20 time-saving tips
Download 20 quick tips to help you spend less time on admin and more time helping your clients!


2023 HIPAA updates that will affect your small healthcare practice

There are some big HIPAA updates coming up in 2023 that you need to be aware of. Let’s figure out what they means for your practice.


There are some big HIPAA updates coming up in 2023 that you need to be aware of. But don’t worry… 

We haven’t copied and pasted the complicated legal text for you to digest on your own. 

We took a look at all the changes that will affect you as a small healthcare practice. Then, we put together short, simple nuggets of information that are easy to understand. Finally, we give you actions you can take now to ensure you’re prepared and compliant.  

HIPAA is changing. Let’s figure out what that means for your practice. 

HIPAA Privacy Rule 2023 updates

Here are the changes to the HIPAA Privacy Rule that you need to consider if you’re a small healthcare practice. There are more changes, which you can read about here. This is the official document, and it’s quite lengthy. A quick search for 2023 HIPAA changes will pull up various articles containing summaries.  

If you’re a small healthcare practice, these are the changes that are most likely to affect you:

Changes to how clients can access their information

They’ll be able to:

  • Review their health information in person and take notes or photographs

  • Receive their health information within 15 calendar days following their request (with a possible 15 day extension)

Before, practitioners had 30 days to respond to a request with the possibility of a 30 day extension. 

Changes to how you inform your clients of their rights

You’ll need to:

  • Let clients know they can get access to their health information

  • Let clients know that they can request a complete copy of their health information instead of a summary 

  • Post estimated fee schedules on your website for health information access and disclosures

  • Provide estimates of the fees to individual clients

  • Give your Notice of Privacy Practices (NPP) to your clients. You no longer have to get a written acknowledgment that they received it. However, it may be prudent to still have them do so.

What’s a Notice of Privacy Practices (NPP)?

An NPP is a document that clearly states your clients’ rights regarding their health information. 

It explains how health information can be used and disclosed, how your practice protects it, and how your clients can access it.  


2023 HIPAA checklist

Prepare for 2023 HIPAA changes now

Once the final rule is published, you’ll have a grace period in which to make the required changes. At this time, it sounds like that period will be 180 days, but that could change. 

Enter your information below, and we’ll send you an email as soon as the new Privacy Rule goes into effect.

Here’s what you can do now to make sure you’re prepared. 

Make sure your clients have a private area 

Your clients will need to be able to take photos and notes of their protected health information (PHI) comfortably. Think through the process of how this might work in your office. Your clients need privacy, but you may also want to be present during the review. Records may need to be separated or redacted, and you’ll need to figure out how to do that in a timely fashion. All practices are unique. Going through possible scenarios now will allow you to troubleshoot the process before the rule is in effect.  

Private Health Record Viewing

Update your workflow 

You’ll need to handle requests for information in a timely manner. Fifteen days is plenty of time to reply to clients’ record requests if you’re organized and have a process in place. Write out a plan so you can send your records out with time to spare. 

Here’s a simple plan that you can use to get started:


How you can honor a records request within 15 days

15-day workflow

Post updated fee schedules for PHI access on your website 

Although there are individual state laws governing how to determine your fees, HIPAA has the final say on the matter. HIPAA requires that your fees must be reasonable and cost-based. You can read more about what this means here

“HIPAA has put provisions in place to try to ensure that no one is unable to access their medical records due to financial hardship. If there’s a conflict between the state law and HIPAA, the HIPAA rule prevails.”

Steve Youngman, Vice-President of Legal, Hushmail

Identify where you’ll update your Notice of Privacy Practices

It’s a good idea to review your NPP annually. And you can add planning for updates to the process. Wait to make your changes, but go ahead and draft what you plan to include and decide where you’ll put it. 

