Changes Are Coming to the HIPAA Privacy Rule: Are You Prepared?

Laura M. Cascella, MA, CPHRM

With a turn of the calendar year, 2022 will likely usher in the most significant changes to the HIPAA Privacy Rule in almost a decade. These changes will come on the heels of several years of information-gathering, proposals, and public comments, which kicked off December 2018 when the U.S. Department of Health and Human Services (HHS) Office for Civil Rights issued a request for information on HIPAA rules. HHS subsequently released and published the Notice of Proposed Rulemaking (NPRM) in December 2020 and January 2021, respectively. A public comment period on the NPRM followed, which concluded May 6, 2021.¹

The proposed changes to the HIPAA Privacy Rule are targeted at helping fulfill HHS’ Regulatory Sprint to Coordinated Care by breaking down barriers to care coordination, information sharing, and interoperability (in alignment with the 21st Cures Act and the HITECH Act); supporting value-based care; enhancing patient engagement and right of access; and reducing unnecessary administrative and regulatory burdens.²

Some of the significant provisions of the Proposed Rule include introducing and modifying key definitions, strengthening patients’ rights to access their information, supporting information sharing and care coordination, allowing broader disclosures, and modifying policies and information associated with the Notice of Privacy Practices (NPP).

Key Definitions

As part of the Proposed Rule, HHS seeks to add definitions for two key terms — electronic health record (EHR) and personal health application (PHA). Neither of these terms currently is defined in the HIPAA Privacy Rule, although the HITECH Act does include a definition of EHR.

The Proposed Rule seeks to expand on and clarify the HITECH definition, defining EHR as “an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.”³

Likewise, the Proposed Rule aims to build on HITECH’s definition of personal health record by defining PHA as “an electronic application used by an individual to access health information about that individual in electronic form, which can be drawn from multiple sources, provided that such information is managed, shared, and controlled by or primarily for the individual . . .”⁴

The addition of both of these definitions — EHR and PHA — to the Privacy Rule are intended to address the gap in current regulatory definitions as well as clarify and support individuals’ right of access related to electronic protected health information (ePHI).⁵

The Proposed Rule also addresses confusion regarding the term “healthcare operations.” The current Privacy Rule permits uses and disclosures of PHI for treatment, payment, and healthcare operations without patient authorization. The definitions of treatment and healthcare operations overlap to some extent in terms of the type of activity and who is performing it — for example, case management activities performed by a healthcare provider (treatment) vs. a health plan (healthcare operations). However, the definition of healthcare operations specifically mentions population-based activities but not individual-level care. Thus, HHS proposes to clarify that healthcare operations includes both individual-level and population-based care coordination and case management activities.⁶

Right of Access

A predominant focus in healthcare legislation and reform is giving patients more access to and control over their health information. The proposed changes to the HIPAA Privacy Rule reflect this goal and aim to enhance patients’ right of access through various provisions, including:

• Strengthening patients’ right to inspect their PHI in person. The Proposed Rule would allow patients to take notes and use personal resources (e.g., smartphones) to capture images of their PHI, as long as it does not pose unacceptable security risks. However, providers are not required to let patients connect personal devices to their information systems.
• Condensing the current timeline to respond to requests for PHI. Providers currently have 30 days to response to patients’ requests for PHI, with an optional 30-day extension. The Proposed Rule seeks to shorten the timeframe to 15 days with an optional 15-day extension.
• Clarifying patients’ right to receive their PHI in the form and format requested, if it is readily producible. Under the Proposed Rule, “readily producible” copies of PHI would include ePHI requested through secure, standards-based application programming interfaces (APIs), using applications chosen by individuals. Providers also would be required to provide copies of PHI in any form and format required by applicable state and other laws.
• Easing identity verification requirements. Although verifying individuals’ identities is a crucial step when responding to requests for PHI, unreasonable or onerous identity verification requirements can create barriers to patients’ right of access. The Proposed Rule would prohibit covered entities from imposing unreasonable verification measures, such as requiring a notarized signature or showing proof of identification in person (when another credible, more convenient method is available).
• Providing more information about fees associated with obtaining PHI. The Proposed Rule specifies when PHI must be provided free of charge (e.g., during in-person viewing) and amends fees related to responding to requests to send PHI to third-parties. Providers also would be required to (a) post estimated fee schedules on their websites, (b) offer individualized fee estimates, and (c) provide itemized bills for completed requests.⁷

Information Sharing and Care Coordination

Certain aspects of the current HIPAA Privacy Rule can be construed as restrictive or limiting the ability of providers to share information in the pursuit of comprehensive, coordinated care for patients. The Proposed Rule seeks to address this issue and break down some of the barriers to information sharing.

