OCR Issues Notice of Proposed Rulemaking Proposing Changes to HIPAA Privacy Rule

Baker Ober Health Law

Baker Ober Health Law

On December 10, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (NPRM) announcing its plan to modify the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. While only a proposed rule, this is significant news considering the current confusion regarding patient access to information and the substantial "lift" for health care organizations in interpreting and adopting the interoperability and information blocking regulations.

According to HHS Deputy Secretary Eric Hargan, the proposed changes to the Privacy Rule will "reduce burden on providers and support new ways for them to innovate and coordinate care on behalf of patients, while ensuring that we uphold HIPAA's promise of privacy and security."

The proposed changes are designed to increase permissible disclosures of PHI, further redefine the Ciox decision, and promote interoperability, as a mechanism to further improve care coordination and case management. Major modifications proposed by HHS include:

  • Strengthening individuals' rights to access their PHI, including by reducing identity verification requirements, shortening covered entities' required response time, clarifying form and format required for responding to individuals' requests for PHI, creating pathways for the sharing of electronic health records between health care providers, specifying when electronic PHI must be provided to individuals at no charge, and requiring covered entities to post estimated fee schedules for access on their websites;
  • Clarifying the scope of covered entities' ability to disclose PHI to other health-related services;
  • Creating an exception to the "minimum necessary" standard which requires covered entities to limit use and disclosure of PHI to the minimum necessary to accomplish the purpose of such use or disclosure;
  • Replacing the "professional judgment" standard of deciding when to use and disclose PHI with a more permissive "good faith belief" of best interests of individual standard;
  • Expanding the standard for when covered entities may disclose PHI to avert a threat to health or safety; and
  • Modifying providers' Notice of Privacy Practices requirements.

Public comments will be due 60 days from publication in the Federal Register and may be made by mail or electronically here

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Baker Ober Health Law | Attorney Advertising

Written by:

Baker Ober Health Law

Baker Ober Health Law on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.