The Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (NPRM) on Dec. 10, 2020, proposing changes to the HIPAA Privacy Rule. Nothing has been finalized yet: a final rule is expected in 2022, but no effective date has been announced.
Is HIPAA changing in 2022?
These proposed HIPAA changes may seem overwhelming, but nothing is set in stone yet, and it cannot be said for certain whether new HIPAA regulations will take effect in 2022.
2021 HIPAA Safe Harbor law
Before diving into the changes proposed for 2022, we first need to look at recent changes. On Jan. 5, 2021, the HIPAA Safe Harbor bill was signed into law by President Donald Trump, amending the Health Information Technology for Economic and Clinical Health (HITECH) Act. The purpose of the amendment is to encourage healthcare organizations to adopt recognized security practices to improve their defenses against cyberattacks. The amendment requires HHS, when determining fines and the length and extent of an audit following a breach, to take into account whether the organization had recognized security practices in place for at least the previous 12 months.
21st Century Cures Act
In December 2016, the 21st Century Cures Act was signed into law to encourage innovation in medical research. The Cures Act directed HHS to create a new rule that would improve the flow of healthcare data between providers, patients and developers of health IT, such as electronic health record (EHR) vendors.
The resulting final rule from the Office of the National Coordinator for Health Information Technology (ONC) promotes patient access to electronic protected health information (ePHI) and is intended to make that access easier. HIPAA policies and procedures can put an organization in violation of the ONC final rule if they include practices that constitute information blocking. Health IT developers and health information networks and exchanges that engage in information blocking face civil money penalties of up to $1 million per violation (adjusted annually for inflation); healthcare providers are instead subject to disincentives that HHS establishes separately.
New HIPAA regulations change process
The process of making HIPAA updates is slow. HHS seeks feedback on aspects of the HIPAA regulations that are proving problematic or that, because of changes in technology or practice, are no longer as relevant as when they were written. After considering the feedback, HHS publishes an NPRM, which is followed by a comment period. Comments received from healthcare industry stakeholders are considered before a final rule is issued. HIPAA-covered entities are then given a grace period to make the necessary changes before compliance with the new regulations becomes mandatory and the changes become enforceable.
New HIPAA regulations are expected in 2022 once OCR publishes the final rule on the proposed changes to the HIPAA Privacy Rule. Beyond that, further notices of proposed rulemaking on HIPAA updates are unlikely in 2022, with the possible exception of an NPRM on the penalty structure discussed below.
Proposed changes to HIPAA
In December 2018, OCR issued a request for information on aspects of the HIPAA rules that impeded the provision of healthcare and on areas where updates could improve care coordination and data sharing.
After reviewing that feedback, OCR published the December 2020 NPRM. The proposed changes are as follows:
- Patients will be allowed to inspect their PHI in person and take notes or photographs of their PHI
- The maximum time to provide access to PHI will change from 30 days to 15 days
- Requests by individuals to transfer ePHI to a third party will be limited to the ePHI maintained in an EHR
- Individuals will be permitted to request their PHI be transferred to a personal health application
- Under certain circumstances, such as in-person inspection or access through a patient portal, individuals will be provided with ePHI at no cost
- Covered entities will be required to inform individuals that they have the right to obtain or direct copies of their PHI to a third party when a summary of PHI is offered instead of a copy
- HIPAA-covered entities will be required to post estimated fee schedules on their websites for PHI access and disclosures
- HIPAA-covered entities will be required to provide individualized estimates of the fees for providing individuals with copies of their own PHI
- A pathway will be created for individuals to direct the sharing of PHI maintained in an EHR among covered entities
- Healthcare providers and health plans will be required to respond to certain records requests from other covered healthcare providers and health plans, in cases when an individual directs those entities to do so under the HIPAA right of access
- The requirement that HIPAA-covered entities obtain an individual's written acknowledgment of receipt of a notice of privacy practices will be eliminated
- Covered entities will be allowed to disclose PHI to avert a threat to health or safety when harm is “seriously and reasonably foreseeable.” The current definition is when harm is “serious and imminent.”
- Covered entities will be permitted to make certain uses and disclosures of PHI based on their good faith belief that it is in the best interest of the individual
- A minimum necessary standard exception will be added for individual-level care coordination and case management uses and disclosures, regardless of whether the activities constitute treatment or healthcare operations
- The definition of healthcare operations will be broadened to cover care coordination and case management
- The existing permission for the U.S. Armed Forces to use or disclose PHI will be extended to all uniformed services
- A definition will be added for EHR
Penalty structure for violations of HIPAA regulations in 2022
On top of the proposed Privacy Rule changes, OCR is expected to make the penalty levels set out in its Notice of Enforcement Discretion permanent through a separate NPRM, which may be published in 2022. In the meantime, the Notice of Enforcement Discretion, issued in April 2019, which set lower annual penalty caps for the three lower culpability tiers, remains in effect indefinitely. The HIPAA violation penalties are as follows:
Senior Security Consultant - Compliance | Pondurance
Security Consultant - Compliance | Pondurance