COVID-19 Employer
Resource Hub

Stay up to date with Coronavirus (COVID-19) resources, legal and HR compliance updates, and insight on how to stay informed, prepared and healthy.

NAVIGATE COVID-19

Proposed Rule Amending the HIPAA Privacy Rule

3/9/2021 Update: OCR extended the due date for public comments on the proposed rule to May 6, 2021.

The Office for Civil Rights (OCR) under the Department of Health and Human Services (HHS) (collectively, the Department) issued a proposed rule modifying the Privacy Rule under the Health Insurance Portability and Accountability Act (HIPAA) to support HHS’ Regulatory Sprint to Coordinated Care initiative. The Privacy Rule is one of several rules that are collectively known as the HIPAA Rules that protect the privacy and security of individuals’ medical records and other protected health information (PHI).

The Department proposes to modify the Privacy Rule to increase permissible disclosures of PHI and to improve care coordination and case management. If finalized, this rule would take effect 60 days after any final rule is published in the Federal Register. Covered entities and their business associates would have until the “compliance date” (180 days from the effective date of any finalized changes under the rule) to establish and implement policies and practices to achieve compliance with any new or modified standards in accordance with this rule.

Public comments on the proposed rule were originally due on March 22, 2021; however, OCR extended the deadline to May 6, 2021.

The Department proposes to modify the Privacy Rule by:

  • Adding definitions for electronic health records (EHRs) and personal health applications.
  • Modifying the provisions on the individuals’ right of access to PHI by:
    • strengthening the individuals’ right to inspect their PHI, which includes allowing individuals to take notes or use other personal resources to view and capture copies of their PHI in a designated record set;
    • shortening covered entities’ response time to 15 calendar days (from the current 30 days);
    • clarifying what constitutes a readily producible form and format when providing requested copies of PHI, which may be electronic PHI (ePHI) transmitted via a personal health application, while requiring covered entities to inform individuals about their right to obtain or direct copies of PHI to a third party when a summary or explanation is offered;
    • requiring covered health care providers and health plans to respond to certain record requests from other covered health care providers and health plans made at the direction of an individual;
    • clarifying when ePHI must be provided to the individual free of charge; amending the fee structure for certain requests to direct ePHI to a third party; and requiring covered entities to post fee schedules on their websites (if they have a website) for common types of requests for copies of PHI, and, upon request, provide individualized estimates of fees for copies and an itemized list of actual costs for requests for copies.
  • Reducing the identity verification burden on individuals exercising their access right.
  • Amending the definition of health care operations to clarify the scope of care coordination and case management activities encompassed in the term.
  • Creating an exception to the minimum necessary standard for disclosures to, or requests from, a health plan or covered health care provider for individual-level care coordination and case management activities.
  • Clarifying the scope of covered entities’ ability to disclose PHI to social services agencies, community-based organizations, home and community-based service (HCBS) providers, and other similar third parties that provide health-related services, to facilitate individual-level care coordination and case management activities that constitute treatment or health care operations.
  • Replacing the privacy standard that permits covered entities to make decisions about certain uses and disclosures based on their “professional judgment” with a standard permitting covered entities to use or disclose PHI in some circumstances based on a “good faith belief” that the use or disclosure is in the best interests of the individual.
  • Expanding the ability of covered entities to use or disclose PHI to avert a serious threat to health or safety when a harm is “serious and reasonably foreseeable,” instead of the current standard which requires a “serious and imminent” threat to health or safety.
  • Modifying the content requirements of the Notice of Privacy Practices to clarify for individuals their rights with respect to their PHI and how to exercise those rights.
  • Permitting disclosures to Telecommunications Relay Services (TRS) communications assistants and modifying the definition of business associate to exclude TRS providers.
  • Expanding the Armed Forces permission to use or disclose PHI to all Uniformed Services, which would include the U.S. Public Health Service (USPHS) Commissioned Corps and the National Oceanic and Atmospheric Administration (NOAA) Commissioned Corps.

If the proposed rule is finalized, group health plans should review their HIPAA Privacy Rule policies and procedures and amend them in accordance with the rule. If finalized, group health plans should consider training staff so they are aware of any changes to the policies and procedures.