16 Dec HHS proposes major changes to HIPAA’s Privacy Rule
The U.S. Department of Health and Human Services (HHS) recently published proposed modifications to the HIPAA privacy rule, which, if finalized, would significantly impact Covered Entities’ responses to records requests. These proposed changes include:
- Strengthening an individual’s right to inspect their Protected Health Information (PHI) in person, including allowing the individual to take notes or use other personal resources to view and capture images;
- Shortening Covered Entities’ required response time to 15 days (from the current 30 days), with the opportunity for one additional 15-day extension;
- Clarifying the meaning of “form and format” required for responding to an individual’s requests for PHI;
- Reducing the identity-verification burden on individuals requesting their PHI;
- Creating a means for individuals to direct the sharing of PHI in an Electronic Health Record (EHR) among covered health care providers and health plans;
- Limiting the individual right to direct the transmission of PHI to third parties to electronic copies of PHI in an EHR, including when electronic PHI must be provided to the individual at no charge; and
- Revising the permissible fee structure for responding to requests to direct records to a third party and requiring Covered Entities to post estimated fee schedules on their websites for access and for disclosures with an individual’s valid authorization, and upon request, to provided individualized estimates of fees for an individual’s request for copies of PHI and itemized bills for completed requests.
The revised regulations would also create an exception to the “minimum necessary” standard in order to facilitate care coordination and case management. The comment period is set to end on or around February 8, 2021. HHS will then evaluate the comments and issue a final rule. Once finalized, Covered Entities will have 180 days after the effective date to be in compliance.