HHS Proposes Changes To HIPAA Regulations 

Situation Report | February 22, 2021

On January 21, the Office of Civil Rights (OCR) of the Department of Health & Human Services (HHS) issued proposed changes to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.

According to HHS, the modifications “address standards that may impede the transition to value-based health care by limiting or discouraging care coordination and case management communications among individuals and covered entities … or posing other unnecessary burdens.”

The proposal:

  • Incorporates definitions into the Privacy Rule that are necessary to implement key privacy provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, such as definitions for electronic health record and personal health application.
  • Strengthens the right to inspect and obtain copies of protected health information (PHI).
  • Creates a pathway for individuals to direct the sharing of an electronic copy of PHI in an EHR among covered health care providers and health plans.
  • Adjusts and clarifies the fees that covered entities may charge for copies of PHI.
  • Requires covered entities to post a fee schedule online (if they have a website) and make the fee schedule available to individuals at the point of service, upon an individual’s request.
  • Prohibits a covered entity from imposing an unreasonable identity verification requirement on an individual attempting to exercise the right of access.
  • Modifies the regulations to require that access be provided “as soon as practicable” (but in no case later than 15 calendar days) rather than 30 days as currently required, with the possibility of one 15 calendar-day extension.
  • Requires covered entities to establish written policies for prioritizing urgent or other high-priority access requests (especially those related to health and safety) so as to limit the need to use 15-day extensions for such requests.
  • Eliminates the requirements for covered providers with a direct treatment relationship to obtain a written acknowledgment that the Notice of Privacy Practices has been received. The proposal also would remove the current requirement to retain copies of such documentation for six years.

Comments on the proposed rule are due March 22, 2021.