According to HHS Deputy Secretary Eric Hargan, the proposed changes to the Privacy Rule will "reduce burden on providers and support new ways for them to innovate and coordinate care on behalf of patients, while ensuring that we uphold HIPAA's promise of privacy and security."
The proposed changes are designed to increase permissible disclosures of PHI, further redefine the Ciox decision, and promote interoperability, as a mechanism to further improve care coordination and case management. Major modifications proposed by HHS include:
- Strengthening individuals' rights to access their PHI, including by reducing identity verification requirements, shortening covered entities' required response time, clarifying the form and format required for responding to individuals' requests for PHI, creating pathways for the sharing of electronic health records between health care providers, specifying when electronic PHI must be provided to individuals at no charge, and requiring covered entities to post estimated fee schedules for access on their websites;
- Clarifying the scope of covered entities' ability to disclose PHI to other health-related services;
- Creating an exception to the "minimum necessary" standard, which requires covered entities to limit use and disclosure of PHI to the minimum necessary to accomplish the purpose of such use or disclosure;
- Replacing the "professional judgment" standard for deciding when to use and disclose PHI with a more permissive standard based on a "good faith belief" about the best interests of the individual;
- Expanding the standard for when covered entities may disclose PHI to avert a threat to health or safety; and
- Modifying providers' Notice of Privacy Practices requirements.
Public comments will be due 60 days from publication in the Federal Register and may be made by mail or electronically.