
December 11, 2020

By: Robert A. Anderson, Stacy Walton Long, Stephanie T. Eckerle, Shelley M. Jackson, and Virginia A. Talley

On December 10, 2020, the U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”) announced proposed modifications to the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule (45 CFR Parts 160 and 164). The proposed modifications are detailed in HHS’s 357-page Notice of Proposed Rulemaking (“Notice”).

According to HHS, the proposed modifications to the Privacy Rule are intended to “support individuals’ engagement in their care, remove barriers to coordinated care, and reduce regulatory burdens on the health care industry.” Among other things, the Notice proposes to “strengthen[] individuals’ rights to access their own health information, including electronic information; improv[e] information sharing for care coordination and case management for individuals; facilitat[e] greater family and caregiver involvement in the care of individuals experiencing emergencies or health crises; enhanc[e] flexibilities for disclosures in emergency or life threatening circumstances, such as the Opioid and COVID-19 public health emergencies; and reduc[e] administrative burdens on HIPAA covered health care providers and health plans, while continuing to protect individuals’ health information privacy interests.”

Upon publication of the Notice in the Federal Register, which has not yet occurred, the public will have 60 days to submit comments via the Federal eRulemaking Portal or via regular, express, or overnight mail to HHS as described in the Notice.

Krieg DeVault LLP’s Data Privacy and Cybersecurity attorneys are ready to advise covered entities and business associates as they navigate these potentially significant changes to the Privacy Rule, including in determining whether to submit comments during the 60-day public comment period. We are currently reviewing and analyzing the Notice and will provide an update on details of the proposed modifications, as well as potential implications for covered entities and business associates.

Please contact Robert A. Anderson, Stacy Walton Long, Stephanie T. Eckerle, Shelley M. Jackson, or Virginia A. Talley if you have questions regarding the Notice or about Data Privacy and Cybersecurity matters.

This article should not be construed as legal advice or legal opinion. The content is intended for general informational purposes only.