HHS proposes overdue changes to HIPAA privacy rule

When access to healthcare services is fragmented – changing depending on plan types, insurance companies, and much more – patient care can suffer. That’s a problem that a new proposal from the Department of Health and Human Services hopes to address.
HIPAA privacy

On January 21, 2021, the Federal Register published a rule outlining proposed changes to the Privacy Rule within the Health Insurance Portability and Accountability Act (HIPAA). It would reduce administrative and regulatory burdens on providers while increasing patients’ ease of access to their medical records.  

Submitted by the Department of Health and Human Service’s (HHS’s) Office of Civil Rights (OCR), the rule is open for public comments until March 22, 2021.  

To ease access to telehealth services for Medicare recipients during COVID-19, HHS relaxed its enforcement discretion around certain parts of the Privacy Rule earlier this year. However, many private payers did not follow suit. The OCR’s proposal universalizes HHS’ action, which notably removed requirements that providers obtain and store a Notice of Privacy Provisions (NPP) for every patient for six years. Instead, providers could use a modified NPP to meet compliance requirements for telehealth visits.  

While the rule from OCR addresses many issues around patient access and the use of Protected Health Information (PHI) in care coordination, questions remain as to the potential misuse of sensitive PHI given the relaxed rules. 

Indeed, more than 20 years have passed since HIPAA was enacted in 1996 to both protect the rights of consumers in group health plans and establish safeguards to prevent theft and fraud of PHIFrom 2003 to 2013, the transition from paper to electronic medical records presented new security and privacy issues, requiring continuous updates – now collectively known as the HIPAA Privacy Rule – to address these new challenges. Today’s rapid adoption of telehealth services only heightens the importance of such updates. 

The Privacy Rule established safeguards for PHI; codified a minimum necessary standard to limit inappropriate access, use, or disclosure of PHI; and defined compliance requirements for providers who maintain PHI. However, it puzzlingly did not ensure patient access to their own medical information. Confusion about the rule has also limited its use in care coordination and case management activities integral to value-based care. 

To address this, OCR took action on December 10, 2020. Driven by a 2018 Request for Information that explored how changes to HIPAA could better support patient access and value-based care, OCR then issued a formal Notice of Proposed Rulemaking entitled Proposed Modifications to the HIPAA Privacy Rule to Support and Remove Barriers to Coordinated Care and Individual Engagementthe foundation of January’s proposed rule. In addition to NPP relaxation, it addresses two key areas: 

1. Ensuring patient access to health information 

Covered entities, including providers and health plans, would need to comply with the following requirements to ensure patient access to PHI: 

  • Response timeliness: Responses to a request for PHI must occur within 15 calendar days, and extensions for a request are limited to 15 calendar days. 
  • Right of access: Individuals can inspect PHI in person and use personal resources, such as note taking or capturing images on a mobile phone. 
  • Third party directives: Healthcare providers and health plans must provide electronic copies of PHI to another healthcare provider at the patient’s request. 
  • Fee limitations: No fee can be charged for access to PHI in person or by use of internet-based methods to view or obtain a copy of electronic PHI maintained by or on behalf of the provider or health plan. Only reasonable cost-based fees for non-electronic copies of PHI, or electronic copies of PHI directed to a third party, are permissible. 
  • Identity verification: Burdensome identification verification or notarization requirements are prohibited to access PHI. 

 2. Increasing availability of PHI for care coordination and case management 

The proposed rule establishes an exception to the minimum necessary standard for the use of PHI for: 

  • Individual level care coordination 
  • Case management activities 
  • Health-related social services social and community-based services provided by third parties 
  • Patients in an imminent or foreseeable emergency or health crisis 

OCR is expected to publish a final rule in 2021 that will support the information interoperability and patient access provisions of the 21st Century Cures CMS and ONC Interoperability rules. For more on the 21st Century Cures Act, click here

Ideas are meant for sharing.

Sign up today and have Ideas delivered straight to your inbox.

Latest Ideas​

Article
Discover how clinical terminology serves as the Rosetta Stone of health IT, influencing everything from documentation to billing and beyond.
Article
Learn how incorporating LLMs into value set creation optimizes clinical workflows, boosts accuracy, and enables scalable, clinically relevant management.
Webinar
In this webinar, we partner with AllClear ID to discuss their new solution, Health Bank One™, which combines a patient’s medical records with AI...