Even 28 years after President Bill Clinton signed HIPAA into law, many of its rules have remained difficult for HIPAA-regulated entities, according to a Jan. 22 HIPAA Journal report.
Here are seven HIPAA-related predictions as reported by the HIPAA Journal for 2024:
1. The Office for Civil Rights will increase enforcement actions for HIPAA security rule violations that contributed to data breaches and HIPAA Breach Notification Rule violations for not issuing individuals timely notifications when their protected healthcare information is compromised during data breaches. HIPAA Journal predicts a record number of civil monetary penalties and settlements in 2024.
2. The HIPAA right of access will remain an OCR enforcement priority, given the investigations typically require minimal OCR resources, are straightforward, and the investigation findings typically don't result in legal challenges.
3. A HIPAA security rule update is expected in spring 2024 from OCR, and the HIPAA Journal predicts it will feature multiple new mandatory cybersecurity requirements, including tougher access control requirements like mandatory multi-factor authentication.
4. In response Roe v. Wade being overturned, the HIPAA Journal predicts a new rule on reproductive health information disclosure, which will be forbidden for anything other than payment, healthcare operations, treatment, and for protected healthcare information to be used for identifying, investigating and prosecuting providers, patients and anyone else taking part in providing legal reproductive healthcare services.
5. The HIPAA Journal said the American Hospital Association's lawsuit responding to OCR's tracking technologies guidance from December 2022 strongly argues that OCR elongated the protected health information definition to more than what the existing statute can handle. Should AHA's challenge be unsuccessful, HIPAA Journal predicts 2024 will witness the first enforcement action regarding the use of tracking technologies on hospital websites. Additional tracking technology rulemaking will be suggested if AHA's lawsuit is successful to further secure patient privacy.
6. CMS will introduce cybersecurity requirements as a participation condition in the Medicare and Medicaid programs.
7. HIPAA compliance enforcements will be stepped up by the state attorneys general, imposing additional financial penalties for healthcare organizations that have failed to meet cybersecurity minimum standards.