Health Law Monitor
HHS Proposes Modifications to The HIPAA Privacy Rule
December 11, 2020
On December 10, 2020, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced proposed changes to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. The proposed updates aim to give patients more access to their health information and improve coordinated care, while also ensuring that patients are afforded privacy and security under HIPAA. These proposed changes come as no surprise given the Trump Administration’s efforts to empower patients with greater access to their health information. Furthermore, the changes support HHS’s Regulatory Sprint to Coordinated Care to promote value-based health care by eliminating regulatory barriers blocking patients from getting better care. The proposed changes include:
- Strengthening individuals’ rights to access their own health information, including electronic information;
- Improving information sharing for care coordination and case management for individuals;
- Facilitating greater family and caregiver involvement in the care of individuals experiencing emergencies or health crises;
- Enhancing flexibilities for disclosures in emergency or threatening circumstances, such as the Opioid and COVID-19 public health emergencies; and
- Reducing administrative burdens on HIPAA covered health care providers and health plans, while continuing to protect individuals’ health information privacy interests.
It is apparent that the proposed changes focus on strengthening and confirming individuals’ rights to access their protected health information (PHI). For example, individuals will be able to take notes and use other personal resources to view and capture images of their PHI. The identity-verification burden on individuals exercising their rights also will be reduced. Additionally, the proposed changes reduce the time period in which providers have to respond to an individual’s request for access to PHI from thirty (30) days to fifteen (15) days. Furthermore, the changes propose removing the requirement for providers to capture an acknowledgment of the receipt of the Notice of Privacy Practices. Individuals clearly will reap the benefits of the proposed changes, but these efforts also are purportedly intended to reduce administrative burdens on providers.
Public comments on the proposed changes are encouraged by the OCR and will be due 60 days after publication in the Federal Register.