HIPAA Privacy Rule Changes Coming in 2023: Five Steps to Prepare

Kimberly J. Kannensohn, Holly Buckley, Colin P. McCarthy, William Clayton Landa

In 2023, the Department of Health and Human Services (HHS) is expected to finalize proposed modifications to its regulations under the Health Insurance Portability and Accountability Act of 1996, as modified by the Health Information Technology for Economic and Clinical Health Act of 2009 (HIPAA). If HHS finalizes its proposed modifications as written, covered entities and business associates will need to make significant revisions to their HIPAA privacy compliance policies and other documents within 180 days of HHS’ final rulemaking.

Covered entities and business associates should take steps now to plan and prepare for the first significant HIPAA privacy changes in over a decade.

Background

In January 2021, HHS released a Proposed Rule entitled “Proposed Modifications to the HIPAA Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement” (the Proposed Rule). According to a regulatory agenda published by the Office of Management and Budget (OMB), HHS expected to issue final rulemaking in March 2023 (the Final Rule), but that date has passed, meaning the Final Rule could be published at any time.

If HHS finalizes the Proposed Rule as written, HIPAA-covered entities — including hospitals, physicians and other healthcare providers, health plans, and healthcare clearinghouses — and business associates must update their privacy policies and procedures, security standards, notices of privacy practices (NPP), authorization and disclosure forms, and business associate agreements, among other documents, to reflect the modifications required by the rulemaking. For a detailed summary of the Proposed Rule’s key changes, see this prior McGuireWoods alert.

The Final Rule will be effective 60 days after publication, and covered entities and business associates then will have 180 days to comply with the new or modified standards and implementation specifications.

Five Steps to Take Today to Prepare

  1. Review and plan to amend HIPAA privacy policies. Covered entities and business associates should review their HIPAA privacy policies and designate the individual(s) — the privacy officer and others in charge of HIPAA implementation — who will be responsible for making any necessary changes to policies, procedures, NPPs, forms and other documents implicated by the Final Rule when it is published.
  2. Prepare for changes to NPPs. In the Proposed Rule, HHS proposed to modify the content of NPPs, including a revised NPP header that includes information on how individuals can access their health information, file a HIPAA complaint and contact a designated individual to ask questions. The Proposed Rule also would eliminate the requirement that a covered entity obtain an individual’s signature or acknowledgment of receipt of the NPP. Covered entities should consider how they will implement these changes, particularly if they work with third-party patient intake software vendors to provide NPPs to patients electronically.
  3. Consider how to implement expanded rights of access to protected health information (PHI). If finalized as proposed, the Final Rule would strengthen individuals’ rights to access their own PHI by expanding how individuals can retrieve their PHI and reducing (from 30 days to 15 days) the time allotted to covered entities to respond to individuals’ requests for their PHI. Covered entities should consider what process changes will need to occur to provide faster access to individuals and should review agreements with business associates, including electronic medical record vendors, off-site storage facilities and other vendors, to determine if amendments are required.
  4. Plan for changes to how individuals are charged for access to PHI. In the Proposed Rule, HHS proposed to clarify when PHI must be provided to individuals at no charge and to amend the fees charged when a covered entity responds to an individual’s request to direct records to third parties. The Proposed Rule also would require covered entities to post fee schedules on their websites and, upon request, provide individualized fee estimates and itemized bills in response to individuals’ requests for copies of their PHI. Covered entities should begin planning for how they will charge fees, and whether any agreements with electronic medical record vendors, off-site storage facilities or other vendors will require amendments. State laws also must be considered in establishing applicable fee schedules.
  5. Designate an individual responsible for monitoring developments. HHS may publish the Final Rule at any time. Covered entities and business associates should designate an individual (typically the privacy officer) to check OMB’s regulatory agenda periodically to determine if the Final Rule has been published. The individual also can subscribe to regulatory updates from HHS, which will provide an email alert when the Final Rule is published.