
Latest Reforms In HIPAA Regulations: Staying Ahead Of Updates


The dynamic nature of healthcare regulation requires covered entities to stay continuously aware of change. Significant HIPAA updates concerning data privacy and access are expected in 2023. This article traces how the HIPAA regulations have evolved, explores the forthcoming changes, and looks at how the industry is adapting as substance use disorder (SUD) and mental health information is brought into line with HIPAA. We will also examine the effects of the latest HIPAA standards on healthcare providers and patients.

Anticipated HIPAA Changes in 2023

Frequent revisions to the HIPAA regulations and related laws require continuous attention from covered entities. The next major update is scheduled for publication in the Federal Register at an as-yet unspecified date in 2023.

This article can help you understand the HIPAA requirements and verify compliance using our checklist.

Historical Perspective: The Evolution of HIPAA Regulations

This section gives a historical perspective on the evolution of the HIPAA regulations and explains why significant changes are anticipated in 2023:

Historical Overview

The 2013 HIPAA Omnibus Final Rule was driven mainly by the HITECH Act. Subsequent changes focused chiefly on alignment with other laws, Executive Orders, and medical billing codes.

Upcoming Major Update

OCR proposed modifications to the HIPAA Regulations by issuing an NPRM in December 2020. Although the release date is uncertain, the Final Rule is expected to be published in 2023.

Focus on Substance Use Disorder (SUD) and Mental Health Records

The HIPAA regulations have received renewed attention regarding their application to SUD and mental health data. SUD records are governed by 42 CFR Part 2, which sets its own discrete confidentiality standards and so distinguishes them from other healthcare data.

Alignment Efforts

Equal privacy protection requires closer alignment between the Part 2 rules and HIPAA. Aligning these rules also allows greater accessibility to patient information.

Progress and Changes

The CARES Act of 2020 made progress toward aligning Part 2 with the HIPAA regulations. The Act required closer synchronization of the regulatory requirements of Part 2 and HIPAA, with the aim of better coordinating patient care. This was detailed further in a notice of proposed rulemaking issued in 2022.

Rulemaking for the New HIPAA and Part 2 Rules

The CARES Act, which took effect in March 2020, aimed to provide comprehensive healthcare access and to tackle the economic difficulties of the COVID-19 pandemic. It also updated the Part 2 regulations so that people with substance use disorder (SUD) can get the treatment they need. These updates were influenced by the Legacy Act introduced by Senators Capito and Manchin. The key changes to the Part 2 regulations include:

  • Broad Consent: Patients can give a single broad consent to share their SUD records for treatment, payment, and healthcare operations, similar to HIPAA. Consent can be withdrawn in writing at any time.
  • De-Identification: SUD information can be shared with public health authorities if it is de-identified in line with the HIPAA Regulations.
  • Patient Protections: The use of SUD records in investigations and proceedings is limited, and discrimination against patients with substance use disorder is prohibited.
  • New Patient Rights: Patients gain the right to an accounting of disclosures of their SUD records and the right to request restrictions on disclosures for treatment, payment, and healthcare operations.
  • Complaint Process: Part 2 programs must establish a process for receiving and resolving patient complaints, and must not retaliate against those who complain.
  • Enforcement and Penalties: Civil and criminal penalties similar to HIPAA’s apply, with enforcement by the HHS Secretary. Confidentiality notices and breach notification requirements are aligned with HIPAA.
  • HIPAA Update: A corresponding HIPAA update requires covered entities that receive or maintain Part 2 records to apply the Part 2 limitations on re-disclosure of those records in legal proceedings.

How are New HIPAA Regulations Introduced?

This section explains how new HIPAA regulations are introduced.

  • Request for Information (RFI): HHS seeks feedback on HIPAA regulations that are problematic or have been made less relevant by changes in technology and practice. Stakeholders submit comments.
  • Notice of Proposed Rulemaking (NPRM): HHS publishes a proposed rule informed by the RFI feedback and opens a comment period during which stakeholders provide input.
  • Comments and Feedback Review: HHS considers the stakeholder comments before finalizing the rule.
  • Final Rule: HHS issues the Final Rule, which sets out the updated HIPAA regulations.
  • Grace Period: HIPAA-regulated entities are given time to implement the necessary compliance changes.

Specifics of the 2021 HIPAA Privacy Rule Update

  • NPRM Publication: The proposed HIPAA Privacy Rule changes were published in the Federal Register on January 21, 2021.
  • Comment Period Extension: Because of the extent of the proposed changes, the comment deadline was extended to May 6, 2021.
  • Final Rule Timeline: OCR has not yet given a date for the Final Rule, but the HIPAA modifications are anticipated in 2023, with implementation possibly a year later.

