On December 10, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (NPRM) announcing its plan to modify the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. While only a proposed rule, this is significant news considering the current confusion regarding patient access to information and the substantial "lift" for health care organizations in interpreting and adopting the interoperability and information blocking regulations.
According to HHS Deputy Secretary Eric Hargan, the proposed changes to the Privacy Rule will "reduce burden on providers and support new ways for them to innovate and coordinate care on behalf of patients, while ensuring that we uphold HIPAA's promise of privacy and security."
The proposed changes are designed to increase permissible disclosures of PHI, further redefine the Ciox decision, and promote interoperability, as a mechanism to further improve care coordination and case management. Major modifications proposed by HHS include:
- Strengthening individuals' rights to access their PHI, including by reducing identity verification requirements, shortening covered entities' required response time, clarifying form and format required for responding to individuals' requests for PHI, creating pathways for the sharing of electronic health records between health care providers, specifying when electronic PHI must be provided to individuals at no charge, and requiring covered entities to post estimated fee schedules for access on their websites;
- Clarifying the scope of covered entities' ability to disclose PHI to other health-related services;
- Creating an exception to the "minimum necessary" standard which requires covered entities to limit use and disclosure of PHI to the minimum necessary to accomplish the purpose of such use or disclosure;
- Replacing the "professional judgment" standard of deciding when to use and disclose PHI with a more permissive "good faith belief" of best interests of individual standard;
- Expanding the standard for when covered entities may disclose PHI to avert a threat to health or safety; and
- Modifying providers' Notice of Privacy Practices requirements.
We anticipate assisting clients in crafting comments on the NPRM, which are necessary to ensure OCR understands many of the challenges the NPRM creates for health care organizations. Public comments will be due 60 days from publication in the Federal Register and may be made by mail or electronically here. For more information please contact Alisa Chestler or any member of Baker Donelson's HIPAA team.