Highlights
-
The Office for Civil Rights has proposed numerous changes to the HIPAA Privacy Rule
-
Among proposed changes are expanding an individual’s access to protected health information, eliminating the Notice of Privacy Practices acknowledgment, and giving more flexibility for several types of disclosures
-
The public has 60 days to submit comments; once a final rule is issued, policies and procedures must be modified and training must be issued to remain in compliance
On Dec. 10, 2020, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) issued a notice proposing a number of significant changes to the HIPAA Privacy Rule.
Most of the proposed changes fall into three areas: 1) expanding an individual’s access to protected health information (PHI), 2) modifying Notice of Privacy Practices requirements, and 3) allowing more flexibility for disclosures about patients experiencing substance use and mental health disorders.
The public has 60 days to comment on these proposed changes. After considering all comments, the OCR will likely issue a final rule. Once a final rule is issued, covered entities and business associates must modify their policies and procedures to comply with the changes and train their workforce on the new policies.
Expanding Access to Protected Health Information
The OCR proposes shortening the deadline for covered entities to provide an individual with access to PHI. The current deadline is 30 days, with one 30-day extension allowed. The new deadline would be “as soon as practicable,” but no later than 15 calendar days after receipt of the request, with the possibility of one 15-day extension.
Covered entities would be required to have policies prioritizing urgent requests. In addition, the OCR proposes the following changes on access to PHI:
-
Individuals would have the right to personally inspect and take notes, videos, and photographs of their PHI using their own resources.
-
A covered entity must facilitate a patient’s request for PHI in certain cases. For example, a patient seeing Dr. B for the first time could require Dr. B to contact the patient’s current physician, Dr. A, and direct Dr. A to provide electronic copies of the patient’s PHI in an electronic health record back to Dr. B
-
Individuals would have the right to access electronic PHI through their personal health applications (apps)
-
Changes to the permissible fees that covered entities may charge individuals, depending on how access is requested
-
Clarification on the documentation and identity verification a covered entity may require from individuals seeking access
Changes to the Notice of Privacy Practices
The proposed rule would eliminate the mandate to obtain an individual’s written acknowledgment of receipt of the Notice of Privacy Practices. It would also change some content, including the required header.
Disclosures For Patients With Substance Use and Mental Health Disorders
The OCR does not propose new exceptions for disclosing PHI, but would modify the standard for existing exceptions. Currently, there are five exceptions allowing disclosure to a third party, such as friends or family, if the provider believes it is in the patient’s best interest as determined by the provider’s “professional judgment.” Instead, the OCR’s new rule proposes to replace “professional judgment” with a standard based on the good faith belief of the covered entity. The OCR states this is a lower standard, which would allow for more disclosures.