Compliance Updates Needed To Meet HIPAA 2024 Final Rules 

Brian Williams, MHA, MBA

Healthcare organizations have a lot to be concerned about when it comes to protecting the privacy and security of patient data. Cybersecurity threats and bad actors may pose the highest risk, but failure to incorporate new regulations (including the HIPAA 2024 final rules) into practical policies, staff training, and Business Associate Agreements (BAAs) can quickly lead to unintended breaches and civil liabilities. 

I’ve taken a deep dive into the policy (like any compliance professional would), and I’ve distilled the important information below, along with my proposed changes for documents and training to better meet the HIPAA 2024 changes.

Reproductive Healthcare Privacy

The HIPAA Privacy Rule to Support Reproductive Healthcare Privacy, which went into effect on June 25, 2024, protects trust between individuals and healthcare providers by ensuring that protected health information cannot be used or disclosed to investigate or impose liability on someone for the mere act of seeking, obtaining, providing, or facilitating legal reproductive health care. The Final Rule encompasses a wide range of services including miscarriage treatment to prevent excessive bleeding, pregnancy termination, fertility or infertility diagnosis and treatment, assisted reproductive technology, and other diagnoses, treatments, and care affecting the reproductive system. 

The Final Rule presumes that reproductive health care provided by someone other than the covered health care provider, health plan, or clearinghouse (or their business associates) is lawful, unless the provider, plan, or clearinghouse (or business associate) knows the care was not lawful. The Final Rule requires covered health care providers, health plans, and health care clearinghouses to revise their BAAs by December 23, 2024 and their Notices of Privacy Practices (NPPs) by February 16, 2026. 


Confidentiality of Substance Use Disorder

The U.S. Department of Health & Human Services (HHS) issued the 42 CFR Part 2 Final Rule on April 6, 2024, which modified the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations and aligned them with HIPAA and HITECH. This is designed to provide clarity for both covered entities and patients, since confidentiality concerns often prevent patients from seeking treatment for mental health and substance use disorders. Compliance is required by February 16, 2026. 

Notably, the Final Rule allows a single consent to cover all future uses and disclosures for treatment, payment, and health care operations. Because HIPAA compliance is now required, HIPAA-covered entities and business associates that receive records under this consent may redisclose the records in accordance with HIPAA regulations, and they must also follow HIPAA breach notification requirements.


Updating Your Business Associate Agreement To Comply With Recent HIPAA Changes

Keeping BAAs in place with all vendors is one of the simplest ways to protect your organization — and your patients’ privacy. In accordance with HIPAA, the Business Associate is prohibited from disclosing PHI for any investigation, or to impose liability, related to health care that was lawful in the state where it was provided. This applies to both the reproductive health and substance use disorder final rules issued in 2024. 

The BAA should include language making clear that the Business Associate agrees to the limitations and obligations on its use and disclosure of PHI, specifically with respect to substance use disorder and reproductive health information. 

For reproductive health, a valid attestation must be written in plain English, must be signed and dated by the person requesting the PHI, and must include the following:

  1. A description of the specific information requested and the name(s) of the individual(s) whose PHI is requested.
  2. The name or identifying information of the person or entity making the request.
  3. The name or identifying information of the person or entity to whom the disclosure is to be made.
  4. A statement that the use or disclosure is not for a prohibited purpose.
  5. A statement explaining the criminal penalties for violating HIPAA by improperly obtaining or disclosing identifiable health information.

While you’re reviewing your BAA, there are a few other less common items that I recommend including. First, many vendors use subcontractors, which opens up additional ambiguity and liability. Requiring information on these subcontractors within the vendor’s BAA could come in handy if there’s a breach or other incident. I also recommend ensuring that you call attention to tracking technology that is utilized by the Business Associate. User data collected is subject to the Office for Civil Rights (OCR) Bulletin issued December 1, 2022. 

Other Compliance Program Updates Related to HIPAA 2024 Final Rules

In addition to BAA updates, there are a few other places you’ll want to adjust your compliance program.

Updating Policies

The HIPAA Privacy Rule to Support Reproductive Healthcare Privacy specifically requires updates to your organization’s Notice of Privacy Practices. It’s likely your organization has other privacy-related policies that may require language updates for the HIPAA 2024 changes.

If you’re still managing policy approvals, acknowledgements, signatures, and storage in separate platforms, now is a great time to consider full-cycle policy management software designed for healthcare. These small updates can be just that — small — when you’re managing the process electronically in one natively built platform.

Updating Compliance Training

Don’t forget to share this new information with employees, and ensure that both initial and refresher HIPAA training cover reproductive health and substance use disorder privacy.

Changes Are Forcing a Better Compliance Process

As federal and state consumer privacy laws increasingly converge, particularly around protected health information (PHI), compliance will keep growing more complex as new rules stack on top of existing regulations like a Dagwood sandwich that is difficult for staff and business associates to digest.

It’s definitely time to eliminate multiple compliance and learning systems (especially manual processes) while saving cost and improving efficiency. Consider a healthcare-focused vendor with the regulatory expertise, automation, and HRIS integration capabilities needed to effectively manage and document these important changes.

I highly recommend taking a few moments to consider MedTrainer, an option that is receiving outstanding recognition for its simplicity and effectiveness.
