HHS Issues Proposed Changes to the HIPAA Privacy Rule

On December 10, 2020, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) issued a Notice of Proposed Rulemaking (“NPRM”) to modify the HIPAA Privacy Rule. HHS stated that the proposed modifications, which are being issued as part of HHS’s “Regulatory Sprint to Coordinated Care,” are aimed at removing barriers to coordinated care, strengthening individuals’ access to their own medical information, and reducing unnecessary administrative burdens. Proposed changes to the HIPAA Privacy Rule in the NPRM include:

      • Reducing the time that covered entities have to respond to a patient’s request to access his or her medical records to 15 calendar days (with the possibility of a 15 day extension);
      • Allowing an individual to take notes, videos, and photographs, and use other personal resources to capture Protected Health Information (“PHI”) in a designated record set when accessing PHI in person;
      • Changing the fee structure applicable to requests for access to PHI and adding a requirement that covered entities provide advance notice of approximate fees for copies of PHI;
      • Modifying the definition of “health care operations” to clarify that the term encompasses both individual-level and population-based care coordination and case management activities by health plans and covered health care providers;
      • Adding an exception to the minimum necessary standard for disclosures to, or requests by, a health plan or covered health care provider for care coordination and case management for an individual;
      • Expressly allowing covered entities to disclose PHI to social services agencies, community based organizations, home and community based service providers, and other similar third parties that provide health-related services to specific individuals for individual-level care coordination and case management;
      • Replacing the “professional judgment standard” with a “good faith standard” for certain disclosures of PHI allowed in the Privacy Rule;
      • Eliminating the requirement for a direct treatment provider to obtain written acknowledgment of receipt of the Notice of Privacy Practices (“NPP”) and adding an individual right to discuss the NPP with a person designated by the covered entity;
      • Expressly allowing covered entities and their business associates to disclose PHI to telecommunications relay service communications assistants; and
      • Expanding the current Armed Forces exception for covered entities to use and disclose PHI for mission requirements and veteran eligibility to all uniformed services personnel.

Comments will be due 60 days after the NPRM is published in the Federal Register.