HHS Proposes Significant HIPAA Privacy Rule Changes: Amendments Would Increase Individual and Institutional Access and Coordination of Care

Advocates for healthcare patients, providers, payors and privacy professionals received good news on Thursday, December 10, 2020 with the announcement of long-awaited and debated proposed amendments to the complex Health Insurance Portability and Accountability Act of 1996 (HIPAA) “Standards for the Privacy of Individually Identifiable Health Information” (Privacy Rule). Motivated by nearly two decades of frustration by all whom HIPAA embraces, and perhaps inspired by the need for fast and efficient sharing of health information during a pandemic, the Office of Civil Rights (OCR) for the U.S. Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (the proposed Rule) aimed at preserving a significant degree of patient privacy while improving coordination of care and people’s access to their own records.

The 357-page proposed Rule amendments would modify the Privacy Rule under HIPAA and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act). In all, HHS proposes nine rule changes that would alter many sections of the Privacy Rule in the Code of Federal Regulations (CFR).[1]

The proposal includes a series of changes to the Privacy Rule to improve healthcare coordination and case management by expanding permissible disclosures of Protected Health Information (PHI). The proposed changes would allow people to get their own medical records faster and to take notes or cell phone photos of their PHI. HHS also proposes replacing the existing threshold for PHI uses and disclosures – a “professional judgment” standard – to a standard of a “good faith belief that the use or disclosure is in the best interests of the individual.” To better coordinate care among different healthcare providers and payors, the Privacy Rule would have an exception to the “minimum necessary” standard for individual-level care coordination and case management uses and disclosures. To facilitate the necessary flow of health information to avert a threat to health or safety, the proposed Rule would replace the current “serious and imminent threat” standard to a broader “serious and reasonably foreseeable” threat. HHS also proposes eliminating the need for providers to collect a patient’s signature on an acknowledgement of receipt of their Notice of Privacy Practices.

As with all changes in federal regulation, the proposed Rule triggers a time for public commentary. HHS seeks input within the next 60 days from patient advocacy groups, healthcare providers and health insurers with respect to each of the proposed changes.[2] Thereafter, HHS may revise the proposal as it reviews and responds to public comments. The new proposal includes a timeline whereby the proposed Rule would be effective 60 days after being finalized and published as final in the Federal Register, followed by a longer period of time (up to six months) for affected entities to come into compliance.

White and Williams is ready to work with healthcare providers, health insurers and representative organizations to articulate persuasive comments in response to – and refinement of – the proposed changes. If you have any questions or would like additional information, please contact Linda Perkins (perkinsl@whiteandwilliams.com; 215.864.6866), Bill Kennedy (kennedyw@whiteandwilliams.com; 215.864.6816) or another member of the Cyber Law and Data Protection or Healthcare Group.

[1] Specifically, the Rule would affect or amend 45 CFR §§164.103, 164.404, 164.414, 164.501, 164.502, 164.506, 164.508, 164.510, 164.511, 164.512, 164.513, 164.514, 164.520, 164.524 and 164.30.

[2] Formally, comments are due within 60 days of the NPRM’s publication in the Federal Register, which, as of Friday morning December 11, 2020, has yet to include this proposal.