WANAN YOSSINGKUM/istock via Gett

HHS Proposes HIPAA Privacy Rule Changes, Improving Right of Access

HHS OCR released a set of proposed changes to the HIPAA Privacy Rule, which would bolster individuals’ right of access, reduce regulatory burden, and support care coordination.

The Department of Health and Human Services Office for Civil Rights released a set of proposed changes to the HIPAA Privacy Rule, which take aim at Right of Access rules and are designed to reduce regulatory burden, improve care coordination, and better support patient engagement.

The Notice of Proposed Rulemaking is part of the HHS Regulatory Sprint to Coordinated Care, launched in support of value-based care. The initiative is focused on examining federal regulatory requirements that could impede care coordination efforts between providers.

The latest HHS proposal includes strengthening a patient's right to access their own health information. HHS has prioritized the HIPAA Right of Access rule in 2020, issuing a dozen enforcement actions in the last year.

Data has shown many covered entities struggle to comply with the HIPAA regulation, despite improvements made over the last year.

Some of the HHS proposed changes are designed to address these issues, in addition to modifying the rule to better facilitate caregiver and family involvement in care of those facing health crises or emergencies, as well as more flexibility for disclosures made in emergency or threatening circumstances, such as those related to COVID-19 or opioid abuse.

Lastly, the proposal also aims to reduce administrative burdens on HIPAA-covered entities and health plans, while strengthening privacy protections around protected health information.

“These proposed changes reduce burden on providers and support new ways for them to innovate and coordinate care on behalf of patients, while ensuring that we uphold HIPAA’s promise of privacy and security,” said HHS Deputy Secretary Eric Hargan, in a statement.

“As part of our broader efforts to reform regulations that impede care coordination, these proposed reforms will reduce burdens on providers and empower patients and their families to secure better health,” HHS Secretary Alex Azar, said in the release.

Specifically, the proposed changes will add definitions for the terms electronic health records and personal health applications, while modifying provisions on the individuals’ right of access to PHI.

Those modifications include strengthening the right to inspect PHI in person, including taking notes or using other resources to view and capture images of their PHI.

Further, it would shorten the required response time for covered entities from the current 30-day limit, to no later than 15 calendar days, with an opportunity for an extension of no more than 15 calendar days. Covered entities are currently allowed to ask for an extension of up to 30 days.

The changes will also clarify the form and format required to respond to individuals’ PHI request and requires covered entities to inform patients that they retain the right to obtain or direct copies of PHI to a third party, “when a summary of PHI is offered in lieu of a copy.”

HHS is also proposing the reduction of the identity verification on individuals exercising their right to access their PHI, along with creating a pathway “for individuals to direct the sharing of PHI in an EHR among covered health care providers and health plans.”

Under the proposal,covered health care providers and health plans would be required to submit “an individual’s access request to another health care provider and to receive back the requested electronic copies of the individual’s PHI in an EHR.”

The change would also limit the individual right of access to direct transmission of PHI to a third party via electronic PHI copies in an EHR.

Also notable, HHS proposes “replacing the privacy standard that permits covered entities to make certain uses and disclosures of PHI based on their ‘professional judgment’ with a standard permitting such uses or disclosures based on a covered entity’s good faith belief that the use or disclosure is in the best interests of the individual.”

“The proposed standard is more permissive in that it would presume a covered entity’s good faith, but this presumption could be overcome with evidence of bad faith,” according to the proposal.

The proposal contains a host of other suggested modifications, for which industry stakeholders can provide feedback via mail or through the Federal eRulemaking portal within the next 60 days.

Next Steps

Dig Deeper on HIPAA compliance and regulation