PROPOSED HIPAA MODIFICATIONS

On December 10, 2020, the U.S. Department of Health and Human Services (HHS) announced proposed modifications to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. HIPAA is the set of laws that govern the use and disclosure of individual health information. Part of the HIPAA modification process is the solicitation of public comments on the proposed changes, which is done through a Notice of Proposed Rulemaking (NPRM).

The proposed changes to HIPAA generally include “strengthening individuals’ rights to access their own health information, including electronic information; improving information sharing for care coordination and case management for individuals; facilitating greater family and caregiver involvement in the care of individuals experiencing emergencies or health crises; enhancing flexibilities for disclosures in emergency or threatening circumstances, such as the Opioid and COVID-19 public health emergencies; and reducing administrative burdens on HIPAA covered health care providers and health plans, while continuing to protect individuals’ health information privacy interests.” HHS has announced that the purpose of the proposed HIPAA changes is to reduce burdens on providers, empower patients to secure better health, and promote coordinated, value-based healthcare.

More specifically, some of the proposed HIPAA changes include:

  • Disclosure of protected health information (PHI) in the best interests of individuals experiencing emergencies or health crises, including serious mental illness and substance use disorder crises. This proposed change would modify the standard for disclosures from a covered entity’s “professional judgment” to its “good faith” belief that the disclosure is in the patient’s best interest.
  • Disclosures to prevent harm or lessen a threat of harm. This proposed change would modify the standard for when a covered entity can disclose PHI. The current standard allows disclosure of PHI if there is a “serious and imminent” threat to health or safety. The proposed standard would allow disclosure of PHI to avert a threat to health or safety when harm is “serious and reasonably foreseeable.”
  • Care coordination and exception to the minimum necessary standards. The proposed changes would modify the definition of “health care operations” to clarify that it includes care coordination and case management for individuals. The proposed changes would also add an express exception to the minimum necessary standards for disclosures to, or requests by, a health plan or covered health care provider for care coordination and case management for individuals.
  • Disclosures to facilitate care with social and community services. This proposed change is intended to clarify and expressly allow covered entities to disclose PHI to third parties that provide or coordinate health-related services needed for care coordination and case management.
  • Notice of privacy practices (NPP). This proposed change would eliminate the requirement for a covered entity to obtain an individual’s written acknowledgement of receipt of a direct treatment provider’s NPP, and the requirement to retain copies of such documentation for six years. This proposed change would also modify the content requirements of the NPP to clarify for individuals their rights with respect to their PHI and how to exercise their rights.
  • Telecommunications relay service. This proposed change would expressly allow disclosures to telecommunications relay service communications assistants, and would modify the definition of “business associate” to exclude telecommunications relay service providers.
  • Uniformed services. Under current regulations, a covered entity may use and disclose the PHI of Armed Forces personnel for activities deemed necessary by appropriate military command authorities. The proposed change would extend this permission to the PHI of personnel of the U.S. Public Health Service Commissioned Corps and the National Oceanic and Atmospheric Administration Commissioned Corps, which are considered part of the Uniformed Services but not the Armed Forces.

For a more detailed explanation of the proposed changes, see the HHS Fact Sheet.

Sources:

HHS Proposes Modifications to the HIPAA Privacy Rule to Empower Patients, Improve Coordinated Care, and Reduce Regulatory Burdens | HHS.gov

Fact Sheet on Proposed Modifications to the HIPAA Privacy Rule to Empower Individuals, Improve Coordinated Care, and Reduce Regulatory Burdens (hhs.gov)