The world has not seen any HIPAA regulations update since 2019. Changing HIPAA regulations is a very slow process and needs several essential steps. Firstly, the Department of Health and Human Services seeks feedback on problematic aspects and considers them. The technologies and practices are developing and some regulations become no longer important. Then the HHS then submits a notice of proposed rulemaking within a comment period. Secondly, HIPAA-covered entities are given a grace period to make the necessary changes before compliance with the new HIPAA regulations becomes mandatory and the HIPAA changes become enforceable. However, there is no date provided on when the 2022 HIPAA changes will take effect and become enforceable.
The Federal Register with the announcement of HIPAA Privacy Rule changing was published on January 21, 2021. The proposed HIPAA Privacy Rule changes are far-reaching and affect almost everyone that interacts with the health care system. The healthcare industry experts invented stakeholders to submit comments on the 357-page proposal, with the deadline for submitting comments set as May 6, 2021. OCR has yet to provide a date for when they will issue the Final Rule, but it is likely to result in HIPAA changes in 2022. Although, they may not become enforceable this year.
New HIPAA Regulations in 2022
Whilst there have been calls from industry stakeholders to make several other HIPAA updates in 2022. There are unlikely to be any other new HIPAA laws in 2022. HHS Deputy Secretary Eric Hargan had previously informed that some provisions of the HIPAA Privacy Rule were stopping patients and their families from getting the help they need. He was sure that changes were necessary to help with the fight against the current opioid crisis in the United States. There was also an offer to reduce the administrative burden on HIPAA-covered entities.
Therefore, the OCR will publish the final rule on the proposed changes to the HIPAA Privacy Rule soon. We expect the following HIPAA regulations update in 2022:
- Dropping of the requirement for HIPAA-covered entities to obtain written confirmation in accordance with a Notice of Privacy;
- Allowing covered entities to disclose PHI for safety when harm is “seriously and reasonably foreseeable”;
- Permission of covered entities to make certain uses and disclosures of PHI based on their good faith belief;
- Allowing patients to inspect their PHI in person and take notes or photographs of their PHI;
- Changing the maximum time to provide access to PHI from 30 days to 15 days;
- Limits for requests of individuals to transfer ePHI to a third party;
- Permission for individuals to request their PHI for transferring it to a personal health application;
- New definition of healthcare operations to cover care coordination and case management;
- The Armed Forces’ permission to use or disclose PHI to all uniformed services has been expanded;
- Requirement of HIPAA-covered entities to post estimated fee schedules on their websites for PHI access and disclosures;
- Requirement of HIPAA-covered entities to provide individualized estimates of the fees for providing an individual with a copy of their own PHI.
The COVID-19 Pandemic Added Some Changes
The COVID-19 pandemic has not influenced permanent HIPAA regulations update a lot. Nevertheless, it has seen unprecedented flexibilities introduced on a temporary basis to make it easier for healthcare providers and business associates on the front line in the fight against COVID-19.
During emergencies such as disease outbreaks, HIPAA Rules remain in effect and the requirements of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule remain unchanged. However, enforcement of compliance may be eased. OCR has announced three Notices of Enforcement Discretion in 2020 and one in 2021 in response to the COVID-19 pandemic. There are penalties and sanctions for several HIPAA violations waived for the duration of the COVID-19 nationwide public health emergency.
Moreover, healthcare providers and health plans will have to respond to certain records requests from other covered health care providers and health plans, in cases when an individual directs those entities to do so under the HIPAA Right of Access. There is also a requirement for covered entities to inform individuals that they have the right to obtain or direct copies of their PHI to a third party when they have a summary of PHI instead of a copy.
