We expect to see continued focus on privacy and security at the federal and state level. For example, California, Virginia, Colorado, Utah and Connecticut have new privacy laws coming into effect in 2023. As part of our State Law Privacy Video Series, McDermott described how these laws will affect health data and healthcare entities—in particular, those entities that are regulated by HIPAA.
In addition, at the end of 2022, the US Department of Health and Human Services (HHS) proposed long-awaited changes to the regulations protecting the confidentiality of substance-use disorder patient records under Part 2 of Title 42 of the Code of Federal Regulations (42 CFR Part 2, or Part 2). Specifically, the proposed rule would implement provisions of Section 3221 of the Coronavirus Aid, Relief, and Economic Security Act (CARES Act), which required HHS to align Part 2 with certain provisions of HIPAA and to make certain changes to the HIPAA Notice of Privacy Practices, the form given to patients and plan members that describes patient privacy rights, covered entity duties, and the covered entity’s uses and disclosures of protected health information.