Nearly 20 years to the day after the first HIPAA privacy regulations were announced, HHS has posted proposed revisions to HIPAA, evidence that even after twenty years, HIPAA privacy remains a work in progress. These proposed revisions are styled by HHS OCR as an attempt “to support individuals’ engagement in their care, remove barriers to coordinated care, and reduce regulatory burdens on the health care industry.”
The proposed changes to the HIPAA Privacy Rule include:
- strengthening individuals’ rights to access their own health information, including electronic information, by adding definitions for the terms “electronic health record” and “personal health application” and shortening covered entities’ required response time from 30 days to just 15 days.
- improving information sharing for care coordination and case management for individuals;
- facilitating greater family and caregiver involvement in the care of individuals experiencing emergencies or health crises;
- enhancing flexibilities for disclosures in emergency or threatening circumstances, such as the opioid and COVID-19 public health emergencies; and
- reducing administrative burdens on HIPAA covered health care providers and health plans, while continuing to protect individuals’ health information privacy interests.
Notably, the proposed rule would allow providers acting in good faith to share patient health information related to opioid use, even if they don’t have training in substance abuse treatment. It also would expand the ability of covered entities to disclose PHI to avert a threat to health or safety when a harm is ‘serious and reasonably foreseeable,’ instead of the current stricter standard which requires a ‘serious and imminent’ threat to health or safety.
Public comments on the NPRM will be due 60 days after publication of the NPRM in the Federal Register (January 4, 2021). The NPRM may be viewed or downloaded from HHS’s website.