HHS Announces Changes to the HIPAA Privacy Rule

Proposed modifications to the HIPAA Privacy Rule have been published in the Federal Registry. On December 10, 2020, Health and Human Services (HHS) published the proposed modifications to the HIPAA Privacy Rule that are written to empower patients, improve coordination of care, and reduce regulatory burdens.

Update: The OCR extended the deadline for comments to May 6, 2021.

What Happens After Publication

The comment period will end 60 days from the date the notice is published. You can find the Federal Register publication here. After all the comments are reviewed, the final rule will be published. The Effective Date will be 60 days after the final rule is published, and the Compliance Date will be 180 days from the Effective Date or 240 days from publication.

How Should You Respond

If you have questions or comments, submit them during the comment period. When the final rule is published, HHS will provide feedback, giving great insight when interpreting the changes.

How Should You Prepare

How will the proposed changes impact healthcare operations, patient access rights, and disclosures to third parties? What should you be doing to prepare?First and foremost, read the rule and familiarize yourself with the proposed changes. Here’s a brief overview of a few of the proposed changes:

  • Adds definitions for the terms electronic health record (EHR) and personal health application and amends the definition for healthcare operations.
  • Reduces the current 30-day time period to respond to a patient’s request for access to 15 days. While this provides patients with greater access to their information, it may also burden healthcare providers and require an increase in staff.
  • Strengthens individuals’ rights to inspect their protected health information (PHI) in person, which includes allowing individuals to take notes or use other personal resources to view and capture images of their PHI.
  • Eases information sharing during care coordination and case management.
  • The proposal explicitly mentions sharing information with family and caregivers is key to helping patients experiencing substance use disorders and severe mental illnesses.
  • Removes the requirement to acquire written acknowledgment of the Notice of Privacy Practice (NPP) and establishes a patients’ right to discuss the NPP with a designated person.
  • Clarifies the form and format required when responding to patients’ requests for access.
  • Reduces the identification burden on patients exercising their access rights. This is a particularly interesting clarification in the proposed rule. The key to this clarification is that the identification process should not create a barrier to access and allows for professional judgment.
  • Creates an exception to the minimum necessary standard for disclosures to, or requests from, a health plan or covered health care provider for individual-level care coordination and case management activities.
  • They are replacing the privacy standard that permits covered entities to make decisions about certain uses and disclosures based on their “professional judgment” with a standard permitting covered entities to use or disclose PHI in some circumstances based on a “good faith belief” that the use or disclosure is in the best interests of the individual.

Start reviewing current policies, procedures, and standard practices to identify necessary changes.

  1. Review your Notice of Privacy Practices.
  2. Identify system processes that need to be modified, such as requiring an acknowledgment for the receipt of your Notice of Privacy Practices in your EMR.
  3. And remember to train all workforce members on the changes!

We will continue to monitor this development and post updates as they come from Health and Human Services. Submit your questions on our contact form for DeAnn Tucker MHA, RHIA, CHPS, Senior Manager at Coker Group.

Related Insights