HIPAA changes are coming in 2023—is your organization prepared?
You may have heard rumors circulating over the last year that changes are coming to HIPAA. It’s true: the Office for Civil Rights (OCR) has stated that modifications to the HIPAA Privacy Rule are due to be finalized in March 2023 (without a specific date announced as of publishing).
But these aren’t just minor modifications: the changes are bigger than HITECH and bigger than the Omnibus Rule. Over 30 percent of HIPAA is due to change in March, with implications across your policies, training, BAAs, and NPPs.
That’s why today we’re diving into all the critical facts you need to know about these changes to HIPAA—from the best ways to prepare, to when exactly you should do that.
In this article, we will be covering:
- Why the HIPAA Privacy Rule is Changing
- The Timeline for Compliance with the Updated Privacy Rule
- How to Comply with the Updated Privacy Rule
- How to Prepare for the Privacy Rule Changes Coming in 2023
As HIPAAtrek is built and maintained by HIPAA compliance experts, we know how intimidating major regulatory changes like these can be. That’s why we pride ourselves on helping our clients stay prepared—and in compliance.
We provide ongoing education opportunities outlining the specifics of these changes, and will have updated templates and training available through our platform within 45 days of the Privacy Rule being finalized. If you’ve been considering using HIPAAtrek to manage your compliance—and stay updated as regulations change—there’s never been a better time to join. Click here to schedule a demo.
Why The HIPAA Privacy Rule is Changing
As we’ve mentioned before, HIPAA changes are inevitable as regulations strive to keep up with changing technology, care standards, and patient rights. With such sweeping changes, it is no surprise that multiple factors are driving them.
The stated reasons for the 2023 Privacy Rule changes include:
- Strengthening patient rights to access their own PHI,
- Managing information sharing for care coordination and case management,
- Family and caregiver involvement for individuals experiencing emergencies and health crises,
- Providing guidance for disclosures of PHI to facilitate patient care during an emergency situation, and
- Reducing administrative burden.
First, the OCR has made it clear that individual rights to access PHI are a priority, and we have seen an increase in regulatory actions around the ability to access one’s own PHI. The 2023 proposed modifications to the HIPAA Privacy Rule are further strengthening this right to access.
The OCR has previously prioritized patient access to their own PHI through the Right of Access Initiative, as has the Office of the National Coordinator’s Prevention of Information Blocking provision under the 21st Century Cures Act. The strengthening of patient rights to access their own information is the largest reason for the changes to HIPAA in 2023.
Family and caregiver involvement for individuals experiencing emergencies and health crises is another reason behind these changes. Under the current version of the Privacy Rule, it can be challenging for Covered Entities to involve family members when a patient is experiencing a healthcare emergency, and the proposed modifications will make that involvement easier.
Finally, the OCR has stated that the modifications will reduce administrative burden on Covered Entities.
All of these factors combined provide the motivations behind the changes to the Privacy Rule that we are anticipating in 2023—the largest of which is the strengthening of patient rights.
When will I need to comply with the updated Privacy Rule?
As compliance officers know well from previous major changes to HIPAA, implementing new regulations is not a quick process. Compliance is dynamic and multi-faceted, and changes can take many months to properly implement.
The larger your organization is, the more staff education and training it will take to change habits, routines, and workflows.
Currently, the modifications to the Privacy Rule are due to be finalized in March of 2023 (the OCR has not yet released a specific date for these changes). From the date that these rules are published, Covered Entities will have 180 days to comply.
That means six months from the final Rule going into effect, your organization will have to achieve compliance under these changing regulations.
While six months sounds like a long time, anyone working in compliance knows that it will go by fast—and these sweeping changes will take time to properly implement.
How to Comply with the Updated Privacy Rule
As we mentioned above, this is the largest change to HIPAA yet, so complying with the updated Rule will take a multifaceted approach, including critical changes to workflows.
One immediate impact of the updated Privacy Rule will be a new patient right to take recordings or photos of their EPHI. That means your organization should begin thinking now about where and how you will facilitate this patient access at your facility.
Policy edits and modifications will be another large task on your to-do list once the changes to the Privacy Rule are finalized.
You will need to begin by reviewing your existing policies to identify those that need changes or rewriting.
