As healthcare providers enter 2023, it’s more important than ever to keep a pulse on the landscape of healthcare regulations, particularly those regarding patient privacy and security. The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, continues to change to adapt to new technologies, healthcare practices, and patient needs. In this blog post, we’ll explore some of the changes healthcare providers can expect to see from HIPAA regulations in 2023.
Increased Penalties for Non-Compliance
One of the most significant changes that healthcare providers can expect in 2023 is an increase in the penalties for non-compliance with HIPAA regulations. The Office for Civil Rights (OCR), which enforces HIPAA’s national standards, has indicated that it will increase its focus on enforcing the regulations and will be more aggressive in imposing penalties on organizations that fail to comply.
The exact details of the new penalties are not yet announced, but it’s crucial for healthcare providers to take note of this change, prevent unauthorized access, and take steps to ensure that they comply with HIPAA regulations. Currently, penalties for non-compliance can be $100 to $50,000 per violation (or per record), with a maximum fine of $1.5 million per year for violations of an identical provision.
New penalties will be adjusted for inflation in 2023 and likely impose additional costs for organizations that do not comply. Additionally, covered entities must adopt corrective action plans to ensure policies and procedures are up to standard.
Expansion of Patient Rights
Another change healthcare providers can expect to see in 2023 is an expansion of patient rights to data privacy under HIPAA. The OCR has proposed several changes to the regulations that would give patients more control over their health information.
For example, patients would have the right to access their health information in a timely and electronic manner and have the right to direct that their information be shared with designated third parties. Healthcare providers will need to be aware of these critical changes and ensure that their policies and procedures comply:
- Reduction in the maximum time to provide access to PHI to a patient from 30 days to 15 days
- Stating when covered entities should provide individuals with ePHI without charge
- Requiring covered entities to inform individuals of their right to obtain or direct copies of their PHI to third parties when a summary of PHI is offered instead of a copy
Increased Emphasis on Cybersecurity
In recent years, healthcare providers have been increasingly targeted by cybercriminals looking to steal sensitive patient information. In response to this threat, HIPAA regulations will likely place a greater emphasis on cybersecurity in 2023. Healthcare providers will need to take steps to ensure that they have adequate security measures in place to protect patient information from cyberattacks and data breaches. These include:
- Conducting an annual risk analysis to keep information secure
- Strengthening workforce cybersecurity awareness training
- Enforcing patient right of access rules
- Prioritizing resources for IT staff
- Reviewing existing business associate agreements (BAAs) or subcontractor BAAs
Updates to the Privacy Rule
The HIPAA Privacy Rule was last updated in 2013, and the OCR has indicated that it plans to update the rule again in 2023. The exact changes to the Privacy Rule have not yet been announced, but the updates will likely reflect changes in technology and healthcare practices since the last update. Healthcare providers must be prepared to update their policies and procedures to reflect any changes to the Privacy Rule. Expected changes include:
- Precise definitions of a patient’s right to data access, as well as a covered entity’s responsibility to respond to requests
- Allowing patients to inspect their PHI in person and document their PHI through notes or photographs
- Identity verification procedures for parties requesting access to PHI
- The expanded ability for covered entities to avert threats to health or safety when harm is “seriously and reasonably foreseeable,” as opposed to “serious and imminent”
Updates to Permissive Use of PHI
HIPAA’s Privacy Rule previously allowed covered entities to make specific uses or disclosures of PHI according to their “professional judgment.” In 2023, HIPAA’s new standard will permit specific uses or disclosures based on a covered entity’s good faith belief that the use or disclosure is in the best interests of an individual.
This is good news for using PHI in research and development, as good-faith disclosures can lead to advancing medical treatments and technologies to cure complex diseases. However, evidence of bad faith disclosures will still prove non-compliance with HIPAA regulations.
In conclusion, healthcare providers can expect several changes to HIPAA regulations in 2023. These changes will likely focus on increasing penalties for non-compliance, expanding patient rights, emphasizing cybersecurity, and updating the Privacy Rule. Healthcare providers will need to stay informed of these changes and take steps to ensure that they comply with the regulations to avoid penalties and protect patient privacy and security.
At TripleBlind, we understand the struggles of maintaining HIPAA compliance in an evolving digital environment. We’ve built the TripleBlind Privacy Suite to solve real-world healthcare data challenges and enable fast, secure access to diverse patient data. Our HIPAA-tested and compliant products accelerate research and development, catalyze collaborative healthcare, and unilaterally protect sensitive information.
Join us in delivering tomorrow’s healthcare solutions using today’s automated data deidentification technology. Receive your copy of our Healthcare Whitepaper to learn how.