Additional 2023 HIPAA Regulation Considerations

Safe Harbor Law and Settlement Sharing: In April 2022, HHS released an RFI on the recognized security practices under the 2021 HIPAA Safe Harbor Law and on introducing “settlement sharing” for data breach victims.

  • Potential NPRM: OCR has yet to issue an NPRM on settlement sharing, but one is expected among the new HIPAA regulations for 2023.
  • Demonstrating Security Practices: In response to the RFI, a video presentation was released explaining how HIPAA-regulated entities can demonstrate that they have implemented recognized security practices.
  • New HIPAA Regulations in 2023: A new set of HIPAA rules and regulations will take effect in 2023 as OCR completes its revision of the HIPAA Privacy Rule. Stakeholders have urged further updates to HIPAA, but new rules addressing those requests are unlikely in 2023. Because of the 2022 Privacy Rule update resulting from the HIPAA changes, the chance of additional HIPAA guidance in 2023 is minimal.

Final Rule Expected on Proposed Changes to the HIPAA Privacy Rule

In December 2018, OCR issued a request for information asking HIPAA-covered entities for feedback on the limitations of the HIPAA Rules. The resulting revisions updated the rules on PHI release, streamlined patient consent, and made it easier for patients to access their medical history. Some of the changes, such as sharing ePHI among providers and reducing response times for patient requests, drew criticism.

HHS Deputy Secretary Eric Hargan stressed the goals of reducing the administrative burden and combating the opioid epidemic. The proposed new HIPAA regulations, announced in December 2020, include these key changes:

  • Patients may personally inspect their PHI and record their observations in writing or with images.
  • The window for providing access to PHI is shortened from 30 days to 15 days.
  • Transfers of ePHI from an EHR to a third party are restricted to specific limits.
  • Personal health applications can now receive PHI at an individual’s request.
  • Guidelines on no-cost access to ePHI are required.
  • Entities must inform individuals of their access rights related to PHI.
  • Covered entities must post on their website the estimated fees for PHI access and disclosure.
  • Individuals must be given personalized fee estimates for copies of their PHI.
  • A pathway is established that enables the sharing of PHI among covered entities.
  • Healthcare providers and health plans must comply with individual-directed requests for records.
  • Written acknowledgment of the Notice of Privacy Practices is no longer required.
  • PHI may be disclosed to prevent harm when the risk is “serious and reasonably foreseeable”, no longer only when the threat is imminent.
  • Uses and disclosures are permitted on a good-faith belief that they are in the individual’s best interest.
  • Exceptions for care coordination and case management at the individual level are included.
  • The definition of healthcare operations is broadened to cover care coordination and case management.
  • The Armed Forces’ permission to use or disclose PHI is extended to all uniformed services.
  • Electronic health records are defined.

With an eye toward patient advocacy, the proposed modifications aim to streamline care coordination and align HIPAA standards with the shifting landscape of healthcare.

Challenges Complying with the New HIPAA Regulations in 2023

Business associates, patient privacy advocates, and other affected entities have raised concerns about the possible effects of the proposed changes to the HIPAA Regulations. Even though the goal is to ease administrative burdens, implementing certain changes would still require substantial effort.

The key concerns are discussed below.

Shortened Timelines for Providing Medical Records

The proposed rule shortening the timeframe for providing medical records may be a challenge for healthcare providers that have already struggled to meet the current deadlines.

Definition of Electronic Health Records (EHR)

Billing records will now have to be provided on request. Because they are often kept separately from the EHR, this may cause delays. The rule prohibits unreasonable barriers to patient access but does not specify what qualifies as “unreasonable.”

Personal Health Applications

Healthcare organizations need to explain to patients the privacy and security risks of sending their PHI to third-party applications. Patients can now request orally that PHI be sent to a third party, which may be complex to implement.

Format of ePHI

By counting ePHI requested via standards-based APIs and personal health apps among the “readily producible” formats, the rule poses challenges for some providers.

In-Person Access

Giving patients the right to inspect their PHI in person poses logistical challenges for ensuring privacy and preventing unauthorized photography. No charge may be made for in-person access.

Implementing even the seemingly minor proposed HIPAA changes summarized above requires careful planning, resource allocation, policy updates, and workforce training on the part of covered entities. Prompt action is needed to ensure compliance with the new 2023 regulations.

Recent Changes to HIPAA Enforcement

Here’s a summary of the HIPAA enforcement trends in recent years:


  • An initial slowdown in HIPAA enforcement actions.
  • OCR announced many settlements in the second half of the year.
  • A record-breaking year, with $28,683,400 in HIPAA fines and settlements.


