2023 HIPAA Law Changes: Ensure Healthcare Compliance

We are seeing an exponential increase in telehealth facilities owing to the situational crisis precipitated by the recent global pandemic. With the emergence of new technologies in the healthcare industry, frequent modifications to laws and regulations governing medical information have become critical.

HIPAA is one of the critical regulations governing patient medical records or health plans and how medical information is stored and disseminated by medical institutions, insurance providers and other bodies that handle or process medical documents.

Given the increasing digitization of medical information and a cyber security landscape rife with the threats of data breaches, ransomware attacks and data leaks, there is an urgent need to protect citizens’ personal and health-related data.


HIPAA: The basic guidelines

The HIPAA (Health Insurance Portability and Accountability Act) federal law was signed on Aug 21, 1996. It supersedes all state laws to safeguard medical information and serves the following purposes:

  • To combat abuse, fraud and waste in health insurance and healthcare service delivery.
  • To improve access to long-term healthcare services, coordinated care, and medical insurance.
  • To provide continuous health insurance coverage for citizens who have lost or changed jobs.
  • To eventually reduce the cost of healthcare services by regularizing the electronic transmission of all administrative and associated financial transactions.

HIPAA contains five sections or titles:

  • Title I: HIPAA Health Insurance Reform
  • Title II: HIPAA Administrative Simplification
  • Title III: HIPAA Tax-Related Health Provisions
  • Title IV: Application and Enforcement of Group Health Plan Requirements

Of these, Title II is what we mean when we refer to the HIPAA Privacy Rule or HIPAA right of access. It mandates national standards for processing electronic healthcare transactions and for secure electronic access to health data, in compliance with rules set by the Department of Health and Human Services (HHS).

The HHS Office for Civil Rights (OCR), which enforces the HIPAA Security Rule, performs audits and can issue penalties for HIPAA noncompliance. As a result, HIPAA violations can prove quite costly for healthcare organizations.

Evolution of HIPAA: Last year’s HIPAA changes that affect how medical information is handled

HIPAA hasn’t actually seen any major changes since 2013. However, it receives occasional updates to help it evolve with the changing times. Technically, HIPAA hasn’t received any updates specifically for 2023. Rather, any forthcoming changes were proposed for 2022; they just haven’t taken effect yet.

The HIPAA changes of 2022 did two primary things: they made it easier for patients to access their information and ensured ePHI would be more secure.

Expanded access and eased restrictions on the access and sharing of medical information were necessary over the last couple of years to allow patients to get medical help virtually during the COVID pandemic. At the same time, protecting patients from data leaks remained essential.

With that in mind, let’s take a look at how HIPAA has evolved over the years.

  • One of the significant changes to HIPAA was the Security Rule, which introduced three categories of safeguards (administrative, physical and technical) to protect the integrity of electronically stored and transmitted protected health information (ePHI). Compliance with this rule required implementing mechanisms to ensure the end-to-end security of patient data and processes to prevent a data breach. Following this change, many institutions were investigated over data breaches and had to pay hefty fines. For example, in August 2016, Advocate Health Care Network was fined $5.55 million for the unauthorized disclosure of almost 4 million patient health care records following the theft of a portable electronic device.
  • The 21st Century Cures Act (Cures Act), signed on Dec 13, 2016, empowers patients to access, exchange, and use their electronic health information however they wish. It was designed to increase choice and access both for patients and providers. It eases regulatory burdens related to electronic health records (EHR) and other health information technology (HIT) systems. Both HIPAA and the Cures Act guide how protected health information (PHI) is shared. While HIPAA seeks to prevent unauthorized access to PHI, the Cures Act encourages access and exchange to appropriate parties. Combined, they can help securely share information, especially when needed for care coordination and case management.
  • The Coronavirus Aid, Relief, and Economic Security Act, or CARES Act, is one of the largest stimulus packages in US history and was passed to address the COVID-19 pandemic. Part 2 of the CARES Act requires federal programs to obtain a patient’s consent before disclosing their identifying information outside of the program, including before disclosing it to other health care providers. In addition, patients may request an accounting of disclosures and request restrictions on the use and disclosure of their information, as permitted by the HIPAA Rules.
  • The Privacy Rule requires care providers to distribute a notice of privacy practices to their patients. This notice must outline the patients’ rights to privacy and how the care provider can use their personal information.
  • The HIPAA Safe Harbor Law, signed in January 2021, is an amendment to the HITECH Act, which in 2009 introduced stricter penalties for HIPAA violations. The amendment reduces the administrative burden on covered entities that share medical data to improve healthcare coordination. In addition, it gives HHS the option to refrain from enforcing penalties in specific circumstances.
  • More proposed changes to the HIPAA law are expected in late 2022 to reduce the administrative burden on healthcare providers, strengthen patients’ rights to access their own healthcare data, and improve data sharing between HIPAA-covered entities.

Some examples of expected 2022/2023 HIPAA changes:

Again, any 2023 changes to HIPAA are changes that were delayed from the previous year. Because they come from the same group of proposed alterations, they are all interrelated and intended to solve similar issues. So, let’s take a look at what those proposed changes were.

  • Allowing patients to inspect their PHI in person and take photographs of their medical records or take notes.
  • Ensuring individuals are not faced with unreasonable measures when exercising their right of access, such as a series of third-party forms, notarization requirements, and limited channels for accepting requests.
  • Specifying when ePHI must be provided free of charge, such as when individuals inspect their PHI in person or use an Internet-based patient portal.
  • Requiring health care providers to respond to patients’ record requests within 15 days. If a clear and legitimate reason is provided, they can extend their response by another 15 days, making the maximum total response time 30 days.
  • Healthcare providers and other HIPAA-covered organizations must post estimated fee schedules for records access on their websites.
  • Limiting costs for electronic records requests to only cover labor, even if the digital copies are provided in a physical format (CDs, flash drives, etc.).

How do you ensure compliance with the 2023 HIPAA changes?

Because the laws deal directly with protecting personal information, HIPAA compliance should be a priority for any office responsible for handling medical records in any format.

Healthcare organizations must invest in robust systems and cloud infrastructure to access, share, and secure electronic health records.

Daida provides secure medical records scanning services to enable digitization in the healthcare sector.

Mercury, our industry-leading document management system, provides affordable cloud-based storage and promotes ease of access and remote collaboration while maintaining strict access controls.

Our advanced data capture technology can aggregate data from all structured and unstructured sources, including handwritten prescriptions, and large-format reports, into a central digital repository.

We have document scanning bureaus across the US for secure conversion of records. Our scanning facilities are SOC-2 certified, and we follow the highest standards of data security. For example, one of our newest scanning centers in Santa Ana, CA, offers records storage for healthcare service providers in an end-to-end HIPAA-compliant manner.

Our digital transformation solutions for healthcare institutions and service providers help them maintain compliance with the latest regulations in the healthcare industry, including HIPAA, HITECH, the Cures Act and more.


Connect with Daida to digitize healthcare records securely and cost-effectively, and stay updated with the latest 2023 HIPAA changes to ensure healthcare compliance.
