You’ve likely heard by now that the Office for Civil Rights (the OCR) published a Notice of Proposed Rulemaking (NPRM) on April 17, 2023, that makes changes to the HIPAA Privacy Rule to promote reproductive privacy (see the HHS Fact Sheet).
The new NPRM makes changes related to uses and disclosures, and Notices of Privacy Practices (NPPs). These significant proposed changes could require changes to NPPs, business associate agreements, and policies and procedures. For example:
- Employees may need to be trained.
- New forms may need to be developed.
As always, when there’s a change to HIPAA, expect to be offered “help” – for a cost. You may be told that the need to make changes is urgent – that you need to contract vendor services now!
My message is very different: “DON’T PANIC.” Yes, the scope of these changes is significant, but on Monday, April 17th, the NPRM only entered day 1 of its required 60-day comment period, which ends on June 16, 2023. Rest assured, there will be many comments. Then, before issuing a Final Rule, the agency must consider the comments, scientific data, expert opinions, and facts accumulated during the pre-rule and proposed rule stages, all of which become part of the rulemaking record.
The NPRM Process
To move forward with a final rule, the agency must conclude that its proposed solution will help accomplish the goals or solve the problems identified. It must also consider whether alternative solutions would be more effective or cost less. The proposed final Rule must also be analyzed by the Executive Office of Information and Regulatory Affairs.
Only after all of this is accomplished can an agency publish a Final Rule. Final Rules are effective 60 days after the date of publication in the Federal Register. In the NPRM, the OCR states its intent to require compliance 180 days after the effective date of a Final Rule.
In other words, if a Final Rule were published August 1, 2023 (which would be incredibly quick), then the Rule’s effective date would be September 30, 2023, and the compliance date would be March 28, 2024. That’s almost a full year out.
So yes – pay attention to the Rule. Make comments on it if you have something to say to the OCR. Think about your game plan of changes and start plotting it out for real when the real Final Rule is published. But right now, there’s no need to get ahead of yourself!
Julia Huddleston, Principal Consultant, holds the designations of Certified Information Privacy Manager, Certified Information Privacy Professional, and Certified (HITRUST) CSF Practitioner. She works with Apgar & Associates’ clients on certification readiness, compliance assessments, security risk analysis, and policy and procedure review and implementation.