HIPAA 2024 and Beyond: What Healthcare Leaders Need to Know Now

Introduction

Is your healthcare organization ready for the most significant HIPAA overhaul in years? From reproductive health privacy to cybersecurity requirements, here’s your roadmap to navigating the upcoming changes that will reshape healthcare data protection.

These changes encompass enhanced privacy protections for reproductive healthcare, the implementation of the Trusted Exchange Framework and Common Agreement (TEFCA), and proposed cybersecurity measures to safeguard electronic protected health information (ePHI).

Strengthening Reproductive Healthcare Privacy

In response to the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization (2022), which overturned Roe v. Wade, HHS issued a final rule to bolster privacy protections for reproductive healthcare information. This rule, effective June 23, 2024, with a compliance deadline of December 23, 2024 (and February 16, 2026, for Notice of Privacy Practices requirements), aims to prevent the misuse of protected health information (PHI) in investigations or legal actions related to lawful reproductive healthcare.

Key provisions include:

  • Prohibition of Certain Disclosures: HIPAA-covered entities and their business associates are barred from disclosing PHI for purposes of investigating or imposing liability on individuals or entities involved in lawful reproductive healthcare.
  • Attestation Requirement: Entities must obtain a signed attestation from requesters of PHI, affirming that the information will not be used for prohibited purposes.
  • Notice of Privacy Practices (NPP) Updates: Organizations are required to revise their NPPs to reflect these new protections, with a compliance deadline of February 16, 2026.

It’s noteworthy that this rule is currently facing legal challenges, such as the lawsuit filed by Texas Attorney General Ken Paxton seeking to prevent its enforcement in Texas.

Pro tip: Revise your privacy practices now to meet the compliance deadlines.

TEFCA: The Future of Health Data Exchange

Mark your calendar for January 11, 2025 – that’s when the Trusted Exchange Framework and Common Agreement (TEFCA) rule takes effect. This game-changing framework will reshape how health information is shared nationwide.

Quick background: On December 11, 2024, the Department of Health and Human Services (HHS) issued a final rule to implement provisions related to TEFCA, as proposed in the Health Data, Technology, and Interoperability: Patient Engagement, Information Sharing, and Public Health Interoperability (HTI-2) rule. TEFCA, mandated by the 21st Century Cures Act, establishes a nationwide framework to facilitate secure health information exchange, empowering patients with greater control over their data. This rule was published in the Federal Register on December 12, 2024.

Key improvements include:

  • Streamlined health IT certification process
  • Clear standards for Qualified Health Information Networks (QHINs), the networks that exchange information under TEFCA
  • Enhanced FHIR APIs for seamless data sharing
  • Stronger safeguards against information blocking

Want to get ahead? Check out Version 2.1 of the common agreement, released November 2024.

Proposed Cybersecurity Enhancements to the HIPAA Security Rule

Healthcare cyberattacks are rising, and HHS is responding with muscle. The proposed Security Rule updates (coming January 2025) will transform how we protect electronic health information.

Quick background: On December 27, 2024, HHS proposed updates to the HIPAA Security Rule aimed at strengthening the cybersecurity of ePHI. These proposed changes are part of a broader effort to enhance the security of healthcare data in response to increasing cyber threats. The public comment period for this proposal will commence upon its publication in the Federal Register.

Here’s what’s changing:

  • All implementation specifications become required: the current distinction between “required” and “addressable” specifications would be removed
  • Documentation requirements expand: HIPAA-regulated entities would be required to document all Security Rule policies, procedures, plans, and analyses, ensuring comprehensive records of compliance efforts.
  • Clear compliance timelines replace ambiguous deadlines

Your Action Plan

Don’t wait until deadlines loom. Take these steps now:

  1. Audit your current policies against new requirements
  2. Schedule staff training on updated procedures
  3. Evaluate your tech stack’s readiness for new standards

The healthcare privacy landscape is evolving rapidly. Organizations that adapt quickly will not only ensure compliance but also build stronger trust with their patients.

Stay tuned for updates as these regulations roll out. Have questions about implementing these changes? Contact us to discuss.

Disclaimer

This material is provided for informational purposes only. It is not intended to constitute legal advice nor does it create a client-lawyer relationship between Hall Booth Smith, P.C. and any recipient. Recipients should consult with counsel before taking any actions based on the information contained within this material. This material may be considered attorney advertising in some jurisdictions. Prior results do not guarantee a similar outcome.

About the Author

Richard Sheinis

Partner | Charlotte Office

T: 980.859.0381
E: rsheinis@hallboothsmith.com

Richard Sheinis assists businesses in the areas of data privacy and cyber security, employment, and technology. He works with a wide variety of companies from small technology businesses to publicly traded companies with a global footprint.