On December 10, 2020, the U.S. Department of Health and Human Services (HHS) announced proposed changes to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, which is one of several rules that protect the privacy and security of individuals’ medical records and other protected health information (PHI). According to HHS, the proposed changes are intended to support individuals’ engagement in their health care, remove barriers to coordinated care and case management, and reduce regulatory burdens on the health care industry, while continuing to protect the privacy and security of individuals’ PHI.

Some of the proposed changes affect individuals’ right of access to PHI by, among other things, strengthening their right to inspect their PHI in person by allowing them to take notes or use other personal resources to view and capture images of their PHI, reducing the identity verification burden on those exercising their access rights, and creating a pathway for individuals to direct the sharing of PHI in an electronic health record (EHR). The proposed changes address areas of the Privacy Rule, including in particular the right of access, that have been the subject of enforcement scrutiny and litigation in recent years (see, e.g., recent articles here, here, and here).

HHS also proposes shortening covered entities’ current 30 calendar day response time to give individuals access to their PHI to a maximum of 15 calendar days with a potential a 15-day extension (currently, a 30-day extension is permitted). The proposed rule clarifies the form and format required for responding to such requests for access, and specifies when electronic PHI must be provided to individuals at no charge. In addition, the proposed rule amends the permissible fee structure for covered entities to respond to requests to direct records to a third party, and would require covered entities to post estimated fee schedules on their website for access and for disclosures with an individual’s valid authorization. Upon request, covered entities would be required to provide individualized estimates of fees for an individual’s request for copies of PHI, and to provide itemized bills for completed requests. The proposed modifications also would eliminate the requirement of obtaining a patient’s written acknowledgment of receiving a provider’s Notice of Privacy Practices.

The HHS rule proposes to clarify the scope of permitted uses and disclosures for individual-level care coordination and case management that constitute “health care operations” by proposing to amend the definition of that term. HHS also proposes to create an exception to the “minimum necessary” standard for uses by, disclosures to, or requests by a health plan or covered health care provider for care coordination and case management activities. The proposed rule also seeks to clarify the abilities of covered entities to disclose PHI to social services agencies, community-based organizations, home- and community-based service providers, and similar third parties that provide health-related services, in furtherance of the coordination and management of individuals’ care. HHS also proposes to replace the privacy standard currently permitting covered entities to make certain uses and disclosures of PHI based on “professional judgment” with one based on a good-faith belief that the use or disclosure is in the best interests of the individual. Finally, HHS proposes to permit covered entities to disclose PHI to avert a threat to health or safety when harm is “serious and reasonably foreseeable” (replacing the current “serious and imminent” harm threshold for such disclosures).

HHS seeks comments by interested parties including patients, HIPAA covered entities and business associates, consumer advocates, health care professional associations, health information management professionals, health information technology vendors, and government entities. Comments are due within 60 days after the proposed rule is formally published in the Federal Register (which is expected to occur in the coming days), and can be submitted electronically or by mail to HHS. Given the upcoming change in administration, the significant updates proposed by HHS in this proposed rule, as well as the comments that will be received from industry stakeholders, it is likely the proposed modifications will be the subject of significant analysis and potential changes before HHS takes steps to finalize.

Photo of Conor Duffy Conor Duffy

Conor Duffy is a member of Robinson+Cole’s Health Law Group and the firm’s Data Privacy + Security Team. Mr. Duffy advises hospitals, physician groups, accountable care organizations, community providers, post-acute care providers, and other health care entities on general corporate matters and health…

Conor Duffy is a member of Robinson+Cole’s Health Law Group and the firm’s Data Privacy + Security Team. Mr. Duffy advises hospitals, physician groups, accountable care organizations, community providers, post-acute care providers, and other health care entities on general corporate matters and health care issues. He provides legal counsel on a full range of transactional and regulatory health law issues, including contracting, licensure, mergers and acquisitions, the False Claims Act, the Stark Law, Medicare and Medicaid fraud and abuse laws and regulations, HIPAA compliance, state breach notification requirements, and other health care regulatory matters. Read his full rc.com bio here.