Once you have identified the policies requiring updates, created new or edited policies, gone through the approval process, and finalized your policies, you aren’t done yet. Don’t forget that you also are required to retrain every staff member whose work falls under that policy—which for some organizations will be every member of the team.
Work proactively now to identify policies that will need to be updated, and to create a training strategy for implementing these changes.
Based on the proposed modifications to the HIPAA Privacy Rule, not every Business Associate Agreement (BAA) will need to be updated. In fact, only those BAs that disclose PHI will need updated BAAs under the new Rule.
This is a process you can start right away. Begin by identifying those BAs who will require a new BAA, and start working on your new BAA template for those vendors. If you use HIPAAtrek, you can easily tag those BAAs which will require updates, to refer back to later.
Once the final rule is published, begin that finalization process right away. BAA negotiations can be time-consuming, as we learned in 2013 with the Omnibus Rule.
Being proactive in conversations with vendors requiring a new BAA is important to achieve compliance within the timeline allowed by the OCR.
The Notice of Privacy Practices (NPP) itself will be changing under the new version of the HIPAA Privacy Rule, so you will need to update your NPP with all of the required changes.
While that may sound straightforward, it is critical to ensure these updates are completed everywhere you currently have your NPP posted, which may include physical locations in your facilities, as well as on your website. Start now by identifying everywhere your current NPP is posted and distributed so you can be prepared for this update.
One major change that will reduce administrative burden is the removal of the requirement to obtain acknowledgement of your NPP. Keep in mind, this will also require retraining staff on a new procedure.
How to Prepare Now for the Privacy Rule Changes Coming in 2023
With all of these changes coming so soon, and with such limited time for implementation, savvy compliance officers will begin preparing now in order to implement modifications in an efficient way upon finalization of the Rule.
Step 1: Risk Analysis
The best way to begin preparing now? A proactive risk analysis.
You need to know where your privacy program stands now, in order to start from a foundation of compliance and ensure that you aren’t adding additional work to the already daunting changes from the OCR. That’s why we suggest building a strong foundation with a risk analysis.
Your risk analysis should include:
- A thorough review of policies to ensure compliance with existing HIPAA regulations,
- An assessment of the training on, and execution of, compliance among your team members, and
- An implementation plan that is ready to go when HIPAA changes go into effect.
At HIPAAtrek, we designed a Privacy Gap Assessment specifically to identify and address existing gaps in your Privacy Program, and provide a roadmap to compliance under the new regulations in 2023. Click here to learn more.
Step 2: Understand the Specifics of the Changes
Now is the time to begin studying the proposed modifications and identifying the specific actions you will take to implement these changes within the given timeline.
For instance, you can begin identifying a location and process for patients to record or photograph their PHI. Additionally, you can identify which policies and BAAs will need to be updated beginning in March.
Thinking through these steps will allow you to be proactive in your communication with team members, so that nobody is surprised by changes.
Step 3: Speak with Leadership
Finally, now is the time to create buy-in for your action plan among the C-suite and other organizational leaders. Share your action plan and create a budget now—there is a cost to HIPAA changing. You need to be sure you’re budgeting appropriately for the changes required, including team training.
And, of course, HIPAA compliance software should be included in your budget in order to effectively manage these sweeping changes. HIPAAtrek has been proactively preparing our clients for these modifications since early 2022, with specific, in-depth training and opportunities to ask questions about these changes.
Additionally, HIPAAtrek will have updated policy templates, BAA templates, and NPP templates available in our platform within 45 days of the finalized Privacy Rule. HIPAA Training videos within the software will also be updated to reflect the changes and assist with implementation among your team.
If you’re ready to learn more about using HIPAAtrek to manage your compliance—and stay updated as regulations change—now is the time to reach out. Click here to schedule a demo.
HIPAA Changes 2023
The sweeping changes coming to HIPAA in 2023 can be intimidating. After all, over 30 percent of HIPAA is changing, the largest change we have ever seen. From Policies and Training to BAAs and NPPs, the impacts of these changes will be numerous, and achieving compliance will be a challenge within the allotted timeline.
But with the right preparation, it can be done! Conducting a risk analysis, identifying an action plan early, and creating buy-in among leadership and team members are critical steps to success. And, of course, HIPAAtrek can help along the way.
We even made a free Changing Regulations Cheat Sheet to help you stay on top of changes to HIPAA and other privacy and security regulations. Click here to download it now.