HIPAA Proposed Changes for 2023

Happy New Year! As we look back on 2022, we noticed that the Office for Civil Rights (OCR) has really started enforcing the Patients' Right of Access. To see a list of fines and resolution agreements, check out our "What are some of the actual HIPAA fines" page. There are also several proposed changes for HIPAA in 2023.

Here is a recap of what you need to be aware of:

1. Information Blocking – Information blocking is a practice by an "actor" that is likely to interfere with the access, exchange, or use of electronic health information (EHI). This rule was created to promote the flow of patient data between providers, patients, and the developers of Health IT, which includes electronic health record (EHR) vendors. If an actor is found to "block" the flow of information, the penalty can be up to $1 million per violation (the civil monetary penalty applies to certified health IT developers and HIEs/HINs; health care providers are subject to separate disincentives set by HHS). It is important to note that the Cures Act established two different "knowledge" standards for actors' practices within the statute's definition of "information blocking." For health IT developers of certified health IT, as well as HIEs/HINs, the law applies the standard of whether they know, or should know, that a practice is likely to interfere with the access, exchange, or use of EHI. For health care providers, the law applies the standard of whether they know that the practice is unreasonable and is likely to interfere with the access, exchange, or use of EHI.

There are two categories of exceptions and eight exceptions to this rule.

Exceptions that involve not fulfilling requests to access, exchange, or use EHI:

a. Preventing harm

b. Privacy

c. Security

d. Infeasibility

e. Health IT performance

Exceptions that involve procedures for fulfilling requests to access, exchange, or use EHI:

f. Licensing

g. Fees

h. Content and manner

Although information blocking is not enforced by OCR, the HHS Office of the National Coordinator for Health Information Technology (ONC) has authority to review claims of possible information blocking against health IT developers of certified health IT that may constitute a non-conformity under the ONC Health IT Certification Program. Separately, the HHS Office of Inspector General (OIG) has authority to investigate claims of possible information blocking across all types of actors: health care providers, health information networks and health information exchanges, and health IT developers of certified health IT.

Between April 5, 2021 and November 30, 2022, there were 560 submissions of possible information blocking, and only 43 of them did not appear to be a claim of blocking.

Remember, when a patient requests that their information be shared, do not say no. Check with your technology vendors to see whether and how it can be done.

2. Recognized Security Practices – This is commonly known as the HIPAA Safe Harbor law (Public Law 116-321), passed to encourage medical practices and business associates to implement best practices for cybersecurity. Organizations that have completed their HIPAA Security Risk Analysis, reduced their risks, and documented their security practices for the prior 12 months are looked upon more favorably during an investigation of a data breach. Keep in mind that penalties will not be increased if you have not completed this process; the law only allows recognized security practices to mitigate penalties. Penalties otherwise remain within the ranges the regulations permit, taking into account the entity's ability to pay.

3. Charges for medical records – If your office charges for copies of medical records, HIPAA limits the fee to a reasonable, cost-based amount and requires that patients requesting records be told the approximate fee in advance. The proposed rule would also require your office to post its fee schedule.

4. Hospital price transparency – Hospitals must post clear and accessible pricing information online for the items and services they provide, in two ways: (1) as a comprehensive machine-readable file listing all items and services, and (2) in a consumer-friendly, shoppable format.

5. Good Faith Estimates – All facilities must post the HHS notice, "Right to Receive a Good Faith Estimate of Expected Charges," on the provider's or facility's website, in the office, and onsite where scheduling or questions about the cost of items or services occur. The notice must be prominently displayed, published in accessible formats, and available in the languages spoken by the facility's patients.
The provider or facility must provide a good faith estimate of expected charges for items and services to an uninsured or self-pay individual, or to an individual who does not wish to file a claim with their insurance company.

6. No Surprises Act, also known as protection against balance billing – Health care providers and facilities must provide an easy-to-understand notice explaining the applicable billing protections, who to contact if the patient believes a provider or facility has violated the protections, and that patient consent is required to waive the protections (patients must receive notice of, and consent to, being balance billed by an out-of-network provider).

7. HIPAA updates for 2023 – There are many proposed changes, but the final dates and enforcement dates have yet to be determined. A few notable changes that have been proposed are:

a. Adding the right for individuals to inspect their PHI in person, including taking notes or photographs of their PHI

b. Reducing the covered entity's time to respond to a request for access to PHI from 30 days to 15 days. The covered entity would be allowed one extension of no more than 15 calendar days (down from the current 30-day extension)

c. Reducing the identity verification burden on individuals exercising their access rights

d. Specifying when electronic PHI (ePHI) must be provided to the individual at no charge

e. Requiring covered entities to inform individuals that they retain their right to obtain or direct copies of PHI to a third party when a summary of PHI is offered in lieu of a copy

f. Replacing the privacy standard that permits covered entities to make certain uses and disclosures of PHI based on their ‘‘professional judgment’’ with a standard permitting such uses or disclosures based on a covered entity’s good faith belief that the use or disclosure is in the best interests of the individual

g. Requiring covered health care providers and health plans to respond to certain records requests received from other covered health care providers and health plans when directed by individuals pursuant to the right of access

There are many others, and we are watching all of them. The effective date of a final rule will be 60 days after publication. Covered entities and their business associates would have until the "compliance date" to establish and implement policies and practices that achieve compliance with any new or modified standards. Except as otherwise provided, 45 CFR 160.105 requires covered entities and business associates to comply with new or modified standards or implementation specifications no later than 180 days from the effective date of the change.

The Department previously noted that the 180-day general compliance period for new or modified standards would not apply where a different compliance period is provided in the regulation for one or more provisions.

The Department believes that compliance with the proposed modifications should require no longer than the standard 180-day period provided in 45 CFR 160.105, and thus proposes a compliance date of 180 days after the effective date of a final rule. Accordingly, OCR would begin enforcement of the new and revised standards 240 days after publication of a final rule.

Click here to find out more how our online HIPAA Keeper™ can help your organization with HIPAA Compliance.

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

What does “Recognized Security Practices” mean?

We have talked in the past about the Office for Civil Rights conducting a look-back of at least 12 months at an organization's data security and HIPAA compliance efforts. If an organization suffers a breach, proper documentation of those efforts may reduce the resulting fines. This is what "Recognized Security Practices" refers to. Every organization will have different documentation based on its network configuration and how data flows in and out of its information systems. This isn't really anything new, since data security requirements have been in place since the Security Rule was enacted. There have been updates over the last few years, and the new revisions require covered entities and business associates to document their efforts more than ever. NIST SP 800-66 Rev. 2 (Implementing the HIPAA Security Rule) is the reference guide to start from.

This includes ensuring your policies and procedures are documented and followed by your staff. Our online system makes this task much easier by enabling the HIPAA compliance officer to download and share specific policies for employees to review. Plus, the confidentiality and acceptable use agreement signed via DocuSign demonstrates that you have advised your employees that they must follow your policies and procedures.

Another part of this documentation should be reports from your IT department/vendor. Again, depending on how you access ePHI (electronic protected health information), reports will vary from practice to practice. Some suggested reports are:

  1. Managed devices. You can use this report as your inventory list instead of completing the list in your package. However, we still recommend documenting which devices have been used to access and/or store ePHI.
  2. The managed-device report above should contain operating systems, patches and updates that have been applied, IP addresses, user IDs, and device names. All of this is useful information, and if the report does not contain it, you need to look for another report.
  3. Software lists are very important, since they let you see whether an employee has installed unauthorized software or whether a computer has been compromised.
  4. Device health reports typically include anti-virus status and last login; some also record failed logins, or that may be in a separate report. These are must-have reports.
  5. Access logs may be located within the software your IT vendor uses to manage your network, within your domain controller, and within your EHR/PM software. These logs must be reviewed to ensure employees are only accessing ePHI as required by their job function and to look for outside intrusions.
  6. Backup reports should show when backups are performed and confirm that they completed successfully.
  7. Summary reports are useful, but you must make sure you actually review them; they can be lengthy.
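The access-log review in item 5 is the one report that cannot be rubber-stamped; the questions are "did anyone act outside their job function?" and "is anyone hammering the login page?" Below is an added example of the kind of check a reviewer can run over an export of those logs. It is not code from Aris Medical Solutions or from any EHR vendor; the log format, the role-to-action matrix, the thresholds and the sample lines are all constructed assumptions for illustration, and a real review would map the vendor's actual audit-log fields onto the same three checks: out-of-role actions, failed-login bursts, and one user pulling an unusual number of charts in a short window.

```python
import re
from collections import Counter, defaultdict

# Constructed sample audit-log export in a hypothetical EHR/PM format:
#   timestamp user role action patient result
SAMPLE_LOG = """\
2023-01-09T08:02:11 jsmith nurse VIEW_CHART P1001 OK
2023-01-09T08:05:40 bbrown billing VIEW_CHART P1002 OK
2023-01-09T08:06:02 bbrown billing VIEW_BILLING P1002 OK
2023-01-09T08:07:19 jsmith nurse VIEW_CHART P1003 OK
2023-01-09T08:09:55 tlee frontdesk VIEW_LABS P1004 OK
2023-01-09T08:10:01 unknown - LOGIN - FAIL
2023-01-09T08:10:07 unknown - LOGIN - FAIL
2023-01-09T08:10:13 unknown - LOGIN - FAIL
2023-01-09T08:10:20 unknown - LOGIN - FAIL
2023-01-09T08:10:26 unknown - LOGIN - FAIL
2023-01-09T08:10:33 unknown - LOGIN - FAIL
2023-01-09T08:12:00 tlee frontdesk SCHEDULE P1004 OK
2023-01-09T09:00:01 mjones nurse VIEW_CHART P2001 OK
2023-01-09T09:00:30 mjones nurse VIEW_CHART P2002 OK
2023-01-09T09:01:05 mjones nurse VIEW_CHART P2003 OK
2023-01-09T09:01:44 mjones nurse VIEW_CHART P2004 OK
"""

# Hypothetical "minimum necessary" matrix: which actions each job function may take.
ALLOWED_ACTIONS = {
    "nurse": {"VIEW_CHART", "VIEW_LABS", "SCHEDULE"},
    "billing": {"VIEW_BILLING", "SCHEDULE"},
    "frontdesk": {"SCHEDULE"},
}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (OK|FAIL)$")
FAILED_LOGIN_THRESHOLD = 5   # assumed: 5+ failures by one account in the export
BULK_VIEW_THRESHOLD = 4      # assumed: 4+ distinct patients viewed within one hour


def parse_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, role, action, patient, result = m.groups()
        entries.append({"ts": ts, "user": user, "role": role,
                        "action": action, "patient": patient, "result": result})
    return entries


def find_out_of_role_access(entries):
    """Successful, non-login actions that the user's role is not permitted to take."""
    findings = []
    for e in entries:
        if e["result"] != "OK" or e["action"] == "LOGIN":
            continue
        if e["action"] not in ALLOWED_ACTIONS.get(e["role"], set()):
            findings.append((e["user"], e["role"], e["action"], e["patient"]))
    return findings


def find_failed_login_bursts(entries, threshold=FAILED_LOGIN_THRESHOLD):
    """Accounts with at least `threshold` failed logins (password guessing / intrusion)."""
    counts = Counter(e["user"] for e in entries
                     if e["action"] == "LOGIN" and e["result"] == "FAIL")
    return {user: n for user, n in counts.items() if n >= threshold}


def find_bulk_chart_access(entries, threshold=BULK_VIEW_THRESHOLD):
    """Users who viewed `threshold` or more distinct patients within a single hour."""
    per_user_hour = defaultdict(set)
    for e in entries:
        if e["result"] == "OK" and e["action"].startswith("VIEW_"):
            per_user_hour[(e["user"], e["ts"][:13])].add(e["patient"])  # hour bucket
    worst = {}
    for (user, _hour), patients in per_user_hour.items():
        if len(patients) >= threshold:
            worst[user] = max(worst.get(user, 0), len(patients))
    return worst


def review(text):
    """Run all three checks over a log export and return the findings."""
    entries = parse_log(text)
    return {
        "out_of_role": find_out_of_role_access(entries),
        "failed_logins": find_failed_login_bursts(entries),
        "bulk_access": find_bulk_chart_access(entries),
    }


if __name__ == "__main__":
    for category, findings in review(SAMPLE_LOG).items():
        print(category, findings)
```

On the constructed sample, the billing clerk opening a clinical chart and the front-desk user opening lab results are flagged as out-of-role, the six consecutive failures on the "unknown" account are flagged as a login burst, and the nurse who opened four different charts in two minutes is flagged for bulk access. The first two are exactly what an OCR reviewer asks to see evidence of: that someone looked, and what was done about it.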

There are times when certain devices cannot be updated or upgraded because of the nature of the equipment or the cost to do so. This would not necessarily be a violation if you can demonstrate other means of protecting your systems, for example removing the outdated equipment from internet access, or placing it on a separate network segment so that it cannot reach the systems and shares that hold ePHI. Your IT vendor should be able to guide you through the proper process based on your particular network.

Annual audits by a third party are highly recommended unless your IT vendor specializes in network security. Often, these two types of companies work well together: the IT vendor handles the day-to-day operations, and the network security company hardens the systems.

Some organizations complain that this costs too much money. Trust me, this is much less expensive than a data breach. Plus, if you plan on obtaining cyber liability insurance, carriers are now asking detailed questions about data security and compliance efforts. If you do have a data breach and you do not have "qualified documentation," your claim could be denied. Of course, the term "qualified documentation" is open to interpretation, and carriers do have an outlandish wish list from what I have seen. Although I have always been a proponent of this insurance, I am starting to believe that unless you already have a policy, you may not be able to obtain one. If you do apply now, you will need to have HEAVY data security in place. Which you should have anyway!


The Office for Civil Rights seeks public comment on Recognized Security Practices and Sharing Civil Money Penalties and Monetary Settlements

The Office for Civil Rights (OCR) released a Request for Information (RFI) seeking comments from all stakeholders, including covered entities, business associates, patients, and their families. The growing number of cybersecurity threats is a significant concern driving the need for enhanced safeguards of electronic protected health information (ePHI).

This RFI will enable the OCR to consider ways to support the healthcare industry’s implementation of recognized security practices. The RFI also will help OCR consider ways to share funds collected through enforcement with individuals who are harmed by violations of the HIPAA Rules.

Through this RFI, OCR is seeking public comment on the following provisions of law:

  • Recognized Security Practices. Section 13412 of the HITECH Act requires HHS to take into consideration certain recognized security practices of covered entities (health plans, health care clearinghouses, and most health care providers) and business associates when determining potential fines, audit results, or other remedies for resolving potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule pursuant to an investigation, compliance review, or audit. Public Law 116-321 went into effect when it was signed into law on January 5, 2021.

    One of the primary goals of this provision is to encourage covered entities and business associates to do “everything in their power to safeguard patient data.”

    The RFI solicits comment on how covered entities and business associates are implementing “recognized security practices,” how they anticipate adequately demonstrating that recognized security practices are in place, and any implementation issues they would like OCR to clarify through future guidance or rulemaking.
  • Civil Money Penalty (CMP) and Settlement Sharing. Section 13410(c)(3) of the HITECH Act requires HHS to establish by regulation a methodology under which an individual harmed by a potential violation of the HIPAA Privacy, Security, and/or Breach Notification Rules may receive a percentage of any CMP or monetary settlement collected with respect to such offense. Section 13410(d)(1) of HITECH requires that OCR base determinations of appropriate penalty amounts on the nature and extent of the violation and the nature and extent of the harm resulting from it. The HITECH Act does not define "harm," nor does it provide direction to aid HHS in defining the term.

    The RFI solicits public comment on the types of harms that should be considered in the distribution of CMPs and monetary settlements to harmed individuals, discusses potential methodologies for sharing and distributing monies to harmed individuals, and invites the public to submit alternative methodologies.

OCR encourages comments from all stakeholders, including patients and their families, HIPAA covered entities and their business associates, consumer advocates, health care professional associations, health information management professionals, health information technology vendors, and government entities.

Individuals seeking more information about the RFI or how to provide written or electronic comments to OCR should visit the Federal Register to learn more:


Please note that comments must be submitted by June 6, 2022 in order to be considered.


©2024 Aris Medical Solutions – HIPAA Risk Management | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy