Important Proposed Changes to HIPAA and HITECH Act: Comment Now!

March 1, 2021

The federal government is proposing significant changes to the regulations governing health care records that could affect you as a consumer, health care professional, or other professional that assists or represents health care providers or entities.  The proposed changes fall into two main categories: (1) changes to increase patients’ access to records and information, which modify and add requirements for providers; (2) amendments to facilitate the sharing of information and records among multiple providers for the same individual to improve care and reduce providers’ risk and liability for doing so.  You have until May 6, 2021 to submit comments on the proposed changes. 

On January 21, 2021, the United States Department of Health and Human Services (“HHS”) issued a Notice of Proposed Rulemaking to modify the Privacy Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act).  The Notice of Proposed Rulemaking outlines several potential and important changes for covered entities that will have practical implications in their day-to-day operations.  The idea behind the changes is to address what HHS calls “unnecessary burdens” that may impede care coordination and case management communications among individuals and covered entities (including hospitals, physicians, and other health care providers, payors, and insurers), while still protecting the privacy and security of a patient’s protected health information (“PHI”). [1]

Importantly, any member of the public has the opportunity to comment on the proposed changes before they are adopted as final rules.  In fact, HHS has requested feedback on the feasibility of these changes as well as insight on any unintended consequences. As noted above, the deadline to comment on the changes is May 6, 2021.  You can view the complete Notice of Proposed Rulemaking and submit your comments to HHS on the proposed changes here.

Some of the key changes related to health records and access to PHI include:

  • Adding definitions for the terms “electronic health record” (EHR) and “personal health application.”
    • HHS recognizes that “more and more, individuals use personal health applications (‘apps’) to access and manage their personal health information.”  Given this evolution, HHS proposes to clarify that “one of the mechanisms by which a request for access can be fulfilled is by transmitting an electronic copy of an individual’s PHI to a personal health [app] used by the individual.” Importantly, HHS is of the position that “a personal health [app] is not acting on behalf of, or at the direction of a covered entity, and therefore would not be subject to the privacy and security obligations of the HIPAA Rules.”
  • Changing rules on the individuals’ right of access to PHI by:
    • Enhancing the patients’ rights to inspect their PHI in person, which includes allowing individuals to take notes or use other personal resources to view and capture images of their PHI at the time of the patient visit, without delay.
    • Shortening covered entities’ required response time to no later than 15 calendar days (from the current 30 days) with the opportunity for an extension of no more than 15 calendar days (from the current 30-day extension).  Where state law provides a shorter timeline for response, state law will control.
    • Reducing the burden on individuals to provide identity verification when exercising their access rights.  HHS takes the position that requiring notarization or requiring proof of identity in person is overly burdensome when a more convenient method for remote verification is practicable for the covered entity.
    • Enhancing the individuals’ ability to direct the sharing of PHI in an EHR among covered health care providers and health plans.  This will enable covered health care providers and health plans to submit an individual’s access request to another health care provider and to receive back the requested electronic copies of the individual’s PHI in an EHR. Importantly, the individual’s request for transfer of this PHI can be done orally, as long as it is “clear, conspicuous, and specific.” The proposed requirement would replace the current requirement that the request be in writing, signed by the individual, and “clearly identifying the designated person and where to send the copy of the PHI.” 
      • In conjunction with the preceding change, the entity that receives an individual’s request for transfer of records from a third covered entity (or “disclosing entity”) would be required to submit an individual’s clear, conspicuous, and specific request to the disclosing entity within 15 calendar days of receipt of the request from the individual.  In turn, the disclosing entity would then be required to respond by providing the electronic copy to the requesting entity as soon as practicable, but not later than 15 calendar days after receiving the request.
      • HHS also proposes to limit the individual right to direct the transmission of PHI to a third party to electronic copies of PHI in an EHR.
    • Establishing that electronic PHI (ePHI) must be provided to the individual at no charge (unless the request requires the provider to incur actual costs like supplies, postage, or labor for copying).
    • Amending the fees for responding to requests to direct records to a third party.  The revised fee structure is fully outlined in the Notice of Proposed Rulemaking.
    • Requiring covered entities to post on their websites the estimated fee schedules for access and disclosures (and providing a copy at the point of service upon request).  The specific requirements for the fee schedules are also outlined in the Notice of Proposed Rulemaking. 
    • Requiring covered entities to provide individualized estimates of fees for an individual’s request for copies of PHI and itemized bills for completed requests.
  • No longer requiring an individual’s written acknowledgment of receipt of a covered entity’s Notice of Privacy Practices (“NPP”) (a copy of the NPP must still be provided to the patient).  Individuals would instead have a right to discuss the NPP with a person designated by the covered entity.  The proposal would also relieve providers from the burden of retaining copies of such documentation for six years.
  • Modifying the content requirements of the NPP provided to the individual.
    • The required header of the NPP would need to specify that the notice contains information about (1) how to access health information; (2) how to file a HIPAA complaint; and (3) the individuals’ right to receive a copy of the notice and to discuss its contents with a designated person (and set forth such person’s contact information, including phone and email and whether this person is on site). The NPP would need to specify how an individual can obtain a copy of their records at limited cost or free of charge, and describe the right to direct a covered health care provider to transmit an electronic copy of PHI in an EHR to a third party. The NPP may also include information about how to direct disclosure of PHI to a third party, when their PHI is not in an EHR.

