First Proposed HIPAA Privacy Rules Changes in 8 Years

Author: Todd McDonagh, Principal & CEO

Feb 24, 2021 | Audit, Compliance, HIPAA

In response to the healthcare community’s desire to lessen the administrative burden on HIPAA covered entities, the Office of Civil Rights (OCR) issued a request for information (RFI) in December of 2018. Two years later, after this RFI comment period closed, the OCR is closing in on the end of the public comment period of the Notice of Proposed Rulemaking (NPRM), which was issued on December 10, 2020. Once public comments are reviewed, a final rule will be issued.

Proposed Changes to HIPAA Privacy Rule Currently in Public Comment Period

  1. Individual Right of Access:
    • adding definitions for Electronic Health Record (EHR) and Personal Health Application,
    • strengthening the access right to inspect and obtain copies of PHI,
    • modifying the implementation requirements for requests for access and timely action in response to requests for access,
    • addressing the individual access right to direct copies of PHI to third parties,
    • making a technical change to general rules for required business associate disclosures of PHI, and
    • reducing identity verification burden for individuals exercising the right of access.
  2. Amending the definition of health care operations to clarify the scope of care coordination and case management.
  3. Creating an exception to the minimum necessary standard for disclosures for individual-level care coordination and case management.
  4. Clarifying the scope of covered entities’ abilities to disclose PHI to certain third parties for individual-level care coordination and case management that constitutes treatment or health care operations.
  5. Encouraging disclosures of PHI when needed to help individuals experiencing substance use disorder (including opioid use disorder), serious mental illness, and in emergency circumstances.
  6. Eliminating Notice of Privacy Practices requirements related to obtaining written acknowledgment of receipt, establishing an individual’s right to discuss the NPP with a designated person, modifying the NPP content requirements, and adding an optional element.
  7. Permitting disclosures for telecommunications relay services for people who are deaf, hard of hearing, deaf-blind, or who have a speech disability.
  8. Expanding the permission to use and disclose the PHI of armed forces personnel to cover all uniformed services personnel.

As the dust settles and a final rule emerges, HCN will keep you aware of effective dates and compliance dates. The effective date of a final rule will be 60 days after publication and the compliance date will be 180 days after the effective date. This will require changes in your HIPAA manuals. We will also initiate changes in the online HIPAA training to educate your employees on these changes. Stay tuned for the first significant HIPAA privacy changes in 8 years.