Several new Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule regulations have been proposed for 2024. According to an article published in The HIPAA Journal on Jan. 6, 2024, some of the regulations may be introduced individually, while many could comprise a HIPAA Omnibus Rule for 2024.
A notice of proposed rulemaking to modify the HIPAA Privacy Rule was originally published on Jan. 21, 2021, with a comment period that extended to May 6, 2021. One proposed change is to ease restrictions related to disclosures of personal health information (PHI), including mandatory sharing of PHI between providers to encourage coordinated care. Other proposed regulations, announced in December 2020, include requirements for HIPAA-covered entities to post estimated fee schedules on their websites for PHI access and disclosures and to provide individualized estimates of the fees for individual copies of PHI. The proposed regulations would also change the maximum time to provide access to PHI from 30 to 15 days.
Additionally, updated penalty values were added to the Federal Register on Oct. 6, 2023. They are organized into four tiers: lack of knowledge, reasonable cause, willful neglect, and willful neglect not corrected within 30 days. Each tier has corresponding minimum and maximum penalties per violation and an annual penalty cap, ranging from $34,464 to $2,067,813. The Office of Management and Budget announced an inflation multiplier for 2024 of 1.03241, and the penalty values published in 2023 will be updated accordingly. While the deadline for this adjustment was Jan. 15, 2024, the increase could take several months. As these changes were originally announced through a Notice of Enforcement Discretion, they are not legally binding but will remain in effect indefinitely.
According to the article in The HIPAA Journal, no date has been provided on when the final rule will be published or when the 2024 HIPAA changes will go into effect.