2024 HIPAA Predictions and Emerging Compliance Trends
In healthcare, some things are predictable while others are not. We spoke with top regulatory attorneys, analyzed OCR fines over the last year, and diligently reviewed the HHS site to make predictions about what’s to come for healthcare compliance in 2024. There are a handful of emerging compliance trends for 2024 that are evident.
2024 HIPAA Predictions: Enforcement Trends & HIPAA Changes
At the end of 2022, Compliancy Group predicted that, with the COVID-19 crisis at last in the rear-view mirror, HHS would return to “normal,” spending the bulk of its time and resources on traditional enforcement priorities. For HHS’ Office for Civil Rights (OCR), those traditional priorities include enforcement of the HIPAA Privacy Rule right of access and enforcement of the HIPAA Security Rule.
The prediction has come true.
In 2023, OCR continued to enforce compliance with the HIPAA Privacy Rule right of access provision, and it continued to enforce compliance with the HIPAA Security Rule. OCR’s 13 enforcement actions that year, through which it raked in $4.2 million in settlement money, included the first ransomware breach settlement agreement and the first phishing breach settlement agreement.
So, what are our 2024 HIPAA predictions?
1. Right of access enforcement will continue to be a top priority
OCR began its “Right of Access Initiative” – its crackdown on providers who do not respond in a timely manner to patient requests for access to their PHI – in late 2019. To date, OCR has brought 46 “right of access” enforcement actions, which have resulted in monetary settlements or penalties and corrective action plans.
The initiative was announced in the waning days of the Trump administration, and both that administration and the Biden administration have prioritized enforcement. OCR can be expected to continue investigating “right of access” complaints and, where it believes the right of access provision has been violated, to continue enforcing the rule. There have been roughly 12 enforcement actions per year. Healthcare providers of all types and sizes have been, and will likely remain, the subject of these actions.
2. The HIPAA right of access standard will give patients more rights
In 2024, it is likely that HHS will amend the HIPAA right of access to give patients more rights. Proposed changes include:
3. HIPAA Privacy Rule protections will be strengthened
On April 12, 2023, OCR issued a Notice of Proposed Rulemaking (NPRM) to strengthen the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule protections by prohibiting the use or disclosure of protected health information (PHI) to identify, investigate, prosecute, or sue patients, providers and others involved in the provision of legal reproductive health care, including abortion. It is possible that HHS will issue a final rule in 2024. If a final rule is issued, reproductive healthcare providers will have to ensure that their use or disclosure of PHI does not violate the new rule’s provisions, which means updating their policies and procedures and training staff on the new requirements.
4. 42 CFR Part 2 will be amended to facilitate care coordination
In late 2022, HHS issued a proposed rule that would bring 42 CFR Part 2 (the regulation governing use and disclosure of certain substance use disorder records) into closer alignment with HIPAA, permitting greater coordination of care between Part 2 providers and primary care physicians and other specialists. Issuance of a final rule in 2024 is a distinct possibility.
5. Rules for the proper use and disclosure of PHI will be changed
There have been several other proposed changes that have been up in the air for quite some time, but 2024 may see these HIPAA changes go into effect.
Some proposed HIPAA changes in 2024 include:
6. OCR will take enforcement action against use of tracking technologies without patient consent
We have already seen New York take action to enforce the December 2022 guidance on tracking technologies. Under this guidance, covered entities may not use tracking technologies (such as the Meta/Facebook pixel) in a way that would result in a prohibited disclosure of PHI to third-party analytics and social media companies. According to the guidance, patient authorization is required for these disclosures. HHS has not withdrawn this guidance, even in the face of a lawsuit filed by the American Hospital Association alleging that HHS does not have the authority to impose it. It is fair to expect that OCR will bring enforcement actions against providers who use tracking technologies to share PHI with third-party analytics and social media companies without patient consent.
7. HHS will release a cybersecurity framework
In December 2023, HHS published a Concept Paper titled “Healthcare Sector Cybersecurity: Introduction to the Strategy of the U.S. Department of Health and Human Services.” The concept paper outlines a proposed HHS cybersecurity framework to improve cyber resiliency and the protection of patient data. The framework calls for incentivizing healthcare providers to help them reach cybersecurity performance goals, and for new cybersecurity requirements to be added to the HIPAA Security Rule. The incentive for compliance? HIPAA-covered entities, through their compliance, will avoid civil monetary penalties. More palatably, HHS envisions the creation of an incentives program (as in, $$$$$) to encourage all hospitals to invest in advanced cybersecurity practices.
Keeping Up with 2024 HIPAA Changes
With so many potential HIPAA changes on the horizon for 2024, ensuring compliance with the regulations can be difficult. Compliancy Group’s comprehensive healthcare compliance software keeps users up to date on regulatory changes, automatically assigning new policies and training as applicable. Make tracking and managing your compliance easy with our software!
Want to learn more about HIPAA compliance? Sign up for our upcoming webinar here!