Alleged HIPAA Updates: What to Expect in 2022?

Alleged HIPAA Updates? Okay. 

Let’s look back at the Health Insurance Portability and Accountability Act (HIPAA) of 1996. What changes in HIPAA legislation do you remember since 2020? What circumstances caused these changes? Of course, the first thing that comes to mind might be the COVID-19 pandemic and the upcoming vaccination. But changes affected both the healthcare sphere and the government of the USA: the Office of the President passed responsibility to the incoming administration. And there’s no doubt that all these factors evoked changes in the law.

But covered entities (CEs) and business associates (BAs) always need to know what to expect soon. So let’s dive into this topic step by step!

The Background of the Alleged HIPAA Updates

As mentioned before, many background events and circumstances affected changes in HIPAA regulations in 2022. Of course, the things of immense significance, such as the pandemic and the USA presidential election, impacted the law significantly. But what about other important factors that played a massive role in the legislation alterations? Let’s look at them in detail!


The Department of Health and Human Services (HHS) started to seriously consider alterations to the HIPAA Privacy Rule at the end of the year. The initial purpose was to make the rule more patient-oriented and to take all interests into account. So, suggestions from the HHS side were assessed. Also, in 2020 the latest Information Blocking Rule entered into force. The rule aimed to prevent care providers, tech firms, and stock markets from blocking information. Additionally, HHS decided to make the HIPAA Right of Access operational.


The events in 2021 undoubtedly had a big impact on the activity of the Department of Health and Human Services (HHS). Along with the start of the new presidential term and the earliest vaccines against COVID-19, e-health also gained considerable popularity. This method of treatment was the only option during quarantine. So, in the end, the HHS Office for Civil Rights (OCR) appointed a new director, extended the application of the rights related to the coronavirus, and published recommendations related to the coronavirus vaccines, HIPAA, and workplaces. However, the alterations of the Privacy Rule aiming to make a difference for patients still didn’t move forward.

Alleged HIPAA Updates in 2022

After considering the background events, which make us think about the possible changes in the law, let’s see the alleged HIPAA updates in 2022. Experts expect new HIPAA regulations to come into force after the OCR’s final decision to alter the HIPAA Privacy Rule. Although interested parties called for a few other upgrades in the legislation, other new HIPAA regulations are unlikely to occur. Considering the number of updates in HIPAA due to the Privacy Rule modification and their effect on the covered entities (CEs), other announcements of prospective rules are doubtful this year.

Expectations of the Final Privacy Rule

Four years ago, the Office for Civil Rights (OCR) published a request for information (RFI), asking CEs to share feedback on their experience of implementing HIPAA requirements. It aimed to evaluate the burden of compliance, as compliance often interferes with immediate treatment. In its request, OCR also asked covered entities (CEs) to share their thoughts on areas where it’s necessary to update HIPAA. The purpose is to help CEs coordinate care and exchange information properly.

Thus, the proposed alterations include relaxing restrictions on protected health information (PHI) disclosure and enhancing patients’ rights to access their PHI. But one suggestion drew a lot of criticism. It concerned the mandatory sharing of ePHI with other providers. The American Hospital Association (AHA) and the American Medical Association (AMA) expressed their concern regarding this suggestion. They are also worried about the proposal to shorten the response time to patients when they request copies of their health records.

Also, the Department of Health and Human Services (HHS) illustrated these suggestions by pointing out that it has received a lot of claims from covered entities’ patients. In the patients’ opinion, HIPAA requirements restricted them from getting appropriate treatment. They also stated that changes are vital to overcoming the opioid crisis in the country. Suggestions for HIPAA alterations also aim to reduce the administrative overload of CEs.

What are the Main Changes Suggested to the HIPAA Privacy Rule?

Here you can find five leading suggestions for the HIPAA Privacy Rule announced by the Office for Civil Rights (OCR):

  1. Allow patients to look at their protected health information (PHI) individually and take photos and notes. 
  2. Change the maximal time of providing access to PHI from 30 to 15 days.
  3. Permit patients’ requests to transmit their PHI to the personal healthcare app.
  4. Specify when patients can require their ePHI for free. 
  5. Covered entities should publish individual pricelists for PHI access and disclosure on their websites.

