3/9/2021 Update: OCR extended the due date for public comments on the proposed rule to May 6, 2021.
The Office for Civil Rights (OCR) under the Department of Health and Human Services (HHS) (collectively, the Department) issued a proposed rule modifying the Privacy Rule under the Health Insurance Portability and Accountability Act (HIPAA) to support HHS’ Regulatory Sprint to Coordinated Care initiative. The Privacy Rule is one of several rules that are collectively known as the HIPAA Rules that protect the privacy and security of individuals’ medical records and other protected health information (PHI). PHI is individually identifiable health information maintained or transmitted by or on behalf of HIPAA covered entities (i.e., health care providers who conduct health care transactions electronically, health plans, and health care clearinghouses). The HIPAA Privacy Rule imposes federal requirements to protect PHI held by covered entities and their business associates, gives patients’ rights with respect to that information, and permits covered entities and business associates to disclose PHI for patient care and other important purposes.
If finalized, this rule would take effect 60 days after any final rule is published in the Federal Register. Covered entities and their business associates would have until the “compliance date” (180 days from the effective date of any finalized changes under the rule) to establish and implement policies and practices to achieve compliance with any new or modified standards in accordance with this rule.
Public comments on the proposed rule were originally due on March 22, 2021; however, OCR extended the deadline to May 6, 2021.
- Individual Right of Access to PHI
- Business Associate Disclosure of PHI
- Notice of Individual Access and Authorization Fees
- Proposed Clarification to the Definition of Health Care Operations
- Proposed Exception to the Minimum Necessary Standard
- Proposed Clarification on the Scope of Covered Entities’ Abilities to Disclose PHI to Third Parties for Individual-Level Care Coordination and Case Management that Constitutes Treatment or Health Care Operations
- Proposed Amendment to Change “Professional Judgment” to “Good Faith Belief”
- Proposed Amendment to Change “Serious and Imminent Threat” to “Serious and Reasonably Foreseeable Threat”
- Proposed Amendment to the Notice of Privacy Practices (NPP) Requirement
- Proposed Rule on using Telecommunications Relay Services (TRS)
- Proposed Expansion to Use and Disclose the PHI of Uniformed Services Personnel