Newly Proposed Modifications to the HIPAA Privacy Rule in 2021
by Stephen Trout of HIPAA Vault
HIPAA regulations are headed for a much-needed update, designed to give patients greater access to and control over their own health information.
In a world where the sharing of online, personal information has come under increasing scrutiny, newly proposed modifications to the HIPAA Privacy Rule are now being formally discussed.
The proposed changes for the sharing of medical data are welcome since, ironically, healthcare patients seem to have less access to and control over their own data than many of their providers.
Prior to this year, the most recent changes to the HIPAA Privacy Rule came in 2013 for the HITECH Act. However, as with many public emergency scenarios, this past year has seen appropriate leniency in Privacy Rule enforcement due to COVID-19, with penalties and sanctions waived where good faith efforts for privacy have been maintained. (This extends to telehealth communications on a non-HIPAA compliant platform, disclosures for the benefit of public health, potential disclosures at mobile testing sites, and online scheduling of vaccination appointments.)
This past December, however, a number of permanent modifications were proposed by the Office for Civil Rights (OCR), the agency of the Department of Health and Human Services that oversees HIPAA regulations.
“Our proposed changes to the HIPAA Privacy Rule will break down barriers that have stood in the way of commonsense care coordination and value-based arrangements for far too long,” said HHS Secretary Alex Azar. “As part of our broader efforts to reform regulations that impede care coordination, these proposed reforms will reduce burdens on providers and empower patients and their families to secure better health.”
The changes, as summarized here by the HIPAA Journal, include the following:
- Strengthening individuals’ rights to inspect their PHI in person. This includes allowing individuals to take notes or use other personal resources to view and capture images of their PHI.
- Shortening covered entities’ required response time to no later than 15 calendar days (from the current 30 days).
- Requests by individuals to transfer ePHI to a third party will be limited to the ePHI maintained in an EHR.
- Individuals will be permitted to request their PHI be transferred to a personal health application.
- Stating when individuals should be provided with ePHI at no cost.
- Covered entities will be required to inform individuals that they have the right to obtain or direct copies of their PHI to a third party when a summary of PHI is offered instead of a copy.
- HIPAA-covered entities will be required to post estimated fee schedules on their websites for PHI access and disclosures.
- HIPAA-covered entities will be required to provide individualized estimates of the fees for providing an individual with a copy of their own PHI.
- A pathway is created for individuals to direct the sharing of PHI maintained in an EHR among covered entities.
- Healthcare providers and health plans will be required to respond to certain records requests from other covered health care providers and health plans, in cases when an individual directs those entities to do so under the HIPAA Right of Access.
- The requirement for HIPAA-covered entities to obtain written confirmation that a Notice of Privacy Practices has been provided has been dropped.
- Covered entities will be allowed to disclose PHI to avert a threat to health or safety when harm is “seriously and reasonably foreseeable.” The current definition is when harm is “serious and imminent.”
- Covered entities will be permitted to make certain uses and disclosures of PHI based on their good faith belief that it is in the best interest of the individual.
- The addition of a minimum necessary standard exception for individual-level care coordination and case management uses and disclosures, regardless of whether the activities constitute treatment or health care operations.
- The definition of healthcare operations has been broadened to cover care coordination and case management.
- The Armed Forces' permission to use or disclose PHI to all uniformed services has been expanded.
- A definition has been added for electronic health records.
As of March 9, 2021, the Office for Civil Rights (OCR) has announced a 45-day extension of the public comment period for the Notice of Proposed Rulemaking (NPRM) to modify the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.
The new deadline for the public to submit comments is now May 6, 2021.
HIPAA Vault is a leading provider of HIPAA compliant solutions, enabling healthcare providers, business organizations, and government agencies to secure their protected health information from data breaches, threats, and security vulnerabilities.