

  • Changes to the HIPAA Privacy Rule are expected to be finalized imminently.
  • The major changes include: shortening the response time for patients' requests for access to their protected health information (PHI); enabling patients to direct providers to share their Electronic Health Records (EHR) with other providers and insurers; and removing the requirement for covered entities to obtain written acknowledgement that a Notice of Privacy Practices has been provided.
  • While the changes are not expected to take effect until 2024, organizations should start preparing now to avoid undue stress and an increased risk of non-compliance.

Back in December 2020, the Office for Civil Rights (OCR) issued a Notice of Proposed Rulemaking (NPRM) announcing upcoming changes to the HIPAA Privacy Rule.

Nearly three years and a lot of back and forth later, it looks like those changes are about to be finalized. While we don’t know exactly when the Final Rule will be published, anticipation is building, and the odds favor the changes being finalized in 2023.

Before you start to panic, a caveat: the rule changes won’t take effect immediately. The NPRM proposed a compliance period of 180 days after the rule’s effective date (itself 60 days after publication), so entities governed by HIPAA will have roughly six months to become compliant. By the looks of things, that means the first half of 2024.

Even so, compliance teams should begin preparing sooner rather than later. It takes time to update systems and processes to bring them in line with a final rule. Moreover, history shows that proposed HIPAA rules strongly resemble the final versions, often with few or no revisions. Taking action now gives you a much-needed head start.

With that in mind, this post analyzes the most significant expected changes to the HIPAA Privacy Rule, so you can get ahead of the curve.

HIPAA Privacy Rule changes: what to expect?  

Now, we don’t have a crystal ball, so how do we know that changes are coming? The Department of Health and Human Services (HHS) published the NPRM in the Federal Register in January 2021, setting out a number of proposed changes to the HIPAA Privacy Rule.

While we don’t expect every proposal to make its way into the Final Rule, a few stuck out to us, and we strongly suspect they will be finalized later this year.

1. Right of access

The new Privacy Rule is likely to increase the obligations on covered entities to meet patient requests when patients exercise their right of access.

Here’s how: 

  • Strengthened rights for patients to inspect their protected health information (PHI) in person, including allowing them to take notes and photographs of their records.
  • Response times for PHI requests shortened from 30 days to 15, with a single extension of no more than 15 days.
  • Further clarity on patients’ right to receive their PHI in the form and format requested, including “readily producible” copies of ePHI transmitted through secure, standards-based application programming interfaces (APIs) chosen by the individual.
  • A prohibition on covered entities imposing “unreasonable measures” to verify patient identity, such as accepting only paper requests or requiring notarized signatures.
  • More detail on when PHI must be provided free of charge. Providers would also be required to post estimated fee schedules on their websites, offer individualized fee estimates on request, and provide itemized bills for completed requests.

2. Information sharing and care coordination 

One long-standing criticism of the HIPAA Privacy Rule is that it often acts as a barrier to comprehensive, coordinated patient care.

The proposed modifications should improve interoperability, enabling patients to direct providers to share their Electronic Health Records (EHR) with other providers and insurers as necessary.

Let’s look at the ramifications for covered entities in more detail:

  • Covered entities would be required to act on a patient’s request to send copies of their PHI held in an EHR to another provider or health plan, and to respond to such requests when they arrive from another covered entity on the patient’s behalf.
  • Covered entities would be permitted to disclose PHI to certain third parties, including social services agencies, community-based organizations and home and community-based service providers, for individual-level care coordination and case management. These care coordination and case management disclosures would become an exception to the minimum necessary standard.
  • Covered entities would be permitted to disclose PHI to avert harm that is “serious and reasonably foreseeable,” replacing the current, stricter “serious and imminent” threat standard.

3. Notice of privacy practices 

Last but certainly not least, the proposed rule aims to ease the administrative burden of the HIPAA Privacy Rule by modifying the requirement that providers obtain patients’ written acknowledgement of their notice of privacy practices (NPP).

  • The requirement for covered entities to obtain written acknowledgement that a Notice of Privacy Practices has been provided would be withdrawn.
  • Covered entities would need to update their notices to tell patients how to access their data, how to file a HIPAA complaint, and that they have a right to receive a copy of the notice.

Next Steps for HIPAA compliance

As we anticipate the finalization of these changes, it’s wise for covered entities to be proactive. Implementing these changes to the HIPAA Privacy Rule will take real work. On the operational side, you’ll need to update policies, procedures and NPPs, and retrain your employees on the revised Privacy Rule.

Then, from a technology standpoint, you’ll need to know exactly where all your electronic patient data lives, if you don’t already. As this update shows, patients’ right of access has become a top enforcement priority for OCR. Properly collecting, storing and protecting PHI is vital, and OCR won’t look kindly on organizations that fail to meet patient requests promptly or, worse, can’t find their health records at all.

While there is still time to align with the modifications, waiting will only put your organization under unnecessary pressure, so start taking action now.

The first step? Critically assess your compliance with the current version of the HIPAA Privacy Rule and diligently close any gaps. From there, review the proposed changes in detail (this fact sheet is a good place to start), noting the gaps between your current compliance posture and the proposed rules.

Following this, you can start to review your policies and procedures, making draft amendments in line with the expected finalizations. 

How Polymer can help with HIPAA compliance 

The HIPAA Privacy Rule changes reinforce a trend that has been gathering pace for a while: healthcare has become data-driven and, as a result, patients are rightfully being granted more autonomy over how their sensitive data is used, stored and shared.

Of course, for covered entities, this makes compliance challenging: they have to carefully balance patient demands for data–its availability–with ensuring this information’s confidentiality and integrity. 

Unfortunately, achieving this balance in a cloud-driven world is increasingly difficult. Traditional privacy and security solutions fail to extend visibility and control to the cloud apps healthcare employees use every day.

Without a solid grasp of where patient data is and who has access to it, healthcare entities will struggle to align with the HIPAA Privacy Rule changes and increase their likelihood of suffering a data leak or data breach.

Polymer data loss prevention (DLP) helps healthcare organizations ensure the security and availability of PHI in the cloud. Once deployed, it supports HIPAA compliance for your apps within minutes, using an artificial intelligence (AI) algorithm that automatically discovers and protects PHI in both unstructured and structured formats.

Polymer DLP autonomously identifies and redacts PHI or other sensitive data at risk of exposure or leakage to prevent policy violations and ensure granular visibility. 

While increased access rights might cause fears around employees misusing data, our tool prevents that. Its unique ‘ML-Synthesizer’ enforces granular contextual rules and policies, considering the person and user access intersection to automatically determine risk and remediation.

And when it comes to updating your training, we’ve also got you covered with user training built into the workflow. Polymer DLP uses behavioral science-backed micro training nudges, delivered at the moment a user makes an error, which deliver better results than traditional classroom training.

Ready to simplify HIPAA compliance and get ahead of the game with the Privacy Rule changes? Request a free demo today.

Polymer is a human-centric data loss prevention (DLP) platform that holistically reduces the risk of data exposure in your SaaS apps and AI tools. In addition to automatically detecting and remediating violations, Polymer coaches your employees to become better data stewards. Try Polymer for free.
