On December 10, 2020, the HHS Office of Civil Rights (OCR) announced proposed modifications to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. Among other changes, the proposed rule would shorten the required response time to 15 days for a covered entity to provide PHI to a patient. In a press release, HHS stated that the changes would “support individuals’ engagement in their care, remove barriers to coordinated care, and reduce regulatory burdens on the health care industry.”
Notably, the proposed rule would shorten the required response time for covered entities to provide PHI requested by a patient to no later than 15 calendar days (from the current 30 days) with the opportunity to extend for no more than 15 additional calendar days (from the current 30-day extension). The proposed rule also includes the following proposed changes aimed at making PHI more easily accessible to patients:
- Allowing individuals to take notes or use other personal resources to view and capture images of their PHI;
- Reducing the identity-verification burden on individuals exercising their access rights;
- Requiring covered healthcare providers and health plans to respond to certain records requests received from other covered healthcare providers and health plans when directed by individuals pursuant to the right of access; and
- Clarifying the scope of permitted uses and disclosures for individual-level care coordination and case management.
The proposal would amend the HIPAA Privacy Rule to increase permissible disclosures of protected health information and improve care coordination. According to HHS, the proposed modifications include “strengthening individuals’ rights to access their own health information, including electronic information; improving information sharing for care coordination and case management for individuals; facilitating greater family and caregiver involvement in the care of individuals experiencing emergencies or health crises; enhancing flexibilities for disclosures in emergency or threatening circumstances, such as the Opioid and COVID-19 public health emergencies; and reducing administrative burdens on HIPAA covered health care providers and health plans, while continuing to protect individuals’ health information privacy interests.”
OCR encourages comments from “all stakeholders” including HIPAA covered entities, consumer advocates, health information technology vendors, health care professional associations, government entities, and patients and their families.
Public comments are due 60 days after publication of the proposed rule in the Federal Register. The proposed rule is available here. The press release from HHS is available here.