
With Dr. Ty Blog


HIPAA's New Privacy Laws: What Chiropractors Must Do Now

The New HIPAA Landscape

As healthcare providers dedicated to patient well-being, chiropractors need to be aware of the significant updates to the HIPAA Privacy Rule that took effect on June 25, 2024. These changes focus on protecting sensitive reproductive health information and have substantial implications for our practices. Compliance is not optional; you must align your operations with these requirements by December 23, 2024, to avoid severe penalties. (See 89 FR 32976 for details.)

Why Time is of the Essence

The stakes are high with the OCR rolling out immediate, random audits across all healthcare sectors, including chiropractic offices. Every chiropractor needs to be audit-ready. Failure to adhere to HIPAA and related compliance laws could result in significant penalties and legal ramifications and harm our established reputation as reliable professionals. As chiropractors, we understand that our patients' trust is crucial, and maintaining it requires providing excellent care and strictly adhering to privacy regulations.

While HIPAA regulations can seem daunting, the true challenge lies in ensuring our compliance programs are robust enough to withstand government scrutiny. Many practices mistakenly believe they are compliant, only to discover gaps that can result in significant issues once audits begin. We must be proactive and vigilant in our approach to HIPAA compliance.

Where to Start: Ensure Your Program is Audit-Ready

Before discussing specific updates, it is crucial to evaluate the strength of your existing compliance program. For some chiropractors, this will mean creating a compliance program for the first time. Remember that a defensible HIPAA program is comprehensive, updated regularly, and clearly demonstrates that all necessary steps have been taken to protect patient privacy.

Here are key actions you must prioritize:

Revamp Your Business Associate Agreements (BAAs)
Your practice likely collaborates with various third-party vendors, from billing services to IT consultants, who have access to patient information. We need to secure these relationships with updated BAAs that clearly outline our partners' responsibilities in protecting sensitive data they have access to. If you haven’t reviewed your BAAs recently, now is the time. Be sure they now include precisely how you and your BAs will handle reproductive health information under the new law.

Make Critical Policy Changes to Reflect the New Reproductive Health Data Rules
Updating your compliance manual to reflect new regulations concerning reproductive health data is essential. Ensure your staff understands the changes and knows how to implement them in daily practice.

Conduct Staff Training and Document It Thoroughly
Comprehensive training is a cornerstone of compliance. Your staff's understanding of, and adherence to, the new law can be one of the most critical aspects of your defensible HIPAA compliance program. We must ensure every team member is well-informed about the latest HIPAA requirements by providing updated training sessions.

This includes:
- Regular updates during annual training sessions.
- Onboarding training for new hires within 45 days.
- Periodic security reminders to reinforce best practices.

Documenting this training is crucial as it serves as at least one proof of compliance during an audit.

Introduce a New Authorization Form
A specific authorization form for handling reproductive health information is one of the best ways to ensure compliance with the new law's requirements. This form should be clear and straightforward for patients, providing transparency about how their data will be used and protected.

Stay Updated on Changes to the Notice of Privacy Practices (NPP)
The NPP is an essential document that informs patients about how their health information will be used and protected. The new rules require we revise this document by February 16, 2026. More on this to come, but in the meantime, provide every patient an NPP and post it prominently on your website if it’s not already there – today.

Building Patient Trust Through Compliance

As chiropractors, we strive to create an environment of trust and safety for our patients. We are in the business of healing and making people’s lives better, and in this way, we make our communities better. Adhering to HIPAA laws ensures that our practice is compliant, and we uphold our patients' confidence. In a world where data breaches and privacy violations are all too common, patients are increasingly conscious of their privacy rights. Maintaining a compliant practice shows our dedication to putting their well-being first from the moment they walk through our doors.

New Reporting Requirements for Breaches

With the new regulations, you now have only 15 days to report any data breach. This means it's imperative that your breach notification policies are up to date and that your team knows exactly what to do if a breach occurs. It's urgent, and we must act fast to ensure we're on top of this requirement, as breaches never warn us.

