Summary of Provisions in Proposed Modifications to the HIPAA Privacy Rule

The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) recently announced proposed changes to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule which, according to OCR, would support individuals' engagement in their healthcare, remove barriers to coordinated care, and reduce regulatory burdens on the healthcare industry.

We have been reviewing the Proposed Rule and have extracted the following major provisions that could be modified in the HIPAA Privacy Rule. The key points are in bold, and how they could impact the day-to-day operations of healthcare organizations is underlined. We encourage healthcare organizations to carefully review each of these proposed modifications and consider providing comments on them.

In our opinion, what happens with comments and with changes in government (such as at HHS) in 2021 will determine whether these proposed changes are further modified. Some of the modifications will be welcomed (e.g., no longer requiring a signed acknowledgment of receipt of the Notice of Privacy Practices), while others may prove to be more challenging for healthcare providers (e.g., the shortened response time of no later than 15 calendar days, down from the current 30 days).

• Adding definitions for the terms electronic health record (EHR) and personal health application. Currently, the Privacy Rule does not define the term "electronic health record" or "personal health application."

• Modifying provisions on the individuals' right of access to PHI by:

  • strengthening individuals' rights to inspect their PHI in person, which includes allowing individuals to take notes or use other personal resources to view and capture images of their PHI;

  • shortening covered entities' required response time to no later than 15 calendar days (from the current 30 days) with the opportunity for an extension of no more than 15 calendar days (from the current 30-day extension);

  • requiring covered entities to post estimated fee schedules on their websites for access and for disclosures with an individual's valid authorization and, upon request, provide individualized estimates of fees for an individual's request for copies of PHI, and itemized bills for completed requests;

  • amending the permissible fee structure for responding to requests to direct records to a third party;

  • specifying when electronic PHI (ePHI) must be provided to the individual at no charge;

  • limiting the individual right of access to direct the transmission of PHI to a third party to electronic copies of PHI in an EHR;

  • requiring covered health care providers and health plans to respond to certain records requests received from other covered health care providers and health plans when directed by individuals pursuant to the right of access;

  • creating a pathway for individuals to direct the sharing of PHI in an EHR among covered health care providers and health plans, by requiring covered health care providers and health plans to submit an individual's access request to another health care provider and to receive back the requested electronic copies of the individual's PHI in an EHR;

  • reducing the identity verification burden on individuals exercising their access rights;

  • requiring covered entities to inform individuals that they retain their right to obtain or direct copies of PHI to a third party when a summary of PHI is offered in lieu of a copy; and

  • clarifying the form and format required for responding to individuals' requests for their PHI.

• Amending the definition of health care operations to clarify the scope of permitted uses and disclosures for individual-level care coordination and case management that constitute health care operations.

• Creating an exception to the "minimum necessary" standard for individual-level care coordination and case management uses and disclosures.

The minimum necessary standard generally requires covered entities to limit uses and disclosures of PHI to the minimum necessary to accomplish the purpose of each use or disclosure. This proposal would relieve covered entities of the minimum necessary requirement for uses by, disclosures to, or requests by a health plan or covered healthcare provider for care coordination and case management activities with respect to an individual, regardless of whether such activities constitute treatment or healthcare operations.

• Clarifying the scope of covered entities' abilities to disclose PHI to social services agencies, community-based organizations, home and community-based service (HCBS) providers, and other similar third parties that provide health-related services, to facilitate coordination of care and case management for individuals.

• Replacing the privacy standard that permits covered entities to make certain uses and disclosures of PHI based on their "professional judgment" with a standard permitting such uses or disclosures based on a covered entity's good faith belief that the use or disclosure is in the best interests of the individual.

The proposed standard is more permissive in that it would presume a covered entity's good faith, but this presumption could be overcome with evidence of bad faith.

• Expanding the ability of covered entities to disclose PHI to avert a threat to health or safety when harm is "serious and reasonably foreseeable," instead of the current stricter standard which requires a "serious and imminent" threat to health or safety.

• Eliminating the requirement to obtain an individual's written acknowledgment of receipt of a direct treatment provider's Notice of Privacy Practices (NPP).

• Modifying the content requirements of the NPP to clarify for individuals their rights with respect to their PHI and how to exercise those rights.

• Expressly permitting disclosures to Telecommunications Relay Services (TRS) communications assistants for persons who are deaf, hard of hearing, or deafblind, or who have a speech disability, and modifying the definition of business associate to exclude TRS providers.

• Expanding the Armed Forces permission to use or disclose PHI to all uniformed services, which then would include the U.S. Public Health Service (USPHS) Commissioned Corps and the National Oceanic and Atmospheric Administration (NOAA) Commissioned Corps.

OCR stated that it carefully considered the extent to which each proposed modification would impact privacy protections compared to the likely benefit of making PHI more available for coordination of care or case management.

Comments Encouraged

OCR is encouraging comments from all stakeholders, including patients and their families, HIPAA-covered entities (health plans, healthcare clearinghouses, and most healthcare providers) and their business associates, consumer advocates, healthcare professional associations, health information management professionals, health information technology vendors, and government entities. Comments can be submitted at

Proposed Effective Date

The effective date of a final rule would be 60 days after publication.

Covered entities and their business associates would have until the "compliance date" to establish and implement policies and practices to achieve compliance with any new or modified standards.

It is important to note that, if the rule is finalized, covered entities and business associates must comply with the applicable new or modified standards or implementation specifications no later than 180 days from the effective date of any such change.