
New HIPAA Regulations in 2025 – The HIPAA Journal

However, new HIPAA regulations were implemented in 2024 when a final rule was published updating the HIPAA Privacy Rule to strengthen reproductive health care privacy and a final rule was published aligning the Part 2 regulations more closely with HIPAA, although in June 2025, the HIPAA Privacy Rule to strengthen reproductive health care privacy was vacated nationally by a Texas judge…

The last major update to the HIPAA Rules was in 2013, when the HIPAA Omnibus Final Rule introduced new HIPAA regulations mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act. Since then, most HIPAA changes have consisted of amendments to existing standards to accommodate changes to other laws and Executive Orders, and to implement new transaction code sets…


There had been calls from many healthcare stakeholder groups to align the Part 2 regulations more closely with HIPAA so that all healthcare data is required to have equal protection. This would allow clinicians to view patients’ entire medical records, including substance use disorder (SUD) records, to get a complete view of a patient’s health history to inform treatment decisions. If details of treatment for SUD are withheld from doctors, there is a risk that a patient may be prescribed opioids when they are in recovery…

There was progress on this front in 2020 through the Coronavirus Aid, Relief, and Economic Security (CARES) Act, which required the HHS to align the Part 2 regulations more closely with HIPAA. In 2022, a Notice of Proposed Rulemaking was published in the Federal Register detailing the Part 2 and HIPAA changes mandated by the CARES Act to increase care coordination and better align these regulations, and a final rule was issued in February 2024. The new rule took effect on April 16, 2024, and compliance is required no later than February 16, 2026…

## How are New HIPAA Regulations Introduced?

The process of implementing HIPAA updates is slow and follows the procedure mandated by the Administrative Procedure Act. Typically, before any new HIPAA regulations can be introduced, changed, or rescinded, the HHS must seek feedback through a Request for Information (RFI) on aspects of the HIPAA regulations that are proving problematic or that, due to changes in technologies or practices, are no longer as important as when they were originally published…

After considering the comments and feedback received in response to the RFI, the HHS releases a Notice of Proposed Rulemaking (NPRM), which is followed by a comment period. Comments received from healthcare industry stakeholders are considered before a Final Rule is issued. HIPAA-regulated entities are then given a grace period to make the necessary changes before compliance with the new HIPAA regulations becomes mandatory and the HIPAA changes become enforceable…

The changes to the Part 2 regulations are based on the Legacy Act, which was introduced by Sens. Capito (R-WV) and Manchin (D-WV). Rather than having to obtain consent from a SUD patient for each use or disclosure, with the consent form stating the specific parties with whom the information will be shared, patients can give broad consent for their SUD records to be shared for treatment, payment, and healthcare operations (TPO). Each disclosure made with patient consent must include a copy of the consent or a clear explanation of the scope of the consent…

Disclosures of SUD records to the Secretary of the HHS are required for enforcement purposes, and the HIPAA and HITECH Act civil and criminal penalties now apply to Part 2 violations, further aligning the regulations with HIPAA. Breaches of Part 2 records now have the same notification requirements as breaches of protected health information under HIPAA, so any data breach requires the patient to be notified without unnecessary delay, and no later than 60 days from the date of discovery of the breach…
The key HIPAA Privacy Rule changes were:
– A definition of “reproductive health care” is added to HIPAA. This definition covers terminations, but also contraception, fertility, and miscarriage healthcare.

– New limitations are imposed on the uses and disclosures of PHI relating to reproductive healthcare that cannot be bypassed by obtaining consent or an authorization.

– A request for reproductive health care information must be accompanied by an attestation that the information will not be used or disclosed for an out-of-state judicial or administrative proceeding…

This is because, in December 2022, HHS’ Centers for Medicare and Medicaid Services (CMS) published a proposed rule that would add three new transaction codes to the existing transaction code sets. The new transaction codes are to enable the electronic transmission of healthcare attachment transactions: transactions in which further information is provided to support an authorization request or a bill, or to preempt a query relating to a bill…

Currently, healthcare attachment transactions are sent by fax or mail, and by facilitating the electronic transmission of these transactions, the new transaction codes will accelerate authorizations, treatments, and payments. However, to validate their authenticity, electronically transmitted healthcare attachment transactions will have to be digitally signed by software capable of supporting the HL7 IF for CDA R2 protocol…

