On December 10, 2020, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued a press release, fact sheet, and an unpublished proposed rule announcing intended changes to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.[1] The proposed changes follow a request for information from December 14, 2018 and support the Department’s Regulatory Sprint to Coordinated Care and its Right of Access initiative.[2][3] They also align with other recent health information technology efforts to improve the sharing of health information, empower individuals with their own health information, and remove unnecessary administrative burdens on health care providers and health plans. One media outlet summarized the proposed rule this way: “HIPAA changes shift the mindset from protecting to sharing health information.”[4]
Comments on this proposed rule are due 60 days after publication in the Federal Register.
Modifications to Improve Access and Coordination
The rule proposes to modify the Standards for Privacy of Individually Identifiable Health Information, also known as the Privacy Rule,[5] which is part of a collection of rules known as the HIPAA rules. These modifications aim to enhance care coordination by improving the appropriate access to protected health information (PHI) by patients, caregivers, providers, and health plans:
- Allowing individuals to inspect their PHI in person and take notes or capture images of these records;
- Requiring covered entities[6] to provide requested PHI within 15 days instead of the current 30 days;
- Creating a pathway for individuals to direct the sharing of PHI held in an electronic health record (EHR) among health care providers and health plans, and requiring them to respond to record requests;
- Specifying when electronic PHI must be provided to an individual at no charge;
- Requiring HIPAA-covered entities to post a fee schedule on their websites for PHI access and disclosures and provide estimated fees for an individual’s request for copies of PHI; and
- Eliminating the requirement to obtain an individual’s written acknowledgement of receipt of a provider’s Notice of Privacy Practices (NPP).
The proposed rule also:
- Requires covered entities to inform individuals that they have the right to obtain a copy of their PHI when a summary is offered instead;
- Reduces the identity verification requirements individuals must meet to obtain access to their PHI;
- Requires individuals who direct PHI to a third party to do so electronically;
- Amends the definition of health care operations to clarify the scope of permitted use and disclosures for individual-level care coordination;
- Modifies the “minimum necessary” standard, which currently limits the ability to share PHI, to promote uses and disclosures of PHI for care coordination and case management when requested by or disclosed to a health plan or covered health provider;
- Clarifies what PHI covered entities may disclose to social service agencies, community-based organizations, home and community-based service (HCBS) providers, and other third parties;
- Allows a covered entity to disclose PHI when it determines, in good faith, that the disclosure is in the best interest of the individual, replacing the current privacy standard;
- Expands the ability of covered entities to disclose PHI to avert a threat to health or safety;
- Expressly permits disclosure of PHI to Telecommunication Relay Services (TRS);
- Expands Armed Forces permission to use or disclose PHI to all uniformed services; and
- Adds definitions for the terms electronic health record (EHR) and personal health application.
Covered Entities Have Until Compliance Date to Implement Policies
Although the effective date of the final rule is 60 days after its publication in the Federal Register, covered entities and business associates must comply with the applicable new or modified standards and implement the new specifications no later than 180 days after the effective date.
[1] The Privacy Rule implements provisions of the Health Insurance Portability and Accountability Act of 1996 [P.L. 104-191].
[2] The Regulatory Sprint seeks to promote value-based health care by updating federal regulations that unnecessarily impede efforts among health care providers, health plans, and other service providers to better coordinate care for individuals.
[3] https://www.hhs.gov/hipaa/for-individuals/guidance-materials-for-consumers/index.html
[4] https://www.modernhealthcare.com/law-regulation/hipaa-changes-shift-mindset-protecting-sharing-health-information
[5] The HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes.
[6] Covered entities (including health plans, clearinghouses, and certain health care providers) are bound by the privacy standards even if they contract with others (called “business associates”) to perform some of their essential functions.