Last Updated: Mar 15, 2021
Update 3/15/2021: The comment period for the Proposed Rule has been extended to May 6, 2021.
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently issued a Notice of Proposed Rulemaking (Proposed Rule) that if finalized would modify several key portions of the HIPAA Privacy Rule.
The Proposed Rule is a continuation of HHS and OCR’s recent efforts to reduce potential administrative burdens on providers while also emphasizing patients’ right of access to their protected health information (PHI).
The full text of the proposed rule can be accessed here.
What does the Proposed Rule do?
Key provisions of the Proposed Rule include the following:
- EHR Definition: The Proposed Rule adds a definition for “electronic health record.” The Privacy Rule currently does not define the term “electronic health record.” A definition for “personal health application” is also proposed.
- Health Care Operations: The Proposed Rule amends the definition of “health care operations” to clarify the scope of permitted uses and disclosures for individual-level care coordination and case management that constitute health care operations.
- Response Timeliness: Under existing regulations, a covered entity must act on an individual's request to access their PHI no later than 30 calendar days after receipt of the request. The Proposed Rule shortens this timeframe to 15 calendar days with a potential additional 15-day extension (Currently, a 30-day extension is permitted).
- Right of Access: The Proposed Rule clarifies that an individual’s right of access to their PHI includes the right to view, take notes, take photographs, and use other personal resources to capture the information, except that a covered entity is not required to allow an individual to connect a personal device to the covered entity’s information systems and may impose requirements to ensure that an individual records only PHI to which the individual has a right of access.
- Identity Verification: Under the Proposed Rule, covered entities may not impose unreasonable verification measures on an individual that would impede the individual from exercising a right under this part. An unreasonable measure is one that causes an individual to expend unnecessary effort or resources when a less burdensome verification measure is practicable for the covered entity. For example, according to examples listed in the Proposed Rule, obtaining notarization of the individual’s signature on a request form would be considered an unreasonable measure.
- Privacy Standards: The Proposed Rule replaces the privacy standard that permits covered entities to make certain uses and disclosures of PHI based on their “professional judgment” with a standard permitting such uses or disclosures based on a covered entity’s good faith belief that the use or disclosure is in the best interests of the individual.
- Fee Limitations: The Proposed Rule describes categories of access for which covered entities cannot charge a fee. No fee can be charged when an individual inspects their PHI in person or uses an internet-based method to view or obtain a copy of electronic PHI maintained by or on behalf of the covered entity. Regarding an access request to direct an electron copy of PHI in an EHR to a third party, the Proposed Rule specifies that covered entities can only a charge a fee for the labor for copying the PHI and for preparing an explanation or summary of the PHI if the individual has agreed to such summary.
- Third Party Directives: The Proposed Rule expressly provides individuals with the right to direct a covered health care provider to transmit an electronic copy of PHI in an EHR directly to a third party designated by the individual.
- Notice of Privacy Practices: The Proposed Rule eliminates the requirement to obtain an individual’s written acknowledgment of receipt of a direct treatment provider’s Notice of Privacy Practices (NPP). Additionally, the Proposed Rule also modifies the content requirements of the NPP to clarify for individuals their rights with respect to their PHI and how to exercise those rights.
- Notice of Access and Authorization Fees: The Proposed Rule adds a requirement that covered entities provide advance notice of approximate fees for copies of PHI requested under the access right and with an individual’s valid authorization. Specifically, covered entities would be required to post a fee schedule online (if they have a website) and make the fee schedule available to individuals at the point of service and upon request.
- Additional Provisions: The Proposed Rule contains several other Privacy Rule modifications including, but not limited to:
- Proposing to permit covered entities to disclose PHI to avert a threat to health or safety when harm is “serious and reasonably foreseeable” (replacing the current “serious and imminent” harm threshold for such disclosures).
- Clarifications regarding the ability of covered entities to disclose PHI to social services agencies, community-based organizations, home- and community-based service providers, and similar third parties that provide health-related services, in furtherance of the coordination and management of individuals’ care.
- Creating an exception to the “minimum necessary” standard for uses by, disclosures to, or requests by a health plan or covered health care provider for care coordination and case management activities.
How can comments be summitted?
Comments may be submitted within 60-days after the Proposed Rule is formally published in the Federal Register. The proposed regulations were published in the Jan. 21, 2021 edition of the Federal Register.
Comments were originally due on or before March 22, 2021. However, after taking office, President Biden’s administration announced a regulatory freeze regarding new or pending regulations. In light of this freeze, HHS has extended the comment period for the Proposed Rule to May 6, 2021.
Comments may be submitted either electronically or by mail to HHS through the following methods:
- Federal eRulemaking Portal: You may submit electronic comments at http://www.regulations.gov by searching for the Docket ID number HHS-OCR0945-AA00. Follow the instructions online for submitting comments through this method.
- Regular, Express, or Overnight Mail: You may mail comments to U.S. Department of Health and Human Services, Office for Civil Rights, Attention: Proposed Modifications to the HIPAA Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement NPRM, RIN 0945- AA00, Hubert H. Humphrey Building, Room 509F, 200 Independence Avenue, SW, Washington, DC 20201.
Additional information regarding the Proposed Rule can be accessed on HHS’s website here.
The Pennsylvania Medical Society (PAMED) will continue to monitor developments related to the Proposed Rule and will provide updates accordingly.