These latest HIPAA updates relating to transaction code sets could be significant for all covered entities that already use e-signatures in day-to-day healthcare operations (e.g., Business Associate Agreements, remote authorizations for uses and disclosures not permitted by the HIPAA Privacy Rule, and e-prescribing) if the e-signature requirements are extended to other HIPAA-covered transactions, and then to day-to-day healthcare operations…

OCR was specifically looking at making changes to aspects of the HIPAA Privacy Rule that impede the transformation to value-based healthcare and areas where current HIPAA Privacy Rule requirements limit or discourage coordinated care. The proposed changes to HIPAA include the easing of restrictions on disclosures of PHI that require authorizations from patients and several new HIPAA changes to strengthen patients’ rights to access their own PHI…
– Individuals will be permitted to request their PHI be transferred to a personal health application.

– States when individuals should be provided with ePHI at no cost.

– Covered entities will be required to inform individuals that they have the right to obtain or direct copies of their PHI to a third party when a summary of PHI is offered instead of a copy…

– HIPAA-covered entities will be required to post estimated fee schedules on their websites for PHI access and disclosures.

– HIPAA-covered entities will be required to provide individualized estimates of the fees for providing an individual with a copy of their own PHI.

– A pathway is created for individuals to direct the sharing of PHI maintained in an EHR among covered entities…

– Healthcare providers and health plans will be required to respond to certain records requests from other covered healthcare providers and health plans, in cases where an individual directs those entities to do so under the HIPAA Right of Access.

– The requirement for HIPAA-covered entities to obtain written confirmation that a Notice of Privacy Practices has been provided has been dropped…

– A minimum necessary standard exception is added for individual-level care coordination and case management uses and disclosures, regardless of whether the activities constitute treatment or health care operations.

– The definition of healthcare operations has been broadened to cover care coordination and case management.

– The Armed Forces’ permission to use or disclose PHI to all uniformed services has been expanded.

– A definition has been added for electronic health records…

– Establish voluntary cybersecurity goals for the healthcare sector

– Provide resources to incentivize and implement cybersecurity practices

– Implement an HHS-wide strategy to support greater enforcement and accountability

– Expand and mature the one-stop shop within HHS for healthcare sector cybersecurity…

Both sets of Cybersecurity Performance Goals (CPGs) are voluntary; however, OCR believes that regulatory changes are required, as voluntary goals are unlikely to be enough to drive the behavioral changes needed across the sector. In the concept paper, the HHS said an update to the HIPAA Security Rule would likely be proposed in Spring 2024, but the update was delayed. A draft of the proposed update was published in December 2024, and the proposed HIPAA Security Rule update was published in the Federal Register on January 6, 2025…

The HHS has also confirmed that the Centers for Medicare and Medicaid Services (CMS) will propose new cybersecurity requirements for hospitals that participate in the Medicare and Medicaid programs, adoption of which will be a condition of participation in those programs. While those new requirements were expected to be announced by the CMS in 2024, no announcement has been made to date, and it is likely to be 2025 before the new requirements are confirmed. They are expected to include several of the measures included in the healthcare CPGs and the recently proposed HIPAA Security Rule update…

As previously explained in the How are New HIPAA Regulations Introduced section, a new rule is proposed and followed by a comment period; comments will be accepted on the proposed new HIPAA regulations until March 7, 2025. The comments must then be reviewed, which could take a considerable amount of time, as extensive feedback is expected from HIPAA-regulated entities and healthcare industry stakeholders due to the number of new cybersecurity requirements…

### The Proposed HIPAA Security Rule Changes

The proposed update to the HIPAA Security Rule, *HIPAA Security Rule to Strengthen Cybersecurity of Electronic Protected Health Information*, is a major overhaul of the cybersecurity requirements for HIPAA-regulated entities, with many new requirements added in line with current cybersecurity best practices, methodologies, and procedures to improve protections against internal and external threats, plus changes in response to court decisions that have affected OCR’s enforcement of the HIPAA Security Rule…

One notable change is the removal of the distinction between required and addressable implementation specifications, with the addressable category removed in the updated HIPAA Security Rule. “Addressable” has been taken to mean optional by many regulated entities, when that is not the case. This change makes it clear that all requirements must be implemented, although there are limited exceptions to certain implementation specifications.
