The latest HIPAA updates and what's coming in 2025
Lusanda Molefe Mar 12, 2025 6:44:29 PM

The regulatory landscape of healthcare is constantly evolving, and staying informed about the latest changes to HIPAA (Health Insurance Portability and Accountability Act) is essential to maintaining compliance and protecting patient privacy. A range of proposed and anticipated HIPAA changes is set to reshape the compliance field.
2024 HIPAA updates: A recap
In 2024 the OCR finalized a historic number of rules, including those related to nondiscrimination, patient rights, and cybersecurity, pointing to the dynamic nature of HIPAA compliance. Several important HIPAA-related changes include:
- Modifications to the HIPAA Privacy Rule: Proposed modifications aim to improve patient care coordination and access while addressing substance use disorder and mental health care. These changes would permit increased disclosures of protected health information (PHI) in specific circumstances, streamline identity verification for patients accessing their records, and reduce response times for access requests. The updated HIPAA Privacy Rule also supports reproductive healthcare privacy by prohibiting the disclosure of PHI for the purpose of investigating or imposing liability on individuals seeking, obtaining, providing, or facilitating reproductive healthcare.
- Alignment with substance use disorder patient records regulations: A final rule published in February 2024 aimed to better align HIPAA with regulations governing substance use disorder patient records, impacting re-disclosures and breach notifications. This includes allowing re-disclosures of Part 2 records by HIPAA-covered entities, aligning substance use disorder patient notices with HIPAA notices of privacy practices, and requiring breach notifications consistent with the HIPAA Breach Notification Rule. These regulations also have implications for confidentiality in the context of substance use disorder treatment records.
- Advancing interoperability and patient access: The CMS Interoperability and Patient Access Final Rule introduced requirements for patient access APIs and ensuring access to PHI via apps, with implications for both the Privacy and Security Rules.
Anticipated HIPAA changes for 2025 and HISAA
HIPAA Security Rule updates
Proposed updates to the Security Rule are expected to focus on cybersecurity. These updates address evolving digital threats and ensure healthcare organizations protect patient information. They include updated risk assessment requirements, enhanced data protection standards, strengthened authentication protocols, improved incident response procedures, and expanded security training requirements. The HHS is also seeking input on AI governance for the Security Rule update, which could impact AI-driven healthcare solutions. Proposed modifications to the Security Rule also include eliminating the distinction between "required" and "addressable" implementation specifications and mandating annual compliance audits.
HISAA (Health Information Security and Accountability Act)
Introduced by Senators Ron Wyden and Mark Warner, HISAA could significantly change healthcare data security and privacy. As Allen Killworth, a healthcare attorney at Epstein Becker & Green, explains, HISAA "would bring an enforcement and oversight structure radically different from HIPAA." Unlike HIPAA, HISAA would require regular updates to security requirements (at least every two years), mandate annual assessments by independent auditors and ongoing government audits, and authorize HHS to charge covered entities and business associates for oversight and enforcement costs. Key provisions also include:
- New security requirements: HISAA would require HHS to develop minimum and enhanced security requirements for HIPAA-covered entities and business associates, addressing cybersecurity risks and protecting patient safety and national security.
- Risk assessments, audits, and reporting: Covered entities and business associates would conduct annual cybersecurity risk assessments, including stress tests, and contract with independent auditors for annual compliance audits.
- Increased penalties and fees: HISAA would establish tiered civil monetary penalties for noncompliance, without HIPAA's statutory maximum limits, and authorize HHS to charge fees to cover oversight costs.
- Medicare assistance and payment adjustments: HISAA would provide funding to hospitals for cybersecurity adoption but implement payment reductions for those failing to adopt enhanced practices.
HIPAA and email
The changes to HIPAA, including the proposed HISAA legislation and Security Rule updates, have significant implications for email communication in healthcare. The proposed modifications to the HIPAA Security Rule, aimed at modernizing the regulation and addressing the increasing reliance on online services and encryption, will directly impact email security practices. Additionally, the HHS is seeking input on AI governance for the Security Rule update, which could impact AI-driven email marketing tools and practices. For example, the stricter requirements around data security and breach notification could mean changes in how healthcare providers use email to communicate with patients and other stakeholders.
