Understanding HIPAA Privacy Rule Changes

This article details the expected new HIPAA regulations in 2023-2024, which could have a significant impact on compliance for covered entities. The last major update was in 2013 with the HIPAA Omnibus Final Rule, and since then, most changes have been amendments to existing standards.

In this blog, we'll explore the details of these updated rules, highlighting the key changes, explaining what they mean for healthcare groups, and helping readers understand the increased requirements for following the rules.

What are the Proposed HIPAA Changes?

Based on the available information, there are several proposed changes to HIPAA regulations in 2023:

  1. The Office for Civil Rights (OCR) in the U.S. Department of Health & Human Services (HHS) issued a Notice of Proposed Rulemaking (NPRM) concerning patients' reproductive health.
  2. In January 2021, HHS released a rule titled “Proposed Modifications to the HIPAA Privacy Rule to Support and Remove Barriers to Coordinated Care and Individual Engagement.” The final ruling was expected to be published in March 2023, but that date passed, so it is unclear when we will see the “Final Rule.”
  3. A proposed update has been made to align the Substance Use Disorder Patient Records regulations more closely with HIPAA.
  4. Every year, we expect to see cybersecurity updates and provisions.
  5. A higher penalty structure was implemented in 2023 to keep up with inflation.

Changes to Reproductive Health Privacy

On April 12, 2023, the Office for Civil Rights (OCR) at the U.S. Department of Health & Human Services (HHS) issued a Notice of Proposed Rulemaking (NPRM) to modify the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and strengthen reproductive healthcare privacy.

Namely, privacy concerning abortion.

This development is part of the HHS's efforts to support President Biden's executive orders issued after the Dobbs v. Jackson Women's Health Organization Supreme Court decision aimed at protecting access to reproductive care.

The proposed changes are meant to improve privacy protections. They aim to prevent entities regulated by the privacy rules from using or revealing protected health information (PHI) in the following cases:

  1. Legal investigations or proceedings (criminal, civil, or administrative) against any patient who sought, obtained, provided, or facilitated legal reproductive healthcare.
  2. Identifying any person in order to start such investigations or proceedings.

The proposed rule spells out specifically when and where these protections would apply. It also identifies the circumstances in which sharing protected health information (a 'disclosure') remains permitted.

To help enforce these rules, entities that are regulated and receive requests for protected health information related to reproductive healthcare would need to get a signed statement. This signed statement would confirm that the information will not be used or released for reasons that are not allowed. This is especially necessary for health oversight activities, judicial and administrative proceedings, law enforcement, and when sharing information with coroners and medical examiners.

Still Pending the “Final Rule”

Initially introduced in early 2021 and set to go into effect in March 2023, this rule seeks to modify the HIPAA Privacy Rule to:

  1. Strengthen individuals' rights to access their protected health information, including electronic information. For example, patients could take pictures of their medical records with their phones, making it easier for them to get the information they need.
  2. Improve information sharing for care coordination and case management for individuals.
  3. Facilitate increased involvement from families and caregivers in the care of individuals experiencing emergencies or health crises.
  4. Address disclosures in emergency or threatening circumstances.
  5. Reduce administrative burdens on HIPAA-covered healthcare providers and health plans.

This prioritized, economically significant rule was listed in the Unified Agenda under the Final Rule Stage. Despite this, the agenda entry indicates it is not expected to significantly affect other levels of government, small entities, or federalism.

The rule acts under the legal authority of the Health Insurance Portability and Accountability Act of 1996 (HIPAA, Section 264, 42 U.S.C. 1320d-2 note) and the Health Information Technology for Economic and Clinical Health (HITECH) Act (Section 13405, 42 U.S.C. 201 note).

Substance Abuse Update (42 CFR Part 2)

The rules that protect the privacy of patients seeking treatment for substance use disorders (SUD) are known as the Confidentiality of Substance Use Disorder Patient Records regulations, or 42 CFR Part 2. There is currently a proposal to make these rules more compatible with HIPAA.

