Skip to main content
Top Button
Are Changes to the HIPAA Privacy Rule on the Horizon? Are Changes to the HIPAA Privacy Rule on the Horizon?

Are Changes to the HIPAA Privacy Rule on the Horizon?

Newly proposed changes to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule would, if adopted in proposed form, increase patients’ rights in accessing their protected health information (PHI) and lead to increased data access, sharing and portability. The proposed regulations are intended, according to the U.S. Department of Health and Human Services Office of Civil Rights (OCR), the agency issuing the proposed regulations, to reduce regulatory burdens on the health care industry, support individuals’ engagement in their care and to remove barriers to coordinated care. Citing a need to overcome regulatory barriers that impede the effective delivery of coordinated, value-based care, while still maintaining the privacy and security of individuals’ PHI, OCR has proposed several key amendments to the Privacy Rule, including:
  • Modifying regulatory provisions pertaining to an individual’s right to access their PHI by, in part,
    • strengthening the individual’s right to inspect their PHI in person and permitting the individual to take notes or use other personal resources to view and capture images of their PHI;
    • shortening the time a covered entity has to respond to a request by an individual to view their PHI from the current 30 days to 15;
    • reducing the identity verification burden on individuals seeking access to their PHI by prohibiting covered entities from imposing unreasonable verification measures on individuals, such as requiring notarization of requests or in-person proof of identity;
    • creating a pathway to permit individuals to direct covered entities to share electronic PHI with a third party; and
    • changing certain requirements pertaining to the fees covered entities are allowed to charge an individual to access their PHI.
  • Clarifying that the definition of “health care operations” includes all case management and care coordination activities, not just those that are population-based. According to OCR, some covered entities have not recognized individual case management and care coordination activities as being a part of the definition of health care operations, thus further limiting the use and disclosure of some individuals’ PHI.  The proposed rule would expressly permit covered entities to disclose PHI to social services agencies, community-based organizations, home and community-based service providers and other similar third parties that provide health-related services, helping to facilitate coordination of care and case management activities. The proposed rule would also create an express exception to the “minimum necessary” standard for individual level care coordination and case management uses and disclosures, meaning that covered entities would not be subject to the minimum necessary requirement of the Privacy Rule for uses by, disclosures to or requests by a health plan or covered health care provider for care coordination and case management activities.

  • Modifying the Privacy Rule to encourage health care providers to disclose PHI when families and other caregivers of individuals are attempting to assist with health-related emergencies, substance abuse disorders, serious mental illnesses, and other circumstances in which individuals are incapacitated or otherwise unable to express their privacy preferences. The proposed modifications include:
    • replacing “exercise of professional judgment” with “good faith belief” as the standard pursuant to which covered entities would be permitted to make certain uses and disclosures in the best interests of individuals;
    • including a presumption that a covered entity has complied with the good faith requirement, absent evidence that the covered entity acted in bad faith; and
    • expanding the ability of covered entities to disclose PHI to avert a threat to health or safety when a harm is “serious and reasonably foreseeable” instead of the current standard which requires a “serious and imminent” threat to health or safety.
  • Changing certain requirements regarding the Notice of Privacy Practices (NPP), including eliminating the requirement that covered entities obtain a written acknowledgement of receipt of a provider’s NPP, instead allowing the individual to discuss the NPP with a person designated by the covered entity, and by modifying some of the content requirements of the NPP in order to clarify individuals’ rights with regard to their PHI and how to exercise those rights.
The OCR has requested feedback on these and other proposed modifications to the Privacy Rule, with comments due by March 22, 2021. If you have any questions about the proposed regulations or other HIPAA related questions, please contact Margaret Emmert at or (317) 236-2169.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.
View Full Site View Mobile Optimized