The foregoing proposed changes reflect the reality that most health information is or will eventually be stored and exchanged electronically, with the idea that patients will prefer to access their information on a digital platform such as a personal health app.  These rules are certainly aimed at reducing the burden on the individual to access his or her health information but may also reduce the paperwork burden on providers. If, however, providers can identify any unintended or uncontemplated consequences of the foregoing proposals, now is the time to provide such feedback to HHS, before the changes become final.

Another set of changes is aimed at facilitating better case management and care coordination by facilitating disclosure of PHI.  These changes include:

  • Amending the definition of “health care operations” in 45 CFR 164.501 to encompass all care coordination and case management by health plans, whether individual-level or population-based, facilitating necessary disclosures.
  • Creating an exception to the “minimum necessary” standard for individual-level care coordination and case management uses and disclosures. The minimum necessary standard currently requires covered entities to limit uses and disclosures of PHI to the minimum necessary needed to accomplish the purpose of each use or disclosure. This proposal would relieve covered entities of this limiting requirement with respect to individual care coordination and case management, regardless of whether such activities constitute treatment or health care operations. 
  • Enabling covered entities to disclose PHI—without prior authorization—to social services agencies, community-based organizations, and home and community-based service providers that provide supportive services addressing health risks (e.g., hunger, homelessness).
  • Encouraging disclosures of PHI to help individuals with substance abuse disorders, serious mental illness, and in “emergency circumstances.” HHS is proposing to relax the privacy standard that permits covered entities to make disclosures of PHI based on their “professional judgment.” Instead, a covered entity could make such disclosures based on its “good faith belief” that the use or disclosure is in the best interests of the individual.  The covered entity would enjoy a presumption that it acted in good faith when making the disclosure; however, this presumption could be overcome with evidence of bad faith.
  • Enabling covered entities to disclose PHI to avert a threat to health or safety when a harm is “serious and reasonably foreseeable,” instead of the current, stricter standard which requires a “serious and imminent” threat to health or safety. The proposed modification would allow covered entities to use/disclose PHI without having to first determine whether the threatened harm is actually imminent. Instead, the covered entity can disclose when it determines that the threatened harm is “reasonably foreseeable.”
  • Permitting disclosures of PHI to Telecommunications Relay Services (TRS) (assistants for persons who are deaf, hard of hearing, or deaf-blind, or who have a speech disability). 

These proposed changes are designed to enhance the care provided to the patient by enabling providers to make appropriate disclosures in the best interest of the patient.  It appears that the idea behind these changes is to encourage more comprehensive “wrap-around” care with the goal of saving the lives of those struggling with addiction or mental illness through early intervention. HHS has encouraged the public to comment on these proposed changes as well.


[1] Citations have been omitted from this post, but all quotations and information were obtained from HHS’ January 21, 2021 Notice of Proposed Rulemaking.