The aim of these changes is to ensure that all health data, including information about substance use treatment, has similar levels of protection. Bringing these rules into sync would make it easier for healthcare providers to share necessary information while still protecting patients' privacy, which in turn would help coordinate and improve patient care.

Aligning 42 CFR Part 2 with HIPAA also means cutting down on the complexity and making things more efficient. By having similar rules for all health information, healthcare providers can avoid confusion and promote cooperation between different health systems.

These changes are expected to be finalized soon, but they may still undergo adjustments in order to strike a balance between strong privacy protections for SUD patients and better healthcare coordination.

Cybersecurity Safe Harbor Provision

The Cybersecurity Safe Harbor Provision is a significant alteration to the HIPAA Privacy Rule introduced under the Health Information Technology for Economic and Clinical Health (HITECH) Act. Essentially, this provision offers some protection for healthcare organizations that fall victim to data breaches despite having robust cybersecurity measures in place.

This provision recognizes the reality that no security system is impervious, and even entities with stringent safety measures may fall victim to sophisticated cyber attacks.

How it Affects Financial Penalties for Data Breaches

Traditionally, healthcare organizations would face substantial fines if they experienced data breaches that exposed protected health information (PHI). The financial penalties are dependent on factors like the extent of the breach, the number of individuals affected, and the perceived level of organizational negligence.

Under the Cybersecurity Safe Harbor Provision, these penalties can potentially be reduced. If the organization can demonstrate that it was in full compliance with recognized cybersecurity practices for a designated period preceding the breach, the Secretary of Health and Human Services may decrease the fines incurred. This less punitive approach allows investigators to consider the efforts put forth by the organization to maintain high cybersecurity standards.

Encouragement for Adopting Advanced Security Measures

The introduction of this provision is meant to encourage healthcare organizations to adopt advanced security measures proactively. Recognizing the efforts and investments made by entities that rigorously enforce cybersecurity safeguards minimizes the disincentive for organizations to improve their security posture.

With the reassurance that good-faith security efforts will be recognized, healthcare organizations have a renewed incentive to invest in and update their cybersecurity practices continually. They can do so in confidence, knowing that if a data breach were to occur, their adherence to strongly enforced cybersecurity practices would be taken into consideration, potentially affording them mitigation of financial penalties.

Higher Penalty Fines

As is to be expected, the fines for HIPAA violations increased to keep up with inflation. The amounts are as follows (the dollar figures were not captured with this article):

Tier     Violation category                               Minimum per Violation   Maximum per Violation   Annual Cap
Tier 1   Lack of Knowledge
Tier 2   Reasonable Cause
Tier 3   Willful Neglect
Tier 4   Willful neglect, not corrected within 30 days

Published in the Federal Register on October 6, 2023

In conclusion, the forthcoming HIPAA regulation amendments for 2023-2024 are significant and carry critical implications for all entities covered under HIPAA. Proactively understanding and implementing these changes, including the strengthening of reproductive health privacy, embracing the 'Final Rule' adjustments, aligning Substance Use Disorder Patient Records with HIPAA, and accommodating Cybersecurity Safe Harbor Provisions, can make for a smoother transition.

Plus, with the adjusted penalty structure, adherence to these evolving regulations couldn't be more vital. Whether you're a healthcare provider or part of the ancillary healthcare system, staying informed about these updates ensures better compliance and, most importantly, safeguards patient data with utmost care. As we look forward to concrete rulings in the future, we must commit to the importance of our evolving roles in protecting patient privacy in healthcare.

Expand your understanding of HIPAA requirements tailored for Business Associates with our comprehensive online training course. Don't miss the chance to earn a certificate of completion, enhancing your reputation for safeguarding protected health information!

You can also start updating your HIPAA knowledge today with our HIPAA for Healthcare Workers online course. Head to our website to get started today!