Proposed Changes to HIPAA Privacy Rule for 2021 Announced by HHS

Recently, the Department of Health and Human Services (HHS), the agency that creates and enforces HIPAA regulations, proposed to modify the HIPAA Privacy Rule. The proposed modifications are contained in a Notice of Proposed Rulemaking (NPRM). Individuals have 60 days to comment on the proposed changes. Comments are due by May 6, 2021. HHS will consider these comments in deciding whether to make its proposed changes final. The proposed changes to HIPAA are discussed below.

The Purpose of the Proposed Changes to HIPAA Privacy Rule for 2021

As part of HHS’ Regulatory Sprint to Coordinated Care Initiative, the Office for Civil Rights (OCR) has issued a Notice of Proposed Rulemaking (NPRM) to modify the HIPAA Privacy Rule.

Proposed Changes to HIPAA Privacy Rule

The proposed changes seek to:  

  • Support individuals’ engagement in their care;
  • Remove barriers to coordinated care; 
  • Reduce regulatory burdens on the healthcare industry; and
  • Remove obstacles to patients’ right to access their own health information.

The proposed changes seek to promote the concept of “value-based care.” Under this concept, HHS seeks to remove regulations it believes stand in the way of innovation and care coordination.

The proposed changes to the HIPAA Privacy Rule include the following.

Reducing Identity Verification Burdens

Reducing identity verification burdens on individuals exercising their access rights. Under the proposed changes, providers and health plans would be required to submit individual access requests to another provider, and to receive back the requested electronic copies of the individual’s PHI in an electronic health record (EHR). Providers and health plans would be required to respond to certain records requests received by other providers and health plans when directed by individuals under the right of access.

Improving Information Sharing

Improving information sharing for care coordination and case management for individuals. This improvement would be made by making an exception to the “minimum necessary” standard. Under the proposed changes, covered entities need not limit uses and disclosures of PHI to the minimum necessary to accomplish the purpose of each use or disclosure when the PHI is used by, disclosed to, or requested by a health plan or covered healthcare provider for care coordination and case management activities with respect to an individual, regardless of whether such activities constitute treatment or healthcare operations.

Disclosure of PHI to Third-parties

Expansion of the scope of covered entities’ ability to disclose PHI to third-parties (social services agencies, community-based organizations, home and community-based service providers) that provide health-related services in order to facilitate coordination of care and case management for individuals.

Disclosures Based on Professional Judgment

Replacing the privacy standard that permits covered entities to make certain uses and disclosures of PHI based on their “professional judgment” with a standard that permits such uses or disclosures based on a covered entity’s good-faith belief that the use or disclosure is in the best interests of the individual.

Disclosures to Prevent Threat to Health or Safety

Expansion of the ability of covered entities to disclose PHI to avert a threat to health or safety when a harm is “serious and reasonably foreseeable,” instead of the current stricter standard, which requires a “serious and imminent” threat to health or safety. This expansion would give providers greater latitude in deciding when to disclose PHI in emergency or life-threatening circumstances, such as the opioid and COVID-19 public health emergencies.

Notice of Privacy Practices

  • Elimination of the requirement to obtain an individual’s written acknowledgment of receipt of a direct treatment provider’s Notice of Privacy Practices.
  • Modification of the content requirements of the NPP to clarify for individuals their rights with respect to their PHI and how to exercise those rights.

Reducing Administrative Burdens

Reducing administrative burdens on HIPAA covered healthcare providers and health plans, while continuing to protect individuals’ health information privacy interests.

Proposed Changes to HIPAA Privacy Rule and the Right of Access

Proposed changes to HIPAA include a significant revision of the HIPAA Privacy Rule’s right of access provision. The proposed changes to HIPAA include:

  • Strengthening individuals’ rights to inspect their PHI in person, which includes allowing individuals to take notes or use other personal resources to view and capture images of their PHI;
  • Shortening covered entities’ required response time to no later than 15 calendar days (from the current 30 days) with the opportunity for an extension of no more than 15 calendar days (from the current 30-day extension);
  • Clarifying the form and format required for responding to individuals’ requests for their PHI;
  • Requiring covered entities to inform individuals that they retain their right to obtain or direct copies of PHI to a third-party when a summary of PHI is offered in lieu of a copy;
  • Reducing the identity verification burden on individuals exercising their access rights; 
  • Creating a pathway for individuals to direct the sharing of PHI in an EHR among covered healthcare providers and health plans, by requiring covered healthcare providers and health plans to submit an individual’s access request to another healthcare provider and to receive back the requested electronic copies of the individual’s PHI in an EHR;
  • Requiring covered healthcare providers and health plans to respond to certain records requests received from other covered healthcare providers and health plans when directed by individuals pursuant to the right of access;
  • Limiting the individual right of access to direct the transmission of PHI to a third-party to electronic copies of PHI in an EHR;
  • Requiring providers to specify when electronic PHI (ePHI) must be provided to the individual at no charge;
  • Amending the permissible fee structure for responding to requests to direct records to a third-party; and
  • Requiring covered entities to post estimated fee schedules on their websites for access and for disclosures with an individual’s valid authorization and, upon request, provide individualized estimates of fees for an individual’s request for copies of PHI, and itemized bills for completed requests.

OCR encourages comments on its proposed changes to HIPAA. Comments are encouraged from all stakeholders, including patients and their families, HIPAA covered entities (health plans, healthcare clearinghouses, and most healthcare providers) and their business associates, consumer advocates, healthcare professional associations, health information management professionals, health information technology vendors, and government entities.