RELATED: HIPAA Privacy Rule Changes Coming in 2023: Five Steps to Prepare (May 3, 2023)
January 21, 2021, the Department of Health and Human Services (HHS) published
proposed modifications to the Health Insurance Portability and Accountability Act of 1996 (HIPAA)
and the Health Information Technology for Economic and Clinical Health Act
of 2009 (HITECH).
The proposed rule is part of HHS’
Regulatory Sprint to Coordinated Care, which seeks to promote value-based
healthcare by examining federal regulations that impede efforts among
healthcare providers and health plans to better coordinate care for
patients. Specifically, HHS aims to amend the regulations implemented
pursuant to HIPAA and HITECH where the rules present barriers to
coordinated care and case management or where they otherwise impose burdens
on covered entities that do not increase individuals’ privacy protections.
- If HHS finalizes the proposed rule, HIPAA covered entities (including hospitals, physicians and other healthcare
providers, payors and insurers) and business associates will be required to
update their policies, procedures, security standards, notices of privacy
practices (NPP), authorization and disclosure forms, and business associate
agreements, among other things, to reflect the modifications made by the
- The proposed rule would give providers more flexibility in disclosing
protected health information (PHI) to provide care to their patients,
including encouraging providers to engage in a greater degree of care
- Covered entities interested in providing comments to the proposed rule
must submit them on or before March 22, 2021.
Key Proposed Changes
Removes Patient Acknowledgement of NPP. The proposed rule would eliminate the requirement that a covered
entity obtain an individual’s signature or acknowledgment of receipt of
the NPP. Instead, the proposed rule would replace this requirement with
an individual’s right to discuss the NPP with a person designated at
the covered entity.
The proposed rule also would modify the content of the NPP. The
modifications would include revising the NPP header to include information
on how individuals can access their health information, file a HIPAA
complaint and contact a designated individual to ask questions.
Revises Minimum Necessary Standard. HHS proposed removing the minimum necessary requirement when healthcare
plans or providers make disclosures for care coordination and case
management at the individual level. For example, when a health plan
requests that a healthcare provider disclose an individual’s PHI for
care coordination to facilitate an individual’s participation in the
plan’s wellness program, the healthcare provider could disclose the PHI
without analyzing whether the disclosure meets the minimum necessary
Allows for Disclosures Related to Care Coordination and Case
Management. The proposed rule would clarify that covered entities may disclose
PHI to entities that coordinate “ancillary and health-related”
services. These ancillary and health-related services could include
social services agencies, community-based organizations, home- and
community-based service providers, and other similar third parties that
provide health-related services to specific individuals for
individual-level care coordination and case management. HHS believes
this change would facilitate greater wraparound support for
individuals, particularly when it is difficult to contact an individual
for authorization (e.g., when the individual is homeless).
Broadens Allowable Disclosures for Health Emergencies. HHS proposed broadening the allowed disclosure of PHI for the care and treatment of
individuals experiencing substance abuse disorders, serious mental
and other health emergencies. Specifically, if the proposed changes are
finalized, covered entities would be permitted to disclose PHI if there
is a “serious and reasonably foreseeable threat” instead of the current
standard of a “serious and imminent threat.” Further, the proposed rule
would replace “exercise of professional judgment” with “good faith
belief” as the standard for when covered entities need to disclose PHI
in the best interest of individuals.
Expands Individuals’ Rights to Access Their PHI. The proposed rule would strengthen individuals’ rights to access
their own PHI by expanding how individuals can retrieve their PHI and
decreasing the time allotted to covered entities to respond to
individuals’ requests for their PHI. HHS proposed allowing individuals
to take notes, videos and photographs, and use other personal resources
to view and capture PHI as part of their right to inspect PHI in
person. HHS noted, however, that it would not expect a covered entity
to tolerate unacceptable security risks, such as allowing individuals
to connect a thumb drive to the covered entity’s information system.
HHS also proposed to modify the longstanding access rules to require
covered entities to provide individuals with access to their PHI “as soon
as practicable,” but in no case later than 15 days, with the possibility of
one 15-day extension. The 15-day deadline would replace the current 30-day
deadline with one 30-day extension. Regardless, covered entities should
always review applicable state law, as many states impose shorter time
limits for granting individuals’
access to their PHI.
Modifies Fees Charged for Access to PHI. The proposed rule would clarify when PHI must be provided to
individuals at no charge and amend the fee charged when a covered
entity responds to an individual’s request to direct records to third
parties. The proposed rule would also require covered entities to post
fee schedules on their websites and, upon request, provide
individualized fee estimates and itemized bills in response to an
individual’s request for copies of his or her PHI.
Adds Definitions for Key Terms. HHS proposed adding definitions for “Electronic Health Record” (EHR) and
“Personal Health Application.” These definitions may impact how HIPAA
applies to EHRs and applications that individual patients use to share
McGuireWoods will continue to monitor the proposed rule. For additional
information on privacy and security of health information and HHS’ Regulatory Sprint to Coordinated Care, see McGuireWoods’ previous alerts and insights.