It has been several years since the last major revision of the HIPAA rules (the 2013 Omnibus Final Rule, which implemented the HITECH Act), and 2023 still brings obligations to be aware of. One of the most significant changes introduced by that rule was the definition of what constitutes a breach of Protected Health Information (PHI). Under the earlier interim rule, an impermissible use or disclosure was a reportable breach only if it posed a significant risk of financial, reputational, or other harm to the individual. Under the current rule, any impermissible acquisition, access, use, or disclosure of unsecured PHI is presumed to be a breach unless the Covered Entity or Business Associate can demonstrate a low probability that the PHI has been compromised. That demonstration must rest on a documented risk assessment covering at least four factors: the nature and extent of the PHI involved, the unauthorized person who used it or to whom it was disclosed, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated. The burden of proof sits with the entity, and the assessment should be written down at the time it is made. Note that the rule applies to unsecured PHI: data encrypted or destroyed in line with HHS guidance is not "unsecured," so loss of a properly encrypted device is not a reportable breach provided the key was not also exposed. This definition is more in line with the spirit of HIPAA, which is to protect patient privacy while also allowing for necessary access to PHI.
Another significant change introduced by the Omnibus Rule is that Business Associates of Covered Entities, and any subcontractors of theirs that create, receive, maintain, or transmit PHI, are directly liable for HIPAA compliance. Previously, Business Associates were only indirectly responsible, through the terms of their Business Associate Agreements with Covered Entities. Now they are directly liable for the full Security Rule and for the Privacy Rule provisions that apply to them (such as using or disclosing PHI only as permitted by the agreement and the rule, and honoring the minimum-necessary standard), and OCR can investigate and penalize them without going through the Covered Entity. A written Business Associate Agreement is still required; direct liability adds to that contractual obligation rather than replacing it.
Separately, Covered Entities face an annual deadline under the existing HIPAA Breach Notification Rule. Breaches of unsecured PHI affecting fewer than 500 individuals must be logged and reported to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) within 60 days of the end of the calendar year in which the breach was discovered. For breaches discovered during 2022, that deadline is March 1st, 2023; the submission is made through the OCR breach reporting portal. Two related obligations are easy to overlook. First, the annual deadline applies only to the report to HHS: affected individuals must still be notified without unreasonable delay and no later than 60 days after the breach is discovered, whatever its size. Second, a breach affecting 500 or more individuals must be reported to HHS within that same 60-day window after discovery, not at year end, and also requires notice to prominent media outlets in the affected state or jurisdiction. Failure to report breaches can result in significant financial penalties.