HHS proposes modifications to HIPAA Privacy Rule

The Office for Civil Rights (OCR) at HHS announced on December 10 proposed modifications to the HIPAA Privacy Rule, placing an emphasis on individuals’ right of access to their protected health information (PHI).

Under the proposed changes, individuals will be granted greater access to their PHI. They will be permitted to take notes or use other personal resources to capture images while viewing their PHI. In addition, covered entities (CE) must respond to individuals’ requests for PHI no later than 15 calendar days, with the opportunity for extension of no more than 15 calendar days. Currently, CEs must respond within a 30-day window and can receive a 30-day extension.

The proposed modifications to individuals’ right of access to PHI also include reducing identity verification burden on individuals exercising their access rights, creating a pathway for individuals to direct the sharing of PHI in an electronic health record (EHR) among CEs, and requiring CEs to post estimated fee schedules on their websites for access and disclosures with an individual’s valid authorization.

HHS’ proposed modifications extend beyond individuals’ access to PHI. CEs will receive greater flexibility in their handling of PHI, as well. Under the proposed changes, CEs will have an expanded ability to disclose PHI to avert a threat when harm is “serious and reasonably foreseeable.” The current standard allows for expanded ability to disclose PHI when there is a “serious and imminent” threat to health or safety.

The proposed modifications also create an exception to the minimum necessary standard for individual-level care coordination and case management uses and disclosures. Currently, the minimum necessary standard requires CEs to limit uses and disclosures of PHI to the minimum necessary to accomplish the purpose of each use or disclosure. The proposed modification would relieve CEs of the minimum necessary requirements for uses or disclosures for care coordination and case management activities.

Also included in the proposed modifications are the following:

• Eliminating the requirement to obtain an individual’s written acknowledgment of receipt of a direct treatment provider’s Notice of Privacy Practices (NPP)
• Modifying the content requirements of the NPP to clarify for individuals their rights with respect to their PHI and how to exercise those rights
• Expressly permitting disclosures to Telecommunications Relay Services (TRS) communications assistants for people who are deaf, hard of hearing, or deaf-blind, or who have a speech disability, and modifying the definition of business associate to exclude TRS providers
• Expanding the Armed Forces permission to use or disclose PHI to all uniformed services, which then would include the U.S. Public Health Service (USPHS) Commissioned Corps and the National Oceanic and Atmospheric Administration (NOAA) Commissioned Corps

Public comments on the proposed rule will be due 60 days after publication in the Federal Register. Comments can be submitted at regulations.gov by searching for the Docket ID number HHS-OCR-0945-AA00.