The Health Insurance Portability and Accountability Act (HIPAA) was enacted to ensure organizations can effectively safeguard the privacy and security of sensitive protected health information (PHI). As the healthcare industry and available technologies continue to evolve, and organizations adapt to the increasing cybersecurity risks and threats to their systems, the HIPAA rule needs to evolve as well.
The Department of Health and Human Services (HHS) published a Final Rule on April 26, 2024, to amend the HIPAA regulations. This new rule went into effect on June 25, 2024, and includes the following provisions:
-
Enhanced Patient Rights
Patients can inspect their PHI in person, take notes or photos, and request electronic copies of their records. They can also request corrections to inaccurate information. Healthcare providers must make it easy for patients to exercise these rights and ensure that procedures are transparent and accessible. The maximum time for an organization to provide access to PHI was also reduced from 30 days to 15 days.
-
Transferring PHI
Individuals can directly transfer their PHI to a third party if it is maintained in an Electronic Health Record (EHR).
-
Protections for Reproductive Health Care
New provisions are included to protect patient-provider confidentiality and prevent private medical records from being used against patients for seeking reproductive health care. The disclosure of PHI related to reproductive health care is prohibited if it is used to investigate or impose liability on individuals or healthcare providers. Regulated healthcare providers, plans, and clearinghouses must obtain a signed attestation that certain requests for PHI are not for prohibited purposes.
-
Updated Breach Notification Requirements
Healthcare entities must have a comprehensive breach notification plan in place, including procedures for identifying, investigating, and reporting breaches to the HHS. The rule has new requirements for the information that must be provided to consumers in breach notifications.
It permits notifications to be made via email and other electronic methods, and the timescale for issuing notifications has been changed to within 60 days of the discovery of a breach. The Federal Trade Commission (FTC) must be notified at the same time if the breach involves the information of 500 or more individuals.
-
Notice of Privacy Practices
The Privacy Notice must explain what PHI may be disclosed, to whom, and why. It must also explain an individual’s right to access, amend, or transfer their PHI.
Healthcare organizations and business associates must comply with the new restrictions on the use and disclosure of PHI by December 23, 2024. They must comply with the new notice of privacy practices requirements by February 16, 2026.
There have also been moves to strengthen overall cybersecurity requirements. HIPAA requires organizations to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. Most of the Office for Civil Rights (OCR) large breach investigations reveal a lack of compliant risk analysis, and the OCR has shared they will be prioritizing investigations following HIPAA complaints and breaches, with an increased focus on hacking and ransomware breaches.
In 2023, HHS released voluntary healthcare-specific Cybersecurity Performance Goals (CPGs) to help healthcare organizations implement high-impact cybersecurity practices. These goals include best practices such as mitigating known vulnerabilities, email security, implementing multi-factor authentication, end-user cybersecurity training, strong encryption, incident planning and preparedness, separate user and privileged accounts, and vendor/supplier oversight.
In February 2024, NIST SP 800-66 Rev.2 published, “Implementing the HIPAA Security Rule: A Cybersecurity Resource Guide” which includes resources to help improve the overall understanding of the Security Rule and bolster cybersecurity.
RELATED: Achieve HIPAA Compliance with These 10 Steps
If you have questions regarding how the HIPAA Privacy or Security Rules apply within your organization, please reach out to your dedicated CampusGuard team or contact us. Preview CampusGuard’s updated 2024 HIPAA compliance training by requesting demo access to review how this ongoing training can help educate your staff.
Watch our video about new updates to our HIPAA awareness training.
