Proposed Changes to HIPAA Privacy Rule in 2021

Posted by Marni Smilow Levitt, Feb 2, 2021

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) will see significant changes this year as the U.S. Department of Health and Human Services (HHS) continues its “Regulatory Sprint to Coordinated Care” initiative, which aims to remove obstacles to coordinated patient care that may exist due to federal regulations like HIPAA. On December 10th, the HHS’ Office for Civil Rights (OCR) issued a Notice of Proposed Rulemaking, indicating its intention to revise the HIPAA Privacy Rule, among other priorities.

In addition to expanding and strengthening a patient’s right of access to their own digital health records (“Protected Health Information” or “PHI”), these modifications will seek to facilitate greater family and caregiver involvement in patient care and access to PHI during emergencies or health crises. Likewise, the HHS hopes to reduce some of the administrative burden facing providers and health plans.

Below is an overview of the proposed revisions:

  1. Patients will be given the right to inspect their PHI in person, including the right to take notes about or capture images of their records.

  2. Patients will face fewer identity verification requirements when requesting PHI.

  3. Patients will be able to direct the sharing of their PHI among providers and health plans through electronic health records.

  4. In response to patient access requests, HIPAA-covered entities will have 15 days to respond, as opposed to the current 30-day response time frame.

  5. The content and form of a provider’s response to PHI requests will be required to meet certain specifications.

  6. HIPAA-covered entities will be required to post on their websites estimated fees for providing copies of PHI. Also, the regulations will specify certain instances in which patient records must be provided free of charge.

  7. Covered entities will have new obligations relating to their submission of access requests to other health care providers.

  8. Patients will no longer be required to acknowledge in writing when they receive a copy of the provider’s privacy policy.

  9. In cases where the health or safety of a patient is at risk, the standard for disclosure of PHI will be relaxed from the current standard of “serious and imminent threat” to “serious and reasonably foreseeable” risk.

Next Steps: Covered Entities and Business Associates

Although these changes have yet to be codified, businesses impacted by the HIPAA Privacy Rule are advised to begin the process of reviewing relevant policies and procedures. Covered Entities should review patient access protocols, as well as any Business Associate Agreements to determine which provisions may need updating in the event the HHS’ proposed changes become law. Likewise, Business Associates who are expected to fulfill the PHI-related obligations of their Covered Entity customers should also consider how these changes will impact their operations.

If you have questions about the proposed changes to the HIPAA Privacy Rule, please feel free to contact Marni Levitt at [email protected] or contact us via our website.


Marni Levitt is a Member of Outside GC’s Boston-based team. She brings over twenty years of experience practicing health care and hospital law, with a focus on healthcare regulatory compliance, HIPAA and privacy-related matters, and general contracts review, including Business Associate Agreements. Marni can be reached at [email protected] or 508-561-4306.

This publication should not be construed as legal advice or a legal opinion on any specific facts or circumstances, nor an offer to represent you. It is not intended to create, and receipt does not constitute, an attorney-client relationship. The contents are intended for general informational purposes only, and you are urged to consult your attorney concerning any particular situation and any specific legal questions you may have. Pursuant to applicable rules of professional conduct, portions of this publication may constitute Attorney Advertising.
