New changes to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule are in the works to empower patients, improve coordinated care, and reduce regulatory burdens on the healthcare industry.

On December 10, 2020, the Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS) announced proposed changes to the HIPAA Privacy Rule that strengthen individuals’ rights to access their own health information, including electronic information.

The proposed changes would improve information sharing for care coordination and case management and facilitate greater family and caregiver involvement in the care of individuals experiencing emergencies or health crises. The HHS has issued a Notice of Proposed Rulemaking (NPRM) to modify the Standards for the Privacy of Individually Identifiable Health Information (Privacy Rule) under HIPAA and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act).

The proposed changes include adding definitions for the terms electronic health record (EHR) and personal health application. This new NPRM is part of the HHS’s Regulatory Sprint to Coordinated Care, initiated under HHS Secretary Alex Azar’s value-based transformation agenda. The proposed changes call for enhancing flexibilities for disclosures in emergency or threatening circumstances, such as the opioid and COVID-19 public health emergencies. Other changes being proposed would reduce administrative burdens on health care providers and health plans that are covered by HIPAA.

To improve patients’ rights to access their protected health information (PHI), the proposal calls for shortening covered entities’ required response time to no later than 15 calendar days (from the current 30 days) with the opportunity for an extension of no more than 15 calendar days (from the current 30-day extension). Azar said in a press release that the “proposed changes to the HIPAA Privacy Rule will break down barriers that have stood in the way of commonsense care coordination and value-based arrangements for far too long.” A public comment period of 60 days will be held following publication of the NPRM in the Federal Register.

Roger Severino, OCR Director, said the current regulation requires covered health care providers to exercise “professional judgment” when making certain disclosures of PHI to an individual’s family members and other caregivers. He said this could be interpreted as limiting the permission to persons who are licensed or who rely on professional training to determine whether a use or disclosure of PHI is in an individual’s best interests. “This proposed modification would allow providers greater confidence to disclose PHI to family members, caregivers, and loved ones of individuals who are in an emergency or may be experiencing a health crisis without undue concerns about violating the HIPAA Rules,” Severino said.

For example, he said the proposed “good faith” belief standard would permit a health care professional to draw on experience to determine when it is in the best interests of a young adult patient who has overdosed on opioids to disclose PHI to a parent involved in the patient’s treatment. “Likewise, front-desk staff at a physician’s office who have regularly seen a family member or other caregiver accompany an adult patient to appointments could disclose relevant information to the family member or caregiver as a way of checking in on the welfare of the patient, when a patient misses an appointment,” Severino said.

In addition to the proposal to permit certain disclosures based on a good faith belief, the NPRM proposes a new standard to allow covered entities to disclose PHI to prevent harm that is serious and reasonably foreseeable. “OCR has heard many heart-wrenching stories of parents and loved ones of patients who are facing a health crisis, such as an opioid overdose, who are not informed of an emergency or life-threatening circumstance,” Severino said.

Recent HIPAA-compliant web solutions have allowed health care providers to take advantage of the benefits of new technology without jeopardizing the privacy and security of patient data. David Parks, MD, medical director and clinical manager for CentralWest Healthcare in St. Louis, Missouri, said that with the new EHR systems, patients have a portal where they can access most parts of their records and read medical notes. They also can review their own laboratory results. He said these HIPAA rule changes are needed. “I personally think this has started at an appropriate time and it is completely appropriate to do so,” Dr Parks said. “Providers are so rushed due to insurance requirements it is incredibly easy to make documentation mistakes, and this gives the patient a chance to do a double check against the provider and request any appropriate corrections,” Dr Parks said.

Lisa Ravindra, MD, assistant professor of medicine at Rush Medical College in Chicago, Illinois, an informatics specialist who uses information and communication systems to improve health care, said the proposed modifications raise some questions. “The HIPAA privacy rule mentions phrases such as removing barriers to coordinated care, reducing administrative burdens, and empowering patients, which to a physician like myself seems like great improvements. However, it’s not clear how much impact this will have on day-to-day practice,” Dr Ravindra said.

The proposed changes build upon earlier action through the 21st Century Cures Act, which serves to reduce barriers for patients to access their records and to improve communication between health care providers. At Rush University Medical Center, a form of “open notes” was adopted that allows sharing inpatient, outpatient, and emergency department notes directly with patients through the patient portal, Dr Ravindra said. “Admittedly, I was initially concerned about patients having instant access to the notes that I write, given that progress notes and history and physical notes are primarily for communication between physicians rather than patients and therefore could be misinterpreted by patients.”

However, she said it is clear from multiple studies that improved patient access to their health information actually increases patient engagement, improves medication adherence, and allows patients to more actively participate in their own care. “The proposed HIPAA changes further increase patient access to their records by reducing the amount of time that a covered entity has to provide access to personal health information from 30 days to no more than 15,” Dr Ravindra said. “Given that notes are shared automatically with patients now, this is unlikely to affect physicians at my institution.”

The proposed changes will make it easier for physicians to communicate with other physicians outside of their health care system. Dr Ravindra said the process and fees associated with patients requesting their records appear to be simplified as well. “Whether further modification is needed will depend on whether the proposed changes work as intended,” Dr Ravindra said.


US Department of Health and Human Services. HHS proposes modifications to the HIPAA Privacy Rule to empower patients, improve coordinated care, and reduce regulatory burdens. December 10, 2020. Press release.