As noted earlier, the more detailed definition of healthcare operations facilitates the sharing of individual patient data to support individual-level care coordination and case management. The Proposed Rule also establishes a pathway for patients to direct sharing of ePHI among providers and health plans by allowing patients to request that a provider or health plan submit an access request for PHI in an EHR to another healthcare provider.⁸ The provider or health plan (the “requester-recipient”) would facilitate requesting the information from the other provider (the “discloser”) and receive an electronic copy of the PHI.

The proposed changes also modify the rules related to “minimum necessary standard.” Under the current Privacy Rule, covered entities must use, disclose, or request only the minimum PHI that is required to accomplish the task at hand. The Proposed Rule makes an exception to the minimum necessary standard for use by, disclosure to, or requests from a covered entity for care coordination and case management.

The Proposed Rule also permits covered entities to disclose PHI to third-party organizations that provide health-related services for the purposes of individual-level care coordination and case management (for treatment or healthcare operations). Examples of such third parties include social service agencies, community-based organizations, home-based and community-based service providers, and other similar organizations. HHS notes that, in some cases, these organizations might not be subject to HIPAA.

Expanded Disclosures

In addition to supporting measures that facilitate sharing information and coordinating care, the Proposed Rule also aims to increase flexibility around the disclosure of PHI to an individual’s family members or other caregivers who are trying to assist the individual with a serious condition or emergency situation. Examples of such conditions and situations include substance use disorders, serious mental illnesses, incapacitation, and health-related emergencies.

To do this, HHS proposes replacing the “exercise of professional judgment” standard with a “good faith belief” standard, which would permit certain uses and disclosures of PHI if they are in the best interests of individuals. HHS also notes that the exercise of professional judgment standard implies disclosure by a licensed healthcare provider, while the good faith belief standard “may be exercised by other workforce members who are trained on the covered entity's HIPAA policies and procedures and who are acting within the scope of their authority.”⁹

Five areas of the Privacy Rule would be amended based on this proposal. Those areas relate to disclosing information (1) to parents, guardians, or others acting in loco parentis; (2) for facility directories; (3) when the individual is present; (4) when the individual is not present due to incapacitation or an emergency; and (5) in relation to verification requirements.¹⁰

HHS also proposes to increase flexibility in relation to disclosing PHI to family, friends, and caregivers for the purposes of avoiding harm. The current Privacy Rule allows a covered entity to disclose PHI when a threat to health and safety is “serious and imminent.” HHS acknowledges that determining with certainty whether a threat is imminent may be impossible; thus, the Proposed Rule would permit disclosure of PHI when the threat to health and safety is “serious and reasonably foreseeable.” The proposed change would include a definition of “reasonably foreseeable” to help guide decision-making about disclosure.

Notice of Privacy Practices

To help eliminate an administrative burden of the current HIPAA Privacy Rule, the Proposed Rule eliminates the requirement for direct healthcare providers to obtain — or to document their good faith efforts to obtain — patients’ written acknowledgment of receipt of the providers’ NPP. However, to ensure that patients are able to understand and act on information in the NPP, they would have the right to discuss the NPP with a person whom the healthcare provider designates.

Further, HHS proposes modifying the header of the NPP to specify that the notice provides individuals with information about how to access their information, how to file a HIPAA complaint, and their right to receive a copy of the notice. The NPP header also would need to include a phone number and email address for the designated contact person.¹¹

Next Steps

Although the changes detailed in this article are still proposed and not final, healthcare providers (and other covered entities) should be aware of them and their potential implications. These changes will require providers to update their policies, procedures, NPP, authorization and disclosure materials, and contracts.¹² Further, the significance and breadth of these modifications will necessitate retraining staff on the HIPAA Privacy Rule.

The proposed changes will become effective 60 days after the Final Rule is published, and providers will have 180 days following the effective date to comply. With less than a year to implement these modifications, taking a proactive approach before the Proposed Rule is finalized can help providers prepare for the changes and identify any issues with current or future processes that could hinder implementation or compliance.