Ensuring that your email platform and practices align with these updated requirements is essential. The shift to mandatory annual compliance audits will require organizations to demonstrate that their email security practices meet HIPAA standards. A study on information security awareness programs from the International Journal of Advanced Computer Science and Applications shows the value of ongoing training for reinforcing best practices and maintaining a strong culture of compliance. This is particularly relevant in the context of email communication, where human error can lead to accidental disclosures of PHI.
Secure email solutions, like Paubox Email Suite, can help healthcare providers navigate these changes and maintain HIPAA compliance in their email communications. Its seamless encryption, inbound security features, and strong access controls protect against phishing and malware, prevent unauthorized access, and ensure that all emails containing PHI are protected, regardless of the evolving regulatory landscape. Consider implementing measures like multi-factor authentication, data encryption, and regular security assessments to protect patient data transmitted via email. A 2021 article on HIPAA and telehealth stresses the importance of investing in cybersecurity and choosing secure communication tools. This is equally relevant for email communication, which is a primary vector for cyberattacks in healthcare.
HIPAA compliant email marketing in the 2024-2025 regulatory landscape
The proposed modifications to the HIPAA Privacy Rule, particularly those related to patient access rights and disclosures of PHI, directly impact email marketing. For example, the proposed changes, strengthening individual access rights and reducing response times for access requests, mean healthcare organizations must be prepared to respond quickly and efficiently to patient requests regarding their marketing data. The proposed changes also affect how healthcare organizations obtain and manage patient authorization for email marketing. Ensuring you have clear, documented processes for obtaining consent, including detailed authorization forms specifying the types of PHI used for marketing, is now more important than ever. Furthermore, the enhanced focus on cybersecurity in the proposed Security Rule updates requires stricter email security measures. This includes using a HIPAA compliant email marketing platform like Paubox.
HISAA's potential impact on email marketing is substantial. The proposed legislation's emphasis on risk assessments, audits, and increased penalties shows the need for healthcare organizations to thoroughly evaluate their email marketing practices. Specifically, the mandatory annual audits under HISAA would likely include a review of email marketing practices, consent processes, and security measures. The increased penalties for non-compliance with HISAA's security requirements further accentuate the need for email security and meticulous record-keeping. Staying informed about HISAA's progress and preparing for its potential implementation is vital for maintaining compliance.
FAQs
What is the difference between HIPAA and HISAA?
HIPAA is a broad law enacted in 1996 that establishes national standards for protecting the privacy and security of patient health information. It includes the Privacy Rule, Security Rule, and Breach Notification Rule. HISAA, proposed in 2024, is new legislation specifically focused on strengthening cybersecurity in healthcare. It would build upon HIPAA's Security Rule by adding more stringent requirements for risk assessments, audits, reporting, and penalties related to cybersecurity. HISAA also addresses funding and incentives for hospitals to adopt stronger cybersecurity practices. While HIPAA provides a general framework for healthcare privacy and security, HISAA focuses specifically on enhancing cybersecurity protections and enforcement.
If HISAA passes, how will it affect my current HIPAA compliance program?
It will significantly enhance your current HIPAA compliance program by adding more stringent cybersecurity requirements. You'll need to conduct annual risk assessments, including stress tests, contract with an independent auditor for an annual audit, and report these findings to HHS. HISAA also introduces higher penalties for non-compliance, so meticulous documentation and adherence to the new security requirements will be essential.
What are the specific requirements for the annual cybersecurity audits under HISAA?
The annual audits under HISAA must assess your compliance with the minimum and enhanced security requirements outlined in the legislation, as well as the Healthcare and Public Health Sector Cybersecurity Performance Goals established by HHS. The audits must identify any areas of noncompliance and certify that you have resolved them or are implementing a timely remediation plan.