You can look through other HIPAA Privacy Rule alterations proposals in this HHS-approved document for more information.

Possible Issues in Compliance with Alleged HIPAA Updates

Of course, all these proposals for the legislation sound straightforward and optimistic, especially for patients, as they gain a lot of benefits. But it is not so simple for covered entities (CEs) as they have to change a lot in their policies to comply with new rules.

Let’s take the proposal to allow patients to look at their PHI and take photos and notes of it as an example. It is probably going to create a range of problems. For instance, covered entities (CEs) must develop strategies and procedures to prevent patients from snooping into other individuals’ records. Also, under the rule, it is necessary to create a safe space so that patients can look through their PHI securely. It can be online, with special supervision of the individual who looks through the PHI.

And this is only a drop in the bucket, as a considerable number of the suggestions bring a range of issues with them. CEs will need time to implement all changes, update strategies and procedures, and educate employees properly. Covered entities (CEs) should undertake all measures immediately after the final rule publication to comply with new HIPAA requirements.

Other Predictions about the Alleged HIPAA Updates

Modifications in HR 7898 Legislation

At the beginning of the previous year, the HR 7898 law entered into force. It is also called the best cybersecurity law deemed by HIPAA. This legislation modifies the HITECH Act to require HHS to consider whether CEs and BAs keep up with security requirements while making final decisions. These decisions might be taking coercive measures, selecting an audit organization, or imposing financial fines. If the covered entity (CE) is entirely compliant, HHS can reduce the amount of penalty or duration of an audit.

Later, recommendations on aligning security methods in the healthcare field were published. This publication includes the main document, two technical volumes, sources, and templates for large and small care businesses. The core element of these guidelines is ten best practices for improving cybersecurity. They apply to fields such as:

  • Access Control
  • Assets Management
  • Cybersecurity Strategies
  • Data Security and Damage Prevention
  • Health Tools Safety, etc.

So, there is a chance that the final rules will include these recommendations.

About “Safe Harbor” Legislation

As a result of the introduction of the HR 7898 law, some states in the USA decided to enact their own safe harbor legislation. For example, the state of Utah (UT) signed a law about cybersecurity affirmative defense last year. This legislation refers to organizations that keep up with written cyber defense policies but still suffer from security violations. You can take a look at the safeguards that Utah recognizes here.

But UT is not the only state that enforced such legislation. For example, Connecticut also accepted similar cybersecurity policies. So, it seems that the tendency might continue in 2022, complementing alleged HIPAA updates.

Making Cannabis Dispensaries Compliant

Last year, the IL Department of Financial and Professional Regulation stated that cannabis dispensaries in Illinois must protect information about patients according to the HIPAA Privacy and Security Rules. This institution is the chief controller of the cannabis-related process in IL. So, to be compliant with HIPAA, cannabis dispensaries must conduct complex risk assessment analyses and educate the workforce at least once per year, manage risks, and implement updates of strategies and procedures each year to keep PHI safe. 

Thus, other states may follow the example of IL and implement the same requirements for the cannabis dispensaries’ HIPAA compliance.

Implementing the HIPAA Right of Access

In 2022 alone, OCR has already handled more than ten HIPAA matters regarding the right of access. The Office has concluded conciliation agreements with eleven suppliers and imposed a financial fine on the inaccessible last provider. Each agreement consists of a fiscal payment and a corrective action plan. So it is evident that the Office for Civil Rights (OCR) will do its best to enforce the right of access, and nothing will interrupt this process.


Alleged HIPAA Updates

There are a lot of rumors about alleged HIPAA updates in 2022. And it’s not in vain, as they were preceded by many decisive factors, such as the pandemic, the growing popularity of e-health, the change of power, etc. Also, some things carry over from recent years, such as the right of access.

As you can see, if all these predictions come true, it seems to be a busy year for both covered entities (CEs) and legislative institutions. The major prediction concerns the modifications of the HIPAA Privacy Rule and the right of access. However, it can also bring difficulties in implementation, as many suggestions for legislation require substantial changes in the policies and procedures of CEs. So, they will need some time to adjust to new requirements to be HIPAA compliant.
So, if you don’t want to skip the latest updates in the HIPAA field, check our news portal and blog to always stay on top!