Additional Critical Updates to Keep on Your Radar into 2025

While reproductive health data is a significant focus of the new law, several other areas require our attention to ensure compliance. Addressing these areas will prepare our practice for any audits that may come our way:

- Mandatory Data Encryption: Encrypting patient health information (PHI) is now a requirement, not just a recommendation. This is vital to protect sensitive data at rest and during transmission.

- Access Controls and Authentication: Only authorized personnel should have access to PHI, so we must implement robust access controls and reinforce our systems with strong authentication measures.

- Regular Security Risk Assessments: These assessments are more essential than ever and must be well documented. If audited, you must show proof of your risk analysis and any actions you have taken to mitigate identified risks.

- System Updates and Patch Management: Keeping our technological systems updated with the latest security patches is vital to maintaining compliance. Regularly collaborate with IT professionals to ensure all office technology is updated and secure.

- Issue Immediate Staff Reminders: Don’t wait until your annual HIPAA training to update your staff. Distribute security reminders that address the new regulations right away, ensuring everyone is informed. Again, do not wait: we can reasonably anticipate the government will have a nearly zero-tolerance policy, so our entire team must know and comply with the new law.

Patient Records Requests: Don’t Let This Slip

We must be diligent when handling patient records requests. Under HIPAA, we have a maximum of 30 days to respond. While extensions may occasionally be granted in exceptional circumstances, regularly meeting this deadline in a matter of days is crucial to maintaining your practice's compliance. If you need more than a few days to respond to requests for records, you should also have a compelling and defensible reason for the delay that you know will hold up under intense scrutiny if and when it comes. Otherwise, do not risk it.

Final Thoughts

Adapting to the recent changes to the HIPAA Privacy Law is essential for us as chiropractors. We must follow the new rules, but it's also a chance to show our patients we take their privacy seriously. By adjusting our practices to comply with the new law in the next few months, we can prove that we're dedicated to protecting our patients' privacy while providing top-notch care to our community. Ultimately, this also means you are taking all necessary steps to protect the practice you have built and that you and your loved ones depend on.

Consulting with a HIPAA compliance expert involved directly in cybersecurity discussions with federal investigators can provide additional assurance that your policies and procedures are up to date. Now is the time to act—let's follow the new law to keep doing what we do best: helping our patients stay healthy. If you need guidance or assistance with these or any other compliance law changes, feel free to get in touch. We're here to back you up, and together, we can prepare our practices for whatever lies ahead.

Dr. Ty Talcott, DC, CHPSE, is a highly respected healthcare compliance professional and a licensed chiropractor. As the CEO of HIPAA Compliance Services and Power Strategies, Inc., Dr. Ty has participated in the national cybersecurity symposium in Washington, D.C., and has guided numerous healthcare practices through webinars, live events, and practice management consulting. He is dedicated to protecting the chiropractic profession and empowering innovative doctors to safeguard their practices against complaints, errors, cyberattacks, and government audits.

Drtythecomplianceguy.com | ty.talcott@gmail.com | (469) 371-8804


Copyright © 2024 Beyond Wellness LLC
All Rights reserved.

NOTICE: Dr. Ty and his associated companies provide this information with the express understanding that (1) no attorney-client relationship exists, (2) neither Dr. Ty, his employees nor its attorneys are engaged in providing legal advice, and (3) the information is of a general character. This is not a substitute for the advice of an attorney. While every effort is made to ensure that content is complete, accurate, and timely, Dr. Ty cannot guarantee the accuracy and totality of the information contained in this publication and assumes no legal responsibility for loss or damages resulting from the use of this content. You should not rely on this information when dealing with personal legal matters; rather, legal advice from retained legal counsel should be sought. Any legal forms are only provided for the use of physicians in consultation with their attorneys. Certain links provided with this information connect to websites maintained by third parties. Dr. Ty has no control over these websites or the information, goods, or services provided by third parties. Dr. Ty shall have no liability for any use or reliance by a user on these third-party websites.