  • Enforcement continued at a high level, with $12,274,000 in settlements and penalties.
  • A new enforcement focus on the HIPAA Right of Access.


  • Emphasis on enforcement of the Right of Access.
  • Multiple financial penalties were imposed for various HIPAA violations.
  • A record-breaking total of $13,554,900 in HIPAA fines this year.


  • A slight reduction in enforcement actions.
  • Most penalties concerned the Right of Access.
  • Lower total penalties for the year, at $5,982,150.


  • Penalties and settlements were imposed in 22 cases.
  • A total of $2.127 million, the lowest total fines since 2010.
  • Small medical practices were the target of 55% of fines, so smaller healthcare organizations should be especially cautious.
  • OCR adopted a new penalty structure.

HIPAA enforcement has fluctuated in recent years, with varying fines and penalties. 2022 saw a significant number of cases, but the nature of the violations and the introduction of a new penalty structure resulted in comparatively lower fines. Enforcement stayed focused on Right of Access compliance, while smaller healthcare providers faced increased scrutiny.


Looking ahead to 2023, transformative changes in HIPAA compliance are on the horizon for healthcare. Driven by the need for improved care coordination and influenced by the CARES Act, the incoming HIPAA regulations will reshape how patient data is accessed, shared, and protected. While these changes challenge covered entities, they also offer opportunities to strengthen patient rights and make healthcare processes more efficient. Meeting them means not only satisfying regulatory obligations but also committing to better and safer care for the individuals who rely on our health services.


What is HIPAA, and why is it essential in healthcare?

HIPAA, the Health Insurance Portability and Accountability Act passed in 1996, is a significant federal law across the USA. Its main objective is to safeguard patients’ healthcare information. HIPAA is important in healthcare for several reasons:

  • Privacy Protection: HIPAA keeps medical records and personal health information confidential and protected from unauthorized access.
  • Data Security: Electronic health records must be protected by strict security measures, limiting exposure to data theft.
  • Patient Rights: HIPAA grants patients the right to access their health records, request corrections, and be informed about how their data is handled.
  • Interoperability: HIPAA’s focus on standardization streamlines electronic healthcare transactions, facilitating better care for patients.
  • Legal Framework: It protects patients’ privacy by setting guidelines, imposing penalties, and granting legal recourse.

What are the major changes expected in the 2023 HIPAA regulations?

The 2023 HIPAA regulations are expected to bring significant changes:

  • Enhanced Patient Access: Patients will have swifter access to their medical records.
  • Expanded Right to Data Portability: Patient data can now be transferred to personal health apps.
  • Transparency: Covered entities must post estimated fees and provide personalized fee estimates.
  • Care Coordination: Aligning HIPAA with PHI-sharing needs among covered entities will result in better coordinated care.
  • Security Measures: Enhanced security measures will better safeguard healthcare data.

What is the relationship between HIPAA Regulations and Substance Use Disorder (SUD) records?

HIPAA and SUD records have historically had separate confidentiality protections. Under 42 CFR Part 2, SUD records receive enhanced privacy safeguards. The challenge is to balance these with HIPAA so that all healthcare data receives equal privacy protection. The CARES Act has led to changes that align SUD records with HIPAA standards, improving care coordination while safeguarding patient privacy.

How are New HIPAA regulations introduced and applied?

New HIPAA regulations typically follow these steps:

  • Request for Information (RFI): HHS relies on stakeholder input to pinpoint issues within HIPAA and make corrective changes.
  • Notice of Proposed Rulemaking (NPRM): HHS issues a proposed rule based on that input, followed by a comment period during which stakeholders provide feedback.
  • Comments and Feedback Review: Finalizing the rule involves reviewing the stakeholder comments.
  • Final Rule: HHS issues the Final Rule, which details the updates to the HIPAA regulations.
  • Grace Period: Covered entities are given time to implement the compliance changes.

What obstacles must be overcome to meet the HIPAA regulations in 2023?

Complying with the 2023 HIPAA regulations presents several challenges:

  • Shortened Timelines: A compressed timeframe for gathering and providing records strains healthcare providers’ resource allocation.
  • Definition of Electronic Health Records (EHR): Providers may face difficulties with the inclusion of billing records in the expanded definition.
  • Personal Health Applications: The privacy risks of sharing personal health information (PHI) with third-party apps require deliberate execution.
  • In-Person Access: Patients’ ability to inspect their Protected Health Information (PHI) in person may present privacy and security risks.
  • Resource Allocation: All parties involved need to allocate resources, train personnel, and modify policies to implement the changes.

The key to meeting future regulations is remaining informed and prepared.