Train staff to handle the changes

The changes you’ll need to make are relatively simple, but don’t underestimate the education involved. If you have office staff, they’ll need to be informed of how to help clients request and view their records. This could be as simple as explaining three things:

  • Your new workflow to handle records requests
  • How clients can view their records in person in your office
  • Any fee changes and where to post them

Sign up for updates about the HIPAA Privacy Rule

The final rule is expected to be published in the first quarter of 2023. You don’t want to miss that important announcement! 

Enter your information below, and we’ll send you an email as soon as the new Privacy Rule goes into effect.

Think about your risks

When you make changes to how your practice handles PHI, you should consider the risks. This is an actual process required by HIPAA called “risk analysis.” 

The process is pretty straightforward, especially for a small practice. You identify the sensitive information that comes through your practice. Then you figure out how that information might be at risk. For example, could your computer be stolen? Or are you sending emails through a service like Gmail that isn’t very secure? 

After you determine where your sensitive information is and how it might be harmed, you figure out how to protect it. For example, you could sign up for a HIPAA-compliant email service. 

“Once you know what your most important assets are (e.g., your clients’ PHI) and how they’re vulnerable, you can take sensible steps that will help protect them.”

Steve Youngman,  Vice-President of Legal, Hushmail

Conducting a risk analysis before the updated Privacy Rule goes into effect will help identify compliance gaps that you can fix now. This will make it easier for you to apply the 2023 changes when the time comes. 

Why is the HIPAA Privacy Rule changing in 2023?

Believe it or not, it’s in the interest of making your administrative tasks easier. The HIPAA Privacy rule requires a lot and there have been many requests from practitioners to make it less burdensome. The U.S. Department of Health and Human Services (HHS) has been sorting through these requests for the past few years. They drafted changes, sought additional feedback, and now they’re about to publish the updated Privacy Rule.

Some of these changes might make things easier for you, but some might make them more difficult, at least in the short term. 

The best thing to do is learn about the changes now so you have plenty of time to prepare.

More HIPAA updates to know about in 2023

There are a few other HIPAA adjustments to consider. They could directly impact you if you're a small to medium size practice. 

The telehealth exception continues

The telehealth exception that was put in place during the COVID pandemic is remaining in place for now. This is the exception that allowed practitioners to use telehealth platforms even if they weren’t traditionally HIPAA compliant. It will remain in effect until the Secretary of the HHS declares the public health emergency is over. Then, you may be penalized for using platforms like Zoom or Facetime to provide care. Be sure to follow HHS news so you don’t miss this announcement. 

Data breach? There may be a safe harbor 

If you experience a data breach, you may qualify for a “safe harbor” if you’ve done your best in the past year to protect your clients’ information. Investigators will consider evidence that you’ve implemented security best practices in the last year and possibly reduce or waive fines.

What’s the HIPAA Safe Harbor Act?

This law says that the HHS will consider your best efforts to protect your clients' health information if there's a data breach.  Penalties may be reduced or waived and audits may be shortened.  

Hushmail helps you meet the new HIPAA requirements

As you likely already know, HIPAA laws require reliable tools. The changes to the HIPAA Privacy Rule are no exception. Fortunately, numerous organizations make it their business to help you comply. One is Hushmail for Healthcare, which provides secure email and web forms for small to medium-sized practices. Here’s how Hushmail can help you meet the new HIPAA requirements. 

Easily send your records within 15 days

Once you receive a records request, those 15 days will go by fast. You need a secure way to send the records to your clients, but the US postal service isn’t referred to as “snail mail” for nothing. Your best option is to send them electronically, but they must be sent through a HIPAA-compliant service. And that’s Hushmail for Healthcare

Organize your practice forms for easy access  

Hushmail also allows you to get all of your practice forms filled out, signed, and filed away in one place so they’re easily accessible. This helps cut down the admin time it takes to prepare health records to send out.

Help you qualify for a ‘safe harbor’ 

Hushmail is one reliable safeguard you can put in place to help you qualify for the safe harbor consideration. If you still need to get secure email and forms in place, start now. The law only applies if you can show that you’ve made efforts to secure your clients’ information for the last 12 months. 

Learn more about Hushmail for Healthcare

Similar posts