Is Change Coming to the HHS Privacy Rule?

Recently, the Department of Health and Human Services (HHS), the agency that creates and enforces HIPAA regulations, proposed to modify the HIPAA Privacy Rule. The proposed modifications are contained in a Notice of Proposed Rulemaking (NPRM). Individuals have 60 days to comment on the proposed changes. HHS will consider these comments in deciding whether to make its proposed change final. The proposed HHS Privacy Rule change is discussed below.

Purpose of HHS’ Proposal

As part of HHS’ Regulatory Sprint to Coordinated Care Initiative, the Office for Civil Rights (OCR) has issued a Notice of Proposed Rulemaking (NPRM) to modify the HIPAA Privacy Rule. The proposed changes seek to:  

  • Support individuals’ engagement in their care;
  • Remove barriers to coordinated care and reduce regulatory burdens on the healthcare industry; and
  • Remove obstacles to patients’ right to access their own health information.

The proposed changes seek to promote the concept of “value-based care.”  Under this concept, HHS seeks to remove regulations it believes stand in the way of innovation and care coordination.

HHS Privacy Rule

The proposed changes to the HHS Privacy Rule include:

  • Strengthening individuals’ rights to access their own health information, including electronic information; 
  • Improving information sharing for care coordination and case management for individuals; 
  • Facilitating greater family and caregiver involvement in the care of individuals experiencing emergencies or health crises; 
  • Enhancing flexibilities for disclosures in emergency or threatening circumstances, such as the opioid and COVID-19 public health emergencies; and 
  • Reducing administrative burdens on HIPAA covered healthcare providers and health plans, while continuing to protect individuals’ health information privacy interests.

Proposed Changes to the Right of Access Rule

HHS has proposed to substantially modify the HHS Privacy Rule right of access provision. The proposed modifications include:

  • Strengthening individuals’ rights to inspect their PHI in person, which includes allowing individuals to take notes or use other personal resources to view and capture images of their PHI;
  • Shortening covered entities’ required response time to no later than 15 calendar days (from the current 30 days) with the opportunity for an extension of no more than 15 calendar days (from the current 30-day extension);
  • Clarifying the form and format required for responding to individuals’ requests for their PHI;
  • Requiring covered entities to inform individuals that they retain their right to obtain or direct copies of PHI to a third party when a summary of PHI is offered in lieu of a copy;
  • Reducing the identity verification burden on individuals exercising their access rights; 
  • Creating a pathway for individuals to direct the sharing of PHI in an EHR among covered healthcare providers and health plans, by requiring covered healthcare providers and health plans to submit an individual’s access request to another healthcare provider and to receive back the requested electronic copies of the individual’s PHI in an EHR;
  • Requiring covered healthcare providers and health plans to respond to certain records requests received from other covered healthcare providers and health plans when directed by individuals pursuant to the right of access;
  • Limiting the individual right of access to direct the transmission of PHI to a third party to electronic copies of PHI in an EHR;
  • Requiring providers to specify when electronic PHI (ePHI) must be provided to the individual at no charge;
  • Amending the permissible fee structure for responding to requests to direct records to a third party; and
  • Requiring covered entities to post estimated fee schedules on their websites for access and for disclosures with an individual’s valid authorization and, upon request, provide individualized estimates of fees for an individual’s request for copies of PHI, and itemized bills for completed requests.

OCR encourages comments on its proposal to amend the HHS Privacy Rule. Comments are encouraged from all stakeholders, including patients and their families, HIPAA covered entities (health plans, healthcare clearinghouses, and most healthcare providers) and their business associates, consumer advocates, healthcare professional associations, health information management professionals, health information technology vendors, and government entities.