Proposed Changes to the HIPAA Privacy Rule


By: Joseph Colette

The United States Department of Health and Human Services’ (“HHS”) Office for Civil Rights (“OCR”) has announced new changes to the Standards for the Privacy of Individually Identifiable Health Information under the Health Insurance Portability and Accountability Act (the “HIPAA Privacy Rule”).

The revisions to the HIPAA Privacy Rule address the following four vital areas: patients’ access rights to their personal health information (“PHI”), disclosures for care coordination and case management, disclosures in the best interest of the patient and to avert threats, and alterations to covered entities’ notices of privacy practices.

Access Rights

According to the OCR, the proposed revisions to the Privacy Rule’s access rights strengthen individuals’ rights to access their own PHI, including electronic information. This proposed change will allow patients to direct the disclosure of their PHI to designated third parties (either orally or in writing), including the ability to receive their PHI via personal health applications — smartphone apps, for example — which are often developed and operated by third-party technology companies. One concern with this revision is the fact that these third-party companies are not subject to HIPAA, which may result in more frequent and damaging inadvertent exposures of PHI.

Under the revised rule, covered entities are also required to act on a patient’s request for access within fifteen (15) calendar days, as opposed to the current allowance of 30 days. Covered entities would also be required to have policies in place prioritizing “urgent or high priority” requests for access made by patients.

Covered entities would also be required to permit patients to take notes, pictures or videos of their PHI, unless otherwise prohibited by state law. Patients would now also have the right to access their PHI at their point of care in conjunction with a health care appointment, if a patient’s PHI is readily available.

In terms of the fees charged to patients for access to their PHI, covered entities would be disallowed from charging any fees if a patient views their PHI in person or uses a smartphone application to access their PHI.

Disclosures for Care Coordination and Case Management

Presently, the Privacy Rule authorizes covered entities to use and disclose PHI without a patient’s authorization for the purposes of treatment, payment, and health care operations. The proposed revisions amend the definition of “health care operations” to include all care coordination and case management (patient-level and population-based), and also permit the disclosure of PHI to third parties (including social services agencies, community-based organizations, home and community-based services providers, and other third parties providing health-related services) for patient-level care coordination and case management, as treatment or health care operations activities.

The revised rule also includes the addition of a “minimum necessary” standard exception for individual-level care coordination and case management uses and disclosures, regardless of whether the activities constitute treatment or health care operations.

Disclosures in the Best Interest of Patients

Covered entities will now be allowed to disclose PHI to avert a threat to health or safety when the harm is considered “seriously and reasonably foreseeable.” Under the present standard, the harm must be “serious and imminent.” The proposed rule also provides additional deference to determinations by providers assessing whether a patient’s behavior is a threat to health or safety. Covered entities will also be permitted to make certain uses and disclosures of PHI based on their good faith belief that doing so is in the best interest of the patient.

Notice of Privacy Practices

HIPAA covered entities will no longer be required to obtain written confirmation that a Notice of Privacy Practices (“NPP”) has been provided to patients. Instead, the proposed rule creates a right for patients to discuss the NPP with a designated contact at the covered entity.

The public comment period on the proposed revisions to the HIPAA Privacy Rule ended on May 6, 2021 and the final rule is expected to have an effective date sixty (60) days after publication and a compliance date starting 180 days later.

For more information, please contact Joseph Colette at