A Guide to New and Proposed HIPAA Regulations: What to Expect

A Guide to New and Proposed HIPAA Regulations: What to Expect

It's been several years since the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was last updated, with the most recent changes being those pertaining to the Omnibus Rule in 2013. This revision saw the introduction of new requirements mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act.

But since then, various issues have arisen alongside changes in working practices and the advancement of technology. Now, we are at a point when steps must be taken to update HIPAA regulations so these issues can be addressed more effectively

What Are the New and Proposed Changes to HIPAA Regulations?

The Office for Civil Rights (OCR) issued a Notice of Proposed Rulemaking in December 2020 outlining new and proposed changes to the HIPAA regulations, which include:

1. Aligning 42 CFR Part 2 regulations with HIPAA

The Coronavirus Aid, Relief, and Economic Security (CARES) Act was passed on March 27, 2020 as a response to the economic fallout caused by the pandemic. It also guaranteed every American access to the medical care they needed, including people suffering from substance abuse disorder (SUD).

But to enforce this, some changes had to be made to 42 CFR Part 2 regulations, including allowing healthcare providers to share the medical records of people with SUD. The changes instigated by the CARES Act have therefore aligned 42 CFR Part 2 regulations more closely with HIPAA. 

Instead of healthcare providers having to obtain consent for every disclosure and use of personal information, a patient with SUD can now provide broad consent for their medical records to be shared for payment, treatment, and other healthcare operations. However, the manner in which this information is disclosed and used must be in accordance with HIPAA regulations.

In addition, HIPAA breach notification requirements will also apply to patients with SUD. This means that in the event of a data breach, healthcare providers must immediately notify affected patients no later than 60 days from the discovery of the breach.

2. Updating the Privacy Rule

Some of the changes to the HIPAA Privacy Rule proposed by the OCR include:

  • Allowing patients to review their protected health information (PHI) in person and take pictures and notes of their PHI
  • Shortening the covered entities' required response times from 30 to 15 days
  • Using only the electronic protected health information (ePHI) stored in an electronic health record (EHR) to accommodate all requests of moving ePHI to a third party
  • Letting patients move their PHI to a personal health application
  • Requiring covered entities to inform patients of the latter’s rights to acquire or direct copies of their PHI to third parties if a summary of PHI is provided in lieu of a copy
  • Posting estimated fee schedules on the healthcare provider’s site for access and disclosure of PHI with the patient’s consent
  • Requiring healthcare professionals and health plans to respond to specific records requests coming from other covered entities, as instructed by a patient under the HIPAA right of access

3. Increasing penalties for HIPAA violations

In 2019, the HITECH Act proposed an increase in penalties for healthcare providers violating HIPAA regulations. The Department of Health and Human Services (HHS) initially interpreted this proposal as imposing a $15 million cap for violations across the four penalty tiers. But after some reevaluation, the proposal now sets various maximum fines for each of the four tiers. The infographic below reflects the new changes.

4. Changes to HIPAA regulations due to COVID-19

During emergency situations like a pandemic, HIPAA regulations stay in effect and the requirements for the Privacy, Security, and Breach Notifications Rules remain as is. However, compliance enforcement can be eased.

The OCR issued three Notices of Enforcement Discretion in 2020 and one in 2021 waiving certain sanctions and penalties for HIPAA violations while under a nationwide public health emergency. These notices are:

  • Good faith telehealth remote communications during the COVID-19 nationwide public health emergency

This notice waives the potential penalties against healthcare organizations that provide telehealth services through everyday communications tools that would not normally be considered fully HIPAA compliant. Covered entities can use Zoom, Skype, and Google Hangouts to provide virtual care to their patients. However, public-facing apps like Facebook Live and TikTok are still not allowed.

  • Good faith uses and disclosures of PHI by business associates for public health and health oversight activities

Normally, HIPAA prohibits business associates from using PHI for public health and health oversight activities unless stated in a business associate agreement. But with this notice, business associates are protected from penalties for such uses and disclosure of PHI, provided that they inform the healthcare organization they work with within 10 days after the use or disclosure.

  • Participation in the operation of community-based testing sites during the pandemic

Healthcare providers and business associates operating or participating in the operation of COVID testing sites (e.g., walk-up, drive-through, and mobile sites) will not be subjected to penalties for noncompliance. However, the OCR still encourages covered entities to implement safeguards to keep PHI secure.

  • Notice of enforcement discretion regarding web-based or online applications for COVID-19 vaccination

Generally, the OCR discourages the use of web-based scheduling applications (WBSAs) because they may not be fully compliant with HIPAA regulations. For instance, they may lack a business associate agreement, which is necessary before a specific application can be used by covered entities.

This notice stipulates that healthcare organizations and their business associates will not face HIPAA sanctions and penalties for using such applications. The OCR, however, encourages implementing security measures like encryption to ensure the confidentiality and privacy of PHI while using WBSAs.

How Will the New HIPAA Regulations Be Introduced?

The HHS can modify HIPAA regulations that are no longer viable because of new technology and practices or those that are proving to be problematic.

To do so, the HHS first considers comments and suggestions from healthcare providers before submitting a notice of proposed rulemaking. This is followed by a 60-day comment period in which covered entities and stakeholders provide their feedback. Only after careful consideration will a final version of a rule be issued. Healthcare institutions are then given time to make the necessary adjustments to their security policies before the new rule is released and becomes mandatory.


To ensure your organization complies with HIPAA standards, partner with a reliable managed IT services provider like Charles IT. Our compliance assessment will pinpoint compliance risks in your infrastructure and provide you with options on how to address them. Call us today to learn more.