On December 10, 2020, the Department for Health and Human Services (HHS) announced proposed changes to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule to support individuals’ engagement in their care, remove barriers to coordinated care, and reduce regulatory burdens on the healthcare industry.
The proposed changes are part of HHS’s Regulatory Sprint to Coordinated Care, which seeks to promote value-based healthcare by examining federal regulations that impede efforts among healthcare providers and health plans to better coordinate care for patients.
Some of these changes would include:
- Response Time Shortened: providers would need to provide patients with copies of records and fulfill access requests within 15 calendar days, with the possibility of a 15 calendar day extension.
- Facilitating Access Request Submissions: if a patient makes a request for their provider or health plan to obtain an electronic copy of PHI from another healthcare provider, the Requester-Recipient provider / health plan is required to submit the patient request to Discloser. The Requester-Recipient must make the submission on behalf of the patient as soon as possible but within 15 calendar days of receiving the request and any information necessary for submission to Discloser.
- Responding to Access Request Submissions: providers and health plans would be obligated to respond to specific records requests received from other healthcare providers / health plans on behalf of the patient and their right of access.
Fee Limits and Disclosures
- The fee structure for responding to requests to direct records to a third party would be amended under the proposed rule, and in certain circumstances the access and copies would be provided for free. It would limit the amount providers may charge to a cost-based fee and what may be included in such fees would be very limited. Providers would be able to charge more for fulfilling requests that are no longer within the right of access. Providers would be required to disclose estimated fee schedules on their websites, offer estimates of fees, and provide itemized bills for completed services.
Notice of Privacy Practices (NPP)
- Proposed rule would update specific requirements involving individuals’ rights to their PHI and how those rights are applied. Providers would need to update their current NPP text to match new rule and identify a NPP contact person for patient questions. Under the rule, providers would no longer be required to acquire patient’s signature to confirm receipt of provider’s NPP.
The changes are still in the Notice of Proposed Rulemaking (NPRM) stage. The final rule, if adopted, would take effect 60 days after publication in the Federal Register and compliance would be required 180 days after that, providing a 240-day compliance period.
These changes would require healthcare providers to revise their HIPAA policies, forms, and processes. Providers may also need to revise any business associate agreements, especially with regard to patient rights provisions.
For more information about the proposed changes to the HIPAA privacy rule, including how to submit public comments in the Federal Register, please visit the HHS website: