HHS Issues Proposed Modifications to HIPAA Privacy Rule
On December 10, 2020, HHS released a proposed rule that modifies the HIPAA privacy rules. The proposed rules come after HHS issued a 2018 Request for Information on how HIPAA could be modified to support healthcare coordination. As a result of the comments received, HHS is seeking to amend HIPAA’s privacy regulations in a way that removes barriers to coordinated care and reduces regulatory burdens on the healthcare industry.
The proposed rules make many changes to individuals’ right to access their PHI. Specifically, the rule would allow individuals to use their own electronic devices to access their PHI, and that electronic access would need to be provided to the requestor free of charge. It would also shorten the period of time that covered entities have to respond to requests for access to 15 days (from the current 30-day timeframe). Additionally, any fees related to accessing PHI would need to be posted on covered entities’ websites.
The proposed rules also add additional context to the disclosures that can be made without the need for patient authorization. As background, HIPAA allows disclosures for treatment and healthcare operations to be made without the individual’s authorization. The proposed rule includes care coordination and case management activities within the definitions of “treatment” and “health care operations.” The proposed rule also allows for covered entities to disclose PHI to various social service agencies, community-based organizations, home and community based service providers, and other similar third parties to facilitate coordination of care and case management.
In order to assist individuals in special situations, the proposed rules also allow for covered entities to make certain disclosures when there are emergency circumstances if there is a serious and reasonably foreseeable threat to health and safety. The rule also allows covered entities to make disclosures based on their good faith belief that the disclosure would be in the best interest of the individual (replacing their "professional judgment” as the standard).
Finally, the proposed rule removes the requirement for individuals to acknowledge receipt of the notice of privacy practices in writing. This change will likely ease the administrative burden on care providers.
There will be a 60-day comment period beginning on the date the proposed rule is published in the Federal Register. Since the proposed rule is a part of the Trump administration’s “Regulatory Sprint to Coordinated Care,” and because the rule would potentially be finalized after the start of the Biden administration, it’s hard to know how the rule will proceed through the administrative process. We will continue to report on this rule in Compliance Corner.
Proposed Modifications to the HIPAA Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement »