The year 2024 has brought some changes to the Health Insurance Portability and Accountability Act (HIPAA) that might affect wellness providers who are subject to the privacy and security rules. Not sure if you are subject to the rules? Read our blog here.
The following is a short summary of the most recent HIPAA privacy rule changes in 2024 that may affect wellness providers:
- HIPAA covered entities and business associates must not use or disclose Protected Health Information (PHI), including the identity of any people involved, for purposes of criminal or civil investigations for the mere act of seeking, obtaining, providing, or facilitating reproductive health care where such health care is lawful under the circumstances in which it is provided. In other words, HIPAA covered entities and business associates can’t help authorities snoop around people’s reproductive health care unless such care (i.e., abortions or contraceptive care) is illegal in that state. If you aren’t sure of the legal status, err on the side of NOT disclosing to local authorities until you have consulted legal counsel. You can learn more about this new rule here.
- For HIPAA covered entities involved with the treatment (or payment for treatment) of substance use disorders, the federal Department of Health and Human Services (HHS) modified 42 CFR part 2 (Part 2) back in February this year to align with HIPAA more closely. Specifically, in relevant part, the final rule:
- Permits use and disclosure of Part 2 records based on a single patient consent given once for all future uses and disclosures for treatment, payment, and health care operations;
- Permits redisclosure of Part 2 records by HIPAA covered entities and business associates in accordance with the HIPAA privacy rule (except for redisclosing for use in legal proceedings against the patient – the patient still needs to give specific consent or there needs to be a court order for such redisclosure);
- Permits disclosure without patient consent to public health authorities, provided that the records are de-identified in accordance with HIPAA;
- Aligns Part 2 penalties with HIPAA;
- Applies same HIPAA breach notification requirements to Part 2 breaches;
- Aligns Part 2 Patient Notice requirements with HIPAA Notice of Privacy Practices.
You can learn more about the Part 2 rule changes here.
- One other change of note: A recent court decision changed how HIPAA covered entities should handle requests from patients to provide third parties (such as the patient’s lawyer or insurer) access to their PHI. In Ciox Health, LLC v. Azar, Case No. 18-cv-00040 (D.D.C. January 23, 2020), the federal court reversed HHS guidance that said HIPAA covered entities must provide third parties (at the request of the patient) PHI in whatever format the third party wanted (i.e., electronic, paper, etc.). The court said the actual HIPAA statute permits transmittal to a third party in electronic format only. The court also ruled that disclosures of PHI to third parties would not be subject to HIPAA’s fee limitations. See https://www.hhs.gov/hipaa/court-order-right-of-access/index.html.
The bottom line is that if your wellness program involves substance abuse treatment records or reproductive care records, or must often respond to third party requests for PHI disclosure, and your wellness program or services are subject to HIPAA (i.e., qualifies as a Group Health Plan or you as the wellness provider qualify as a covered health care provider), check with your legal counsel to make sure your HIPAA policies and procedures are updated to reflect the new rule changes. We at Wellness Law can help you with your HIPAA compliance needs. Contact us today!