On December 10, 2020, OCR published a Notice of Proposed Rulemaking that set out proposed changes to the HIPAA Privacy Rule based on replies to its December 2018 RFI. The suggested modifications are minimal and do not include the changes to the HIPAA Privacy Rule that healthcare sector stakeholders are lobbying for. The majority of the proposed HIPAA changes are fairly small adjustments to strengthen patient access to PHI, support data sharing, and reduce the administrative burden on HIPAA-covered entities.
In 2021, OCR accepted comments on the proposed HIPAA changes for 60 days from the date they were published in the Federal Register. It then added another 45 days to the comment period to allow healthcare sector stakeholders to analyze the proposed changes and give their comments. OCR has received responses, but it is not clear what was done with them. A final rule integrating the proposed changes wasn’t a priority for the Biden administration. The Trump administration, which started updating the HIPAA Privacy Rule, might issue a final rule in 2026. Nonetheless, a Privacy Rule update is likely to be postponed, considering the present administration’s views on additional regulation.
The proposed HIPAA Privacy Rule updates are the following:
- Letting patients inspect their PHI in person and take pictures or notes of their PHI.
- Reducing the time allowed to give access to PHI from 30 days to 15 days.
- Limiting the right of individuals to send ePHI to a third party to just ePHI that is kept in an EHR.
- Verifying that a person is allowed to instruct a covered entity to give their ePHI to a personal health app when asked by the person.
- Specifying when individuals must be given ePHI at no cost.
- Requiring covered entities to notify people about their right to get or give copies of their PHI to a third party if a summary of PHI is provided rather than a copy.
- Broadening the Armed Forces’ authorization to use or share PHI to cover all uniformed services.
- Including a definition for electronic health records.
- Changing terminology to broaden the ability of a covered entity to share PHI to avoid a risk to health or safety whenever harm is critically and practically foreseeable. (At the moment, it is only if harm is serious and certain.)
- Creating a process for individuals to instruct the sharing of PHI kept in an EHR between covered entities.
- No longer requiring covered entities to get a written acknowledgment from a person that they have obtained a Notice of Privacy Practices.
- HIPAA-covered entities need to publish on their websites the estimated fees for PHI access and sharing.
- HIPAA-covered entities need to give personalized estimates of the fees to a person getting a copy of PHI.
- The definition of healthcare procedures is extended to include care coordination as well as case management.
- Covered healthcare providers and health plans need to take action on some records requests from other covered healthcare entities whenever patients ask for them.
- Covered entities will be allowed to use and disclose PHI based on their good faith belief that doing so is for the good of the person.
- Adding an exception to the minimum required standard for personal-level care coordination and case management uses and disclosures, whether or not the activities support treatment or health care procedures.
If any of these changes are approved in a final rule, healthcare providers should give their employees HIPAA training on the updated guidelines and procedures.
