December 16, 2020

On December 10, 2020, the Department of Health and Human Services (HHS), Office for Civil Rights (OCR) issued a notice of proposed rulemaking (NPRM) to modify the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. As a part of the OCR’s Regulatory Sprint to Coordinated Care, this NPRM builds on the public comments previously received in response to the agency’s 2018 Request for Information on Modifying the HIPAA Rules to Improve Coordinated Care.

HHS OCR proposes changes to the HIPAA Privacy Rule, and requests comments regarding: (1) strengthened access for individuals to their own information (including electronic information); (2) improved information sharing policies regarding care coordination and case management for individuals; (3) improved policies to facilitate family and caregiver involvement in individuals’ health emergencies or crises; (4) enhanced flexibility for disclosure in public health emergencies; and (5) proposed reduction of administrative burdens for HIPAA covered health care providers and health plans, specifically with regard to Notices of Privacy Practices.

Would individuals have increased rights to their own health information?

Yes, these proposed revisions increase individuals’ access to their own health information. Further, these proposals create additional requirements, and burdens, on health care providers and health plans (HIPAA Covered Entities), and additional options for individuals with regard to their own health information. The requirements, if finalized, would necessitate significant revisions to HIPAA Covered Entities’ policies, procedures and practices addressing access requirements, including with regard to electronic access and access by third parties. Finally, any HIPAA Business Associates assisting HIPAA Covered Entities with their access responsibilities under the HIPAA Privacy Rule would also have to address any new requirements.

How important are other proposed changes for patients and providers?

These proposed changes offer additional options for sharing of patient information with family members, friends, third party providers (care coordination/treatment support) and others involved in a patient’s care, including in cases of a “serious and reasonably foreseeable” harm to patients or others, even if such harm is not “imminent,” as provided by the current Privacy Rule language.

Proposed changes also include revisions to the Notice of Privacy Practices (NPP), eliminating the requirement to obtain individuals’ written acknowledgement of receipt of an NPP, and address telecommunications relay services offered to people who are deaf, hard of hearing, or deaf-blind, or who have a speech disability, to increase access to health care.

With these changes, health care providers will have more flexibility to share information, particularly in circumstances affecting patients in crisis or patients who need support from their family members, friends, or other caregivers. Note, however, that there are no new requirements for health care providers to share patient information. Health care providers would still have the choice of utilizing the new permissions available under this proposed HIPAA Privacy Rule, as long as it is in the best interest of the patient and the patient does not object to the disclosure.

Is it likely that the Biden administration will finalize these rules?

HIPAA and health information privacy and security have always been a bipartisan effort, and the changes proposed in this NPRM are not unexpected. We anticipate that the Biden administration will seriously consider all comments that are submitted in response to this NPRM.

What should HIPAA Covered Entities review particularly in this NPRM?

While these proposed changes will arguably improve individuals’ access to their health information, there may be potential issues with them regarding information sharing, particularly given the sensitivity of the health information that may be involved in such increased information sharing. Further, there will clearly be additional burdens on HIPAA Covered Entities and Business Associates, particularly with regard to any new patient access requirements.

Comments to the NPRM are due sixty days from publication in the Federal Register. We expect publication in the Federal Register to be imminent. We encourage stakeholders to review the NPRM and reach out directly to our HIPAA team with any questions or concerns.