Privacy and Security

HHS Proposes Modifications to the HIPAA Privacy Rule

The US Department of Health and Human Services (HHS) today unveiled a Notice of Proposed Rulemaking (NPRM) that, if enacted, would modify provisions in the HIPAA Privacy Rule, particularly in areas impacting enforcement and compliance for business associates of covered entities.

Part of HHS’s Regulatory Sprint to Coordinated Care, the proposed modifications are also intended to support individuals’ engagement in their care, remove barriers to coordinated care, and reduce regulatory burdens on the healthcare industry, according to a press release issued by the agency.

Key modifications include:

  • Strengthening patient access to their own health information and that of family and loved ones, as well as data sharing for care coordination purposes
  • Broadening flexibilities for disclosures in emergency situations or during existing public health threats
  • Mitigating administrative burdens on HIPAA-covered providers and payers
  • Limiting or prohibiting use of protected health information for sales, marketing, and fund-raising
  • Expanding enforcement provisions
In a public statement, AHIMA CEO Wylecia Wiggs Harris, PhD, CAE, praised the release of the NPRM.

“We are pleased to see the long-awaited release of the Office for Civil Rights (OCR) proposed modification to the HIPAA Privacy Rule that aims to empower patients and enhance care coordination,” she said. “In particular, we are pleased the rule proposes strengthening the individual right of access under HIPAA. We are also pleased it seeks to clarify how an individual’s right to direct their protected health information (PHI) to a third party should be treated. In certain instances, this has led to delays in individuals being able to access their medical record.

“We also look forward to reviewing OCR’s proposal to clarify the scope of covered entities’ ability to disclose PHI to social service agencies or community-based support programs. As social determinants of health increasingly become a priority for many providers, the sharing of information across clinical and non-clinical settings may include PHI. This makes it critically important to prioritize the privacy, security, and confidentiality of this sensitive information.”

OCR encourages comments from all stakeholders, including patients and their families, HIPAA covered entities and their business associates, consumer advocates, healthcare professional associations, health information management professionals, health information technology vendors, and government entities.

A public comment period will be open for 60 days after the publication of the NPRM in the Federal Register.

Tags: HIPAA