The following strategies may prove helpful:

• Make sure your current policies and procedures for the HIPAA Privacy, Security, and Breach Notification Rules are complete and up to date. Doing so will make implementing the proposed changes more straightforward and help avoid confusion.
• Review your current processes related to patients’ requests to inspect and obtain copies of their PHI to determine how well they work and what will need to change based on the Proposed Rule.
• Be aware of any state laws related to the release or disclosure of PHI. HHS notes that the Privacy Rule does not preempt other law that is more protective of individuals’ privacy.
• Make sure your identity verification process to access PHI does not impose unreasonable measures on patients, such as requiring a notarized authorization or other burdensome requirements.
• Consider how the shortened timeframe to respond to patients’ requests for PHI (from 30 days to 15 days) will affect workflow processes. Review your current process and ability to comply with the 30-day timeframe to identify potential obstacles for future compliance.
• Review your current forms, materials, and contracts affected by the Privacy Rule to consider what changes will need to be made and the best way to approach those changes. Consider also what updates you will need to make to your website information.
• Begin to educate staff members about the changes in the Proposed Rule, and include them in planning efforts and discussions about new processes and workflows.¹³

More Information

For more complete information and details about all of the proposed changes to the HIPAA Privacy Rule, see the Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement published in the Federal Register on January 21, 2021.

---

¹ Linna, A., & Ishee, J. (2021, October 14). Preparing for major HIPAA changes in 2022 [Webinar]. McGuireWoods. Retrieved from www.mcguirewoods.com/events/firm-events/2021/10/preparing-for-major-hipaa-changes-in-2022; Sheppard Mullin Richter & Hampton LLP. (2021, May 24). HIPAA Privacy Rule modification – removing barriers and promoting coordinated care at what cost? SheppardMullin Healthcare Law Blog. Retrieved from www.jdsupra.com/legalnews/hipaa-privacy-rule-modification-7104453/

² Ibid; Hales, M. (2021, June 1). HIPAA changes ahead. The HIPAA E-Tool. Retrieved from https://thehipaaetool.com/hipaa-changes-ahead/; Allen, A. L. (2021, August 16). HIPAA at 25 remains a work in progress. The Regulatory Review. Retrieved from www.theregreview.org/2021/08/16/allen-hipaa-at-25-remains-a-work-in-progress/

³ Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement, 86 Fed. Reg. 6446 (Jan. 21, 2021) (to be codified at 45 CFR pts. 160 & 164).

⁴ Ibid.

⁵ Ibid; Sheppard Mullin Richter & Hampton LLP, HIPAA Privacy Rule modification; Linna, et al., Preparing for major HIPAA changes in 2022.

⁶ Linna, et al., Preparing for major HIPAA changes in 2022. Hales, HIPAA changes ahead; Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement, 86 Fed. Reg. 6446.

⁷ Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement, 86 Fed. Reg. 6446; Linna, et al., Preparing for major HIPAA changes in 2022; Sheppard Mullin Richter & Hampton LLP, HIPAA Privacy Rule modification; Hales, HIPAA changes ahead; Compliancy Group. (n.d.). Proposed changes to HIPAA Privacy Rule for 2021 announced by HHS. Retrieved from https://compliancy-group.com/proposed-changes-to-hipaa-privacy-rule/

⁸ Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement, 86 Fed. Reg. 6446; Linna, et al., Preparing for major HIPAA changes in 2022; Compliancy Group, Proposed changes to HIPAA Privacy Rule for 2021 announced by HHS.

⁹ Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement, 86 Fed. Reg. 6446.

¹⁰ Ibid; Linna, et al., Preparing for major HIPAA changes in 2022.

¹¹ Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement, 86 Fed. Reg. 6446; Sheppard Mullin Richter & Hampton LLP, HIPAA Privacy Rule modification; Linna, et al., Preparing for major HIPAA changes in 2022.

¹² Sheppard Mullin Richter & Hampton LLP, HIPAA Privacy Rule modification; Linna, et al., Preparing for major HIPAA changes in 2022.

¹³ Hales, HIPAA changes ahead; Linna, et al., Preparing for major HIPAA changes in 2022.

---

Prevention & Education Center home