iQoncept - Fotolia

HHS proposes changes to HIPAA privacy rule

HHS wants to modify the HIPAA privacy rule to encourage better care coordination and make it easier for patients to access their health data.

The U.S. Department of Health and Human Services is proposing modifications to the HIPAA privacy rule, which comes just months after it passed a new regulation requiring health systems to provide API access to third-party applications.

The proposed HIPAA changes address privacy and security standards that impede a patient's ability to access personal health data and hamper healthcare's transition to value-based care, a model focused on value and quality of care.

"Our proposed changes to the HIPAA privacy rule will break down barriers that have stood in the way of commonsense care coordination and value-based arrangements for far too long," HHS Secretary Alex Azar said in a news release.

The HIPAA privacy rule outlines data privacy and security provisions for safeguarding patients' medical records and protected health information (PHI), but it hasn't been significantly updated since 2013. As technology for data sharing has advanced, healthcare stakeholders have called for HIPAA to keep pace.

Proposed HIPAA changes

On Thursday, HHS issued a Notice of Proposed Rulemaking, a legal notice of a potential change in law. HHS stated it wants, most notably, to "increase permissible disclosures of PHI" through the proposed HIPAA changes.

Kirk Nahra, a data privacy and cybersecurity expert and partner at Wilmer Cutler Pickering Hale and Dorr LLP in Washington, D.C., said improving patient access to data and increased data sharing are the two biggest focuses of the proposed HIPAA changes.

"HIPAA is pretty permissive on a lot of stuff, and I think what this is doing is making it clearer and more obvious that people can share," Nahra said.

The proposed changes to HIPAA could increase a patient's rights to takes notes or photos of their PHI in person, simplify the identity verification process for patients looking to access their PHI, and shorten the amount of time a covered entity has to respond to a request for PHI from 30 to 15 days.

Kate Borten, a data privacy and security expert, said the proposed HIPAA changes provide much-needed clarity on giving patients access to their data, particularly by shortening the window of time healthcare systems can take to provide patient data once it's requested.

"The proposal notes that some providers currently only contact patients with questions as the 30-day time frame draws near, and then assume the clock starts ticking after all questions are resolved," she said. "The proposal makes clear that the 15-day window begins when the patient submits the request for a copy."

To increase coordinated care, the proposed modifications clarify when a covered entity can share PHI with an organization not covered by HIPAA such as a social service agency or a community-based organization.

Nahra said the proposed HIPAA changes indicate that federal regulators want to better align the healthcare regulation with the expanding definition of caretakers involved in a patient's healthcare journey.

"If you went to the hospital and a doctor said, 'She doesn't have enough food, we want to get her food,' this rule is designed to make it easier for the hospital to share information about you with the food bank," he said.

Aligning patient data access goals with data protection

Matthew Fisher, partner and chairman of the health law group at Mirick, O'Connell, DeMallie & Lougee LLP in Boston, said the proposed HIPAA changes align with overall efforts by HHS to increase patients' access to their health data, particularly with the recently finalized information blocking and interoperability rules from the Office of the National Coordinator for Health IT and the Centers for Medicare & Medicaid Services that aim to make accessing healthcare data easier through APIs.

Going forward, Fisher said federal regulators and the healthcare community will have to walk a fine line between flexible data sharing and data protection.

"There is still this delicate but necessary balancing of respecting privacy interests of individuals, but at the same time enabling the information to be utilized for the individual's benefit without necessarily having to always go back and get permission," he said.

Stakeholders have 60 days to comment on the proposed HIPAA changes.

Dig Deeper on Risk management and governance