HIPAA Regulations in 2023: What You Need To Know

The Health Insurance Portability and Accountability Act (HIPAA) enhances health-care systems with added patient protection, technological implementation and adaptation, enforced security standards, and more. Each year, HIPAA continues to grow and adapt to its environment, making sure that current health-care practices stay relevant and optimal for businesses and individuals.

With 2023 underway, there are many new and potential HIPAA changes to look out for, from added rules to remodeled policies. Here is what you need to know about HIPAA regulations in 2023 and how they affect you and your business.

Patient Access to PHI and EHRs

Protected Health Information

Protected health information (PHI) plays a prominent part in HIPAA and is one of the main reasons it was created. As individuals use different health-care services—insurance companies, general practitioners, vets, and dental offices—each entity accumulates a range of sensitive personal information. From addresses and phone numbers to Social Security numbers and account details, PHI includes many individual identifiers that affect the safety of patients.

Electronic Health Records

Along with PHI, health-care services collect electronic health records (EHRs) containing patients’ past and present medical issues, lab results, and health conditions. Although not as sensitive as PHI, EHR is still private information. A patient’s medical information affects prescriptions, insurance, accommodations, and more.

In 2023, HIPAA aims to increase patient access to PHI and EHRs. The refinement of HIPAA’s Privacy Rule includes:

• Individual rights to inspect, take notes, and photograph their PHI and EHR
• A patient’s ability to direct their information to a third-party business with a reasonable cost-based fee
• Better health-care provider response times for PHI and EHR access requests with a maximum response delay of 15 days
• Standards that prevent health-care providers from imposing unreasonable procedures for PHI access, like notarization and in-person-only requests

Billing Record Inclusion

Patients’ records include an array of information, from treatments and prescriptions to current conditions and family history. A new addition to EHR is billing information and past payments. There is no longer any disparity between paper and digital PHI and EHR: people can now receive any form of medical information electronically when requested. This standard is the same across all forms of health-care services, from medical practitioners to orthodontists. Refusal to include billing information may be considered information blocking.

HIPAA Violation Penalties

With inflation running high, penalty amounts are adjusted to keep pace with the economy under the Inflation Adjustment Act. HIPAA fines change with cost-of-living adjustment multipliers, and so far in 2023 that multiplier amounts to an increase of about 9 percent (rounded up). However, an identical capped maximum is being applied to each of the three lower tiers.

Tier One

HIPAA’s penalty tier one covers unintentional violations of HIPAA standards. The cost per violation currently ranges from $100 to $50,000, with a maximum of $25,000 per year. The increases expected this year are predicted to raise that range to a minimum of $120 and a maximum of around $63,900.

Tier Two

Tier two violations are HIPAA breaches committed with reasonable cause: the entity knew, or with proper due diligence should have known, about the violation. The current fines for tier two penalties span from $1,000 to $50,000 per violation, with an annual maximum of $100,000. Trends predict a new minimum of $1,280.

Tier Three

Tier three breaches are willful violations—the covered entity intended to go against HIPAA standards—that were corrected within 30 days. Tier three fines range from a minimum of $10,000 to a maximum of $50,000. 2023 inflation predictions raise that range to an estimated $12,700 to $63,900.

Tier Four

Tier four violations, the most severely punished HIPAA penalty, are willful violations that are left uncorrected. They carry a fixed fine of $50,000. Later in the year, that fine might increase to a range of around $63,000 to $1.9 million.

All final prices for the new year are still up in the air, depending on current inflation trends.

Violation Compensation

Another possible change in violation policies is compensation paid to individuals whose PHI and EHR were breached. The fines that the entity pays for violating HIPAA standards would also cover a small percentage returned to the victims. With a small portion of the fines going to the individuals affected, there is even more incentive to increase the minimum penalty fees.

Averting Health and Safety Risks

Substance use disorder (SUD) and many mental health conditions can lead to life-threatening scenarios for individuals and others. As of now, HIPAA standards prevent health-care entities from reporting SUD and mental health information to law enforcement and family members without permission.

In 2023, changes are being made surrounding PHI standards to avert health and safety threats. In dire scenarios where an individual’s or other people’s lives are at risk of foreseeable harm, covered entities are allowed to distribute PHI without prior permission.

Phasing Out COVID Policies

COVID-19 brought telehealth to fruition, changing laws surrounding passing and discussing PHI electronically. As 2023 moves further away from the peak of the pandemic, HIPAA COVID standards are slowly being altered, permanently added, or removed.

Permanent Changes

Telehealth comes in many forms, from video chats to audio-only services. HIPAA now allows health-care providers and plans to use and cover all forms of remote communication that meet set, effective safety standards. Audio-only services no longer breach face-to-face HIPAA security requirements, allowing the continuation of phone call counseling and other health services. However, to maximize safety, HIPAA has certain requirements that must be met for audio-only telehealth to be permissible.

Phased Out and Adapted Standards

Standards that are phasing out and changing include:

• Mental Health Telehealth – Mental health services will begin requiring at least one in-person visit within 6 months of initial visits and every 12 months after for proper assessment and reimbursement qualification.
• Medicare and Physical Health – Medicare will no longer cover audio-only physical health services and reimburse telehealth visits to physical therapists.
• Telehealth Location Origination – There are now stronger restrictions on where telehealth services originate, who they can help, and other policies related to telehealth services that were in place prior to COVID-19.

These six key points provide the basics of what you need to know about HIPAA regulations in 2023 and what to keep an eye out for as the new year takes off. For more HIPAA updates and information, our HIPAA certification online courses cover the latest news and standards that all health-care providers should know. Check out our training courses and enhance your HIPAA compliance for the new year today!
