On December 10, OCR issued a Notice of Proposed Rulemaking (NPRM) outlining its plan for major changes to the HIPAA Privacy Rule, which governs the way that most individual protected health information (PHI) can be used in the United States. The proposed changes are part of a number of recent changes, including changes to telehealth reimbursement, fraud and abuse laws and regulations and other Medicare reimbursement systems which have the purpose of allowing providers to participate more effectively in care coordination and increasing patient and provider opportunities to be more responsive and proactive in managing patient care.
The NPRM has several highlights:
- Simplifying patients’ access to their own PHI, including shortening response times for requests to access;
- Facilitating patient requests to share electronic health records (EHRs) between providers;
- Amending fee schedules for patient requests for copies of PHI;
- Eliminating the requirement for written acknowledgement of receipt of a Notice of Privacy Practices;
- Allowing a wider scope of permitted uses and disclosures for care coordination and care management; and
- Lowering the standard for disclosures of PHI to avert a threat to health and safety to “serious and reasonably foreseeable” (the current standard is "serious and imminent").
The NPRM is open for public comment for 60 days from the date on which it was first published in the Federal Register. The NPRM was made available via the OCR website starting on December 10, but has not yet appeared in the Federal Register. Since the deadline for the comment period and any final rulemaking would be beyond the inauguration date for the Biden Administration, it is unknown whether the Biden Administration will continue this push towards loosening rules or reflect the priorities found in the NPRM.