HHS Proposes Significant Changes To HIPAA Privacy Rule

Earlier this month, the Department of Health and Human Services (“HHS”), through its Office for Civil Rights (“OCR”), issued a Notice of Proposed Rulemaking proposing changes to the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule that would affect individuals and Covered Entities alike. The changes aim to increase patients’ access to their own health data and medical records while promoting care coordination and treatment of individuals. This increased flexibility, however, is paired with some heightened, more restrictive requirements than those that currently apply to Covered Entities. Covered Entities under the HIPAA Privacy Rule are generally health care providers, health plans, and health care clearinghouses. If your organization is a Covered Entity or a Business Associate (vendor) to a Covered Entity, the proposed changes may affect your HIPAA policies and procedures, business associate agreements, internal and consumer-facing materials, data disclosure practices, and more. This alert briefly summarizes the proposed changes.

Care Coordination and Case Management Made Easier

One of the proposed changes would expand the flexibility of Covered Entities to share Protected Health Information (“PHI”) with each other in order to integrate care and treatment for individuals. Care coordination and case management are often crucial components of an individual’s treatment. Currently, Covered Entities may share an individual’s PHI for treatment and health care operations purposes without the individual’s authorization, but the definitions of “treatment” and “health care operations” only include certain case management and care coordination activities. Under the proposed changes, care coordination and case management would no longer be limited by these definitions and, as a result, Covered Entities would generally be able to share PHI for individual-level care coordination and case management without individual authorization. Additionally, the proposed rule creates an exception to the “minimum necessary” standard that would relieve Covered Entities of that requirement when sharing PHI for care coordination and case management activities.

HHS also included in the proposed rule a provision allowing Covered Entities to share PHI with community-based organizations, home and community-based service providers, social services agencies, and similar third parties providing health-related services without obtaining an authorization, provided the information is being shared for individual-level care coordination and case management. These organizations need not be health care providers (or otherwise Covered Entities) to receive the information without an authorization under this provision.

Expansion of Individuals’ Rights

HHS has also sought to expand the individual right of access and the right to direct PHI to third parties under HIPAA. Under HIPAA, individuals have the right to access, inspect, and obtain a copy of PHI maintained in a designated record set by a Covered Entity or its Business Associate. HHS now proposes that this right be expanded in the following ways:

  • If electronic PHI is readily available through a standards-based API, Covered Entities must provide API access to individuals who request it;
  • Individuals may request electronic copies and have such requests fulfilled by having the copies transmitted to an individual’s personal health app;
  • Individuals must be allowed access to inspect or obtain copies of their own PHI free of charge when inspecting in person or accessing PHI on the Internet;
  • Covered Entities must provide advance notice of estimated fee schedules on their websites for common types of requests for copies of PHI, and Covered Entities must also provide individualized estimates of fees and itemized costs when they receive an individual request for such information; and
  • Covered Entities must respond to a request for access to PHI within fifteen (15) calendar days, instead of the thirty (30) calendar days currently permitted.

HHS also proposes to expand individuals’ rights to direct copies of their PHI to third parties. Under the proposed changes, Covered Entities must comply with an individual’s request to transmit electronic PHI maintained in an electronic health record (“EHR”) to another Covered Entity. Individuals may make such a request either orally or in writing, as long as the direction is “clear, conspicuous, and specific.”

Finally, with respect to verifying the identity of an individual making an access request, the proposed rule would prohibit a Covered Entity from imposing unreasonable verification measures (such as requiring notarization, requiring in-person proof of identity, or requiring completion of a HIPAA-compliant authorization form). Instead, the identity verification measures a Covered Entity applies must be reasonable for the purpose of responding to an individual’s access request.

Disclosures During Emergencies

HIPAA currently allows the disclosure of PHI without individual authorization to avert a “serious and imminent” threat to health or safety. To make it easier to disclose PHI in emergency situations and health crises, including serious mental illness and substance use disorder crises, HHS proposes that PHI could be disclosed without authorization to avert a threat to health or safety that is “serious and reasonably foreseeable,” even if not imminent. Furthermore, under the proposed rule Covered Entities would be permitted to disclose PHI when, based on the Covered Entity’s “good faith belief,” the disclosure is in the best interest of the individual (replacing the current “professional judgment” standard).

Modifications to Notice of Privacy Practices and Acknowledgment of Receipt

Although Covered Entities are currently required to obtain written acknowledgment of receipt of the Notice of Privacy Practices, HHS now proposes to eliminate this requirement in order to reduce the administrative burden and patient confusion associated with the Notice of Privacy Practices. The Notice of Privacy Practices would still have to be provided, but written acknowledgment of its receipt would no longer be required. In addition to eliminating this requirement, the proposed rule would modify the content requirements of the Notice of Privacy Practices to clarify individual rights and how to exercise them. The proposed content changes include additional descriptions of and instructions on access rights, new headers about individual rights, and information on how to reach a designated contact person at the Covered Entity.

If you have any questions about how these proposed changes may affect your organization and its agreements, policies, and other processes, please contact a McGrath North Privacy & Cybersecurity attorney.