Officials at the Department of Health and Human Services (HHS) are proposing modifications to the HIPAA Privacy Rule to ease information sharing in emergencies. Some of the modifications being discussed would provide patients affirmative legal rights, and others would loosen restrictions on medical personnel. The timing of the discussions poses a challenge to the likelihood of implementation. Changes to the rules cannot be finalized before January 20, 2021, when President-elect Joe Biden will take office. Public comments are due 60 days after its publication in the Federal Register. HHS is seeking input from HIPAA-covered entities, other healthcare and technology stakeholders, consumers, activists, and patients. Trump Administration officials have touted these proposed changes as displaying a commitment to providing individuals with greater access to their health information and as a way to deregulate the health care industry.
The proposed rules give individuals greater rights. For example, individuals are permitted to use personal resources to view and capture images of their personal health information (PHI) when utilizing their right to inspect their PHI. The proposed rules would also require covered entities to inform individuals of their right to obtain copies of PHI when a summary of PHI is offered instead.
A change that would require significant guidance is the proposal to reduce the identity verification burden on individuals exercising their access rights considering HIPAA requires a covered entity to take reasonable steps to verify the identity of an individual making a request for access. The method of verification is left to the judgment of the covered entity. The proposed rules would require covered healthcare providers and health plans to respond to certain records requests received from other covered healthcare providers and health plans when directed by individuals pursuant to the right of access. Providers would have less time to respond to individual access requests as the threshold would go from thirty days to fifteen days.
The proposed rules would allow covered entities’ greater agency to disclose PHI to “social services agencies, community-based organizations, home and community-based service providers, and other similar third parties that provide health-related services.” Currently, covered entities are permitted discretionary disclosures of PHI based on their professional judgment. The proposed rules would make the measure more subjective with a standard based on that entity’s “good faith belief that the use or disclosure is in the best interests of the individual.”
HHS officials believe that the proposed rules would help “reduce the burden on providers and support new ways for them to innovate and coordinate care on behalf of patients” while ensuring HIPAA’s promise of privacy and security.