The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information. To fulfill this requirement, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule. The Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, establishes national standards for the protection of certain health information. The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) establish a national set of security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called “covered entities” must put in place to secure individuals’ “electronic protected health information” (e-PHI). Within HHS, the Office for Civil Rights (OCR) has responsibility for enforcing the Privacy and Security Rules with voluntary compliance activities and civil money penalties.

The last update to the HIPAA Rules was the HIPAA Omnibus Rule in 2013, which introduced new requirements mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act.

The new proposed HIPAA Privacy Rule announced by OCR in December 2020 are far-reaching and affect almost everyone that interacts with the health care system. The proposed HIPAA regulations are as follows:

• Allowing patients to inspect their PHI in person and take notes or photographs of their PHI.
• Changing the maximum time to provide access to PHI from 30 days to 15 days.
• Requests by individuals to transfer ePHI to a third party will be limited to the ePHI maintained in an EHR.
• Individuals will be permitted to request their PHI be transferred to a personal health application.
• States when individuals should be provided with ePHI at no cost.
• Covered entities will be required to inform individuals that they have the right to obtain or direct copies of their PHI to a third party when a summary of PHI is offered instead of a copy.
• HIPAA-covered entities will be required to post estimated fee schedules on their websites for PHI access and disclosures.
• HIPAA-covered entities will be required to provide individualized estimates of the fees for providing an individual with a copy of their own PHI.
• Pathway created for individuals to direct the sharing of PHI maintained in an EHR among covered entities.
• Healthcare providers and health plans will be required to respond to certain records requests from other covered health care providers and health plans, in cases when an individual directs those entities to do so under the HIPAA Right of Access.
• The requirement for HIPAA-covered entities to obtain written confirmation that a Notice of Privacy practices has been provided has been dropped.
• Covered entities will be allowed to disclose PHI to avert a threat to health or safety when harm is “seriously and reasonably foreseeable.” The current definition is when harm is “serious and imminent.”
• Covered entities will be permitted to make certain uses and disclosures of PHI based on their good faith belief that it is in the best interest of the individual.
• The addition of a minimum necessary standard exception for individual-level care coordination and case management uses and disclosures, regardless of whether the activities constitute treatment or health care operations.
• The definition of healthcare operations has been broadened to cover care coordination and case management.
• The Armed Forces’ permission to use or disclose PHI to all uniformed services has been expanded.
• A definition has been added for electronic health records.

The proposed changes to the HIPAA Privacy Rule are a cause of concern for many covered entities, business associates, and patient privacy advocates due to the potential impact the proposed changes will have on the privacy and security of healthcare data, the economic burdens the changes may place on healthcare providers.

While some of the proposed changes to the HIPAA Privacy Rule are intended to ease the administrative burden on healthcare organizations, when the Final Rule is published, considerable time and effort will need to be put into implementing the changes. There will be a need to update HIPAA policies and procedures and communicate those changes to patients and health plan members. Employees will need to be given further HIPAA training, as the HIPAA Privacy Rule requires training to be provided whenever there is a material change to HIPAA policies. Training courses will need to be updated, and providing training to the workforce has the potential to cause workflow disruptions.

The Privacy Rule has largely been concerned with restricting the uses and disclosures of PHI. The latest HIPAA changes introduce new requirements to make healthcare information flow more freely and improve access rights for patients. Implementing those HIPAA changes could well create challenges for healthcare organizations. The Office for Civil Rights has been cracking down on violations of the HIPAA Right of Access when timely access to medical records in a designated data set is not provided. The time frame for providing those records has been shortened. Based on the number of financial penalties for HIPAA Right of Access violations, many healthcare providers have struggled to provide records within 30 days, so providing the records within 15 days will be particularly challenging, especially considering the maximum extension has also been shortened to 15 days.

Another area of concern is the definition of electronic health record, which includes billing records. Billing records will need to be provided when individuals request a copy of their records. Billing records are often kept in a different system – not in the EHR – which could slow down the processing HIPAA Right of Access requests.

A definition has been added for Personal Health Application – an application used by an individual to access their health records. Healthcare organizations will be required to inform individuals about the privacy and security risks of sending their PHI to a third-party application, which is not required to have safeguards mandated by HIPAA. Healthcare providers are likely to have to develop their own patient warnings to ensure patients are made aware of the risks. A change has also been made which allows patients to orally request a copy of their PHI be sent to a third party. Healthcare organizations may struggle to implement the necessary changes to allow those requests to be processed correctly.

There has also been a change to the language of the HIPAA Privacy Rule regarding the need to provide copies of ePHI in the format requested by the individual. “Readily producible” copies of PHI now include copies requested through standards-based APIs using individuals’ personal health applications. It may not be easy for some healthcare providers to provide records in those formats, as they may be restricted by the EHR system they have implemented.

The new HIPAA regulations will allow patients to inspect their PHI in person and take notes and photographs. That too will create challenges, as patients will need to be allowed to inspect their PHI privately, and care will need to be taken to ensure they are not photographing PHI that they are not authorized to obtain – either their own or the PHI of others. HIPAA-covered entities will need to determine how best to provide that information. It may be necessary to create an area where records can be viewed electronically, and even to supervise individuals who are inspecting their PHI in person. In-person requests to inspect PHI will also need to be provided free of charge, even though providing in-person access has the potential to have a cost impact on a HIPAA-covered entity.

As these issues show, while the changes in many cases are minor, the implications for HIPAA-covered entities are considerable. It will likely take considerable planning and resources to implement all of the changes, update policies and procedures, and provide training to the workforce. Efforts to implement the new HIPAA changes will need to be initiated promptly after the Final Rule is published to ensure it is possible to be compliant with the new HIPAA regulations in 2022 and certainly by the effective date.

Although it is likely that all the new HIPAA regulations being proposed in the current NPRM will be adopted, a number of stakeholders, such as the American Hospital Association, have raised concerns about the proposed changed – particularly changes relating to a reduction in the maximum time allowed to respond to patient requests, allowing patients to photograph PHI, and transferring PHI to personal health applications.

It is unlikely that Covered Entities will have to immediately comply with the Final Rule, when the original Privacy Rule Final Rule was published in 2002, Covered Entities were given a year to make systems, policies, and procedures HIPAA compliant. Small health plans were given two years. If a Final Rule is published 2022, the OCR will allow a similar period of time for Covered Entities to make the necessary adjustments.