The Health Insurance Portability and Accountability Act (HIPAA) contains Standards for the Privacy of Individually Identifiable Health Information (Privacy Rule). The Privacy Rule applies to covered entities (i.e., (i) a health plan; (ii) a health care clearinghouse; and (iii) a health care provider who transmits any health information in electronic form in connection with a transaction for which DHHS has adopted standards). More specifically, the Privacy Rule broadly establishes national standards to protect individuals’ protected health information (PHI), by requiring certain safeguards, setting limits and conditions on the uses and disclosures of PHI, as well as giving individuals rights over their PHI. PHI is defined as individually identifiable health information (IIHI) that is:

• (i) transmitted by electronic media;
• (ii) maintained by electronic media; or
• (iii) transmitted or maintained in any other form or medium.

In January 2021, the Department of Health and Human Services (DHHS) issued a Notice of Proposed Rulemaking (NPRM) which proposes to modify the Privacy Rule. According to DHHS, the NPRM sought to modify HIPAA’s Privacy Rule to support individuals’ engagement in their health care, remove barriers to coordinated care, and decrease regulatory burdens on the health care industry. The NPRM estimated that the total cost saving from the proposed reform would be roughly $3.2 billion over five years.

NPRM Spotlight: Proposed Changes to the Right of Individuals to Access Their PHI

Of the nine different sections contained in the NPRM, the most extensive proposed changes involve changes to an individual’s right to access their PHI. These proposed changes include:

Adding definitions for electronic health record (EHR) and personal health application:

The NPRM defines an EHR as “an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.” Further, the NPRM proposes to define personal health application as “an electronic application used by an individual to access health information about that individual in electronic form, which can be drawn from multiple sources, provided that such information is managed, shared, and controlled by or primarily for the individual, and not by or primarily for a covered entity or another party such as the application developer.” As stated in the NPRM, these proposed definitions would clarify the proposed modifications to the right of access.

Strengthening the access right to inspect and obtain copies of PHI:

DHHS proposes to enable individuals to use personal resources, such as taking notes, videos, and photographs, to view and capture PHI in a designated record set. These proposed changes are seen as a way to eliminate “persistent barriers” that individuals face when trying to inspect and/or obtain copies of their PHI.

Modifying the implementation requirements for requests for access and timely action in response to requests for access:

• Requests for access: The NPRM prohibits a covered entity from imposing unreasonable measures on an individual exercising the right of access that create a barrier to or unreasonably delay the individual from obtaining access.
• Timeliness: The NPRM requires that access be provided “as soon as practicable,” but in no case later than 15 calendar days after receipt of the request, with the possibility of one 15 calendar-day extension. 

Addressing the form of access:

When a covered entity offers a summary in lieu of access, the covered entity must inform the individual that they retain the right to obtain a copy of the requested PHI if they do not agree to receive the summary.

Addressing the individual access right to direct copies of PHI to third parties:

The NPRM creates a separate set of provisions for the right to direct copies of PHI to a third party.

Adjusting permitted fees for access to PHI and ePHI:

DHHS plans to change the access fee provisions of the Privacy Rules to establish a fee structure with elements based on the type of access request.

Notice of access and authorization fees:

DHHS proposes to add additional regulations requiring covered entities to provide advance notice of approximate fees for copies of PHI requested under the access right and with an individual’s valid authorization.

Impact of HIPAA Privacy Rule Update: Covered Entities

A final rule implementing these proposed changes to the Privacy Rule has not yet been announced. However, the final rule is expected to be posted in 2024. Although the proposed HIPAA Privