
March 23, 2021

By: Robert A. Anderson, Stacy Walton Long, Stephanie T. Eckerle, Shelley M. Jackson, and Virginia A. Talley

On December 11, 2020, we published Speak Now or Forever Hold Your Peace: HHS Proposes Modifications to the HIPAA Privacy Rule. In it, we shared that the U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”) has proposed certain modifications to the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule (45 CFR Parts 160 and 164). On January 21, 2021, HHS published its Notice of Proposed Rulemaking (“Notice”) in the Federal Register, triggering the start of the official public comment period, which ends on May 6, 2021 (earlier this month, HHS announced a 45-day extension of the public comment period, which originally ended March 22, 2021). These proposed modifications, if implemented, will be the first major changes to the Privacy Rule since the HIPAA Omnibus Final Rule became effective in 2013.

What’s in the Proposed Rule?
The proposed modifications aim to strengthen individuals’ rights to access their health information, promote coordinated care amongst providers, and allow increased flexibility for health information disclosures in emergency and life-threatening situations. The modifications also aim to amend parts of the Privacy Rule that may pose unnecessary barriers to effective, coordinated health care, and would alleviate some of the administrative burdens faced by those required to comply with the Privacy Rule.

The Notice contains modifications that would affect both individuals’ and covered entities’ roles when it comes to health care services and handling protected health information (“PHI”). Potential updates to the Privacy Rule include, among others:

  • Strengthening individuals’ rights to inspect their PHI, including taking notes or using personal resources to access and capture their PHI (p. 6457);
  • Shortening the required response times of covered entities to individuals’ requests for PHI to 15 calendar days, with an option to extend for 15 additional calendar days (as opposed to the 30-day response period and option for a 30-day extension currently in place) (p. 6458);
  • Requiring covered health care providers and health plans to respond to requests for certain records from other covered entities at the direction of the individual (p. 6462);
  • Reducing the identity verification burdens individuals face when exercising their rights to access PHI (which is especially important with the recent increase in telemedicine and remote care options) (p. 6470);
  • Expanding the circumstances under which covered entities can disclose PHI to avert a “serious and reasonably foreseeable” threat to the health and safety of an individual (p. 6473);
  • Requiring covered entities to make estimated fee schedules available through their websites for right of access requests (p. 6464);
  • Requiring covered entities to provide individualized fee estimates for a request for copies of PHI, as well as providing itemized bills for completed PHI requests (p. 6467);
  • Clarifying the scope of permitted PHI disclosures and requests for individual-level care coordination by creating an exception to the “minimum necessary” standard currently in place for the exchange of PHI between covered entities or business associates (p. 6475); and
  • Adding and clarifying definitions for terms, including “electronic health record,” “personal health application,” “health care operations” and “business associate” (p. 6455).

The list above highlights some modifications that have the potential to reduce the burdens health care providers and health plans face when ensuring compliance with the Privacy Rule. For example, the proposed modifications would support new methods through which covered entities could share PHI and coordinate individual care with other covered entities. Further, the new rule would expand the circumstances under which a covered entity could disclose PHI based on the covered entity’s “professional judgment” or during an emergency situation, allowing the providers to give appropriate care in the best interests of the individual and in life-threatening situations.

These proposed modifications may pose implementation challenges, as well. For example, the new rule will shorten the time for covered entities to respond to individuals’ requests for PHI, and covered entities will need to have procedures in place to comply with this shortened response time. Additionally, the proposed modifications would require covered entities to provide additional disclosures to individuals regarding their PHI rights, publish general fee structures, and provide individualized fee estimates for fulfilling requests for PHI.

When does the public comment period end?
The public comment portal will remain open until May 6, 2021. Comments can be submitted via the Federal eRulemaking Portal or via regular, express, or overnight mail to HHS (note: given recent mail delays and the short comment time remaining, we recommend choosing an expedited mail service). Once the public comment period ends, HHS will review all public comments and publish a final version of the new rule in the Federal Register, along with an effective date. HHS also has the option to extend or reopen the public comment period if it does not receive enough high-quality comments, or if it identifies another reason to provide more time for public comment.

What next steps should an affected organization take?
It is virtually certain that modifications to the Privacy Rule will be adopted in some fashion, and likely in a form which is substantially similar to the new rule as currently proposed. Covered entities (such as health care providers and health plans) and business associates subject to the HIPAA Privacy Rule should consider the following:

  • Determine whether, and to what extent, the proposed modifications to the Privacy Rule will impact your organization’s health care operations.
  • If there is a particular issue of concern, consider submitting a comment within the public comment period.
  • Keep an eye on updates regarding the proposed modifications, especially after the public comment period closes and a new final rule (including effective date) is announced.
  • Develop a plan to identify compliance gaps and revise HIPAA policies and procedures as necessary and in a timely manner once the new rule is finalized.

Krieg DeVault LLP’s Data Privacy and Cybersecurity attorneys are ready to help covered entities and business associates determine the best next steps for navigating these potential modifications to the HIPAA Privacy Rule. If you have any questions regarding the proposed modifications to the HIPAA Privacy Rule or about other Data Privacy and Cybersecurity matters, please contact Robert A. Anderson, Stacy Walton Long, Stephanie T. Eckerle, Shelley M. Jackson, or Virginia A. Talley.

This article should not be construed as legal advice or legal opinion. The content is intended for general informational purposes only.