New HIPAA Privacy Rule Revisions – What You Need to Know

By Emily B. Pence and Sarah Charles Wright

On January 21, 2021, the U.S. Department of Health and Human Services (HHS) published proposed modifications to the HIPAA Privacy Rule.(1) The stated goal of the proposed revisions to the current version of the Privacy Rule is to remove certain barriers to the expansion of value-based reimbursement and care coordination between providers, and to patients’ ability to access their own protected health information. Public comments on the proposed rule were due on or before March 22, 2021. The proposed changes are directed at:

  • Facilitating information sharing among providers for patient care coordination and case management and greater family and caregiver involvement in the care of individuals experiencing emergencies or health crises;

  • Enhancing flexibilities for disclosures in emergencies or threatening circumstances, including those related to the opioid crisis and COVID-19; and

  • Reducing some of the current administrative burdens HIPAA imposes on providers and health plans while continuing to protect the privacy of individuals’ health information.

Bottom Line:

“On January 21, 2021, the U.S. Department of Health and Human Services (HHS) published proposed modifications to the HIPAA Privacy Rule. The proposed rule modifications seek to increase a patient’s ability to access their Protected Health Information (PHI). Key proposals include requiring covered entities to permit patients to take notes, videos, and photographs during an appointment and decreasing the timeframe allowed for covered entities to respond to patient requests to access their PHI.”

Strengthening Patients’ Access to PHI

The proposed rule modifications seek to increase a patient’s ability to access their Protected Health Information (PHI). Key proposals include requiring covered entities to permit patients to take notes, videos, and photographs during an appointment at no cost to the patient and decreasing the timeframe allowed for covered entities to respond to patient requests to access their PHI. Covered entities must currently provide access not more than 30 days from receipt of an individual’s request with an optional 30-day extension if certain criteria are met. The proposed rule requires covered entities to provide access “as soon as practicable,” but no later than 15 days after receiving a patient request, with the possibility of one-day extension.

When a patient requests a copy of their health information and a covered entity instead offers a summary of that information, the proposed rule requires the covered entity to inform the patient that they still have the right to obtain a full copy of their record or have it sent to an identified third party. The proposed rule also requires providers and health plans to respond to certain records requests received from other providers and plans when directed by the patient.

Electronic Health Records

To clarify the scope of an individual’s right to have their PHI in an electronic health record directly transmitted to a third party, the proposed rule redefines the term “electronic health record” (EHR) as:

An electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff. Such clinicians shall include, but are not limited to, health care providers that have a direct treatment relationship with individuals… such as physicians, nurses, pharmacists, and other allied health professionals.

HHS noted that “health-related information” as used in the new definition would be construed broadly to include billing records. However, the rule also limits a patient’s right to have their PHI transferred to a third party to only PHI that is already maintained in an EHR.

Use of “Personal Health Applications”

In response to the growing number of patients using internet applications on their personal computers to access their health records, the proposed rule clarifies that a patient’s request for their PHI can be fulfilled by transmitting an electronic copy of it to the patient’s “personal health application.” A “personal health application” is defined as “an electronic application used by an individual to access health information about that individual in electronic form,…from multiple sources,” provided the information is primarily managed, shared, and controlled by or for the individual, and not by a covered entity or other third party. According to HHS, these applications and their developers are not HIPAA business associates subject to the Privacy Rule because they do not create, maintain, receive, or transmit PHI on behalf of a covered entity.

Relaxing Requirements for Disclosing Substance Use/Abuse Information

The proposed rule relaxes the standards under which providers acting in good faith based on their “professional judgment” can share patient PHI related to opioid use. Related to this, the rule expands the power of covered entities to disclose PHI to prevent a threat to health or safety by allowing disclosure of PHI containing substance use information when harm is “serious and reasonably foreseeable” instead of requiring there to be a “serious and imminent” threat to health or safety. Provider compliance with the new standard would be presumed. HHS explains in the preamble to the proposed rule that while support from family members, friends, and caregivers is crucial to helping people with a substance use disorder or serious mental illness, those individuals cannot help if they are not informed. Additional amendments to the Privacy Rule consistent with these changes are also proposed.

Permitting Disclosures to Social Service Organizations

This proposed revision modifies 45 CFR 164.506(c) to add a new subsection (6), expressly permitting covered entities to disclose PHI to social services agencies, home- and community-based service providers, community-based organizations, and other third parties that “provide health-related services to specific individuals for individual-level care coordination and case management, either as a treatment activity of a covered healthcare provider or as a healthcare operations activity of a covered healthcare provider or health plan.”

Other Changes

Additional amendments to the Privacy Rule of note include: amending the definition of “health care operations;” allowing individuals to obtain free copies of their PHI when they inspect their records in person or request electronic copies through the internet; requiring covered entities to post a schedule of estimated fees for obtaining copies of health records on their websites and to provide patients with a fee estimate when they ask for copies of their records; eliminating the requirement for treating providers to obtain a patient’s written acknowledgement of receipt of a HIPAA Notice of Privacy Practices; and expanding the Armed Forces permission to use or disclose PHI to all uniformed services.

(1) Federal Register / Vol. 86, No. 12 / Thursday, January 21, 2021.

This article is intended as a summary of state and/or federal law and does not constitute legal advice.

This article was originally published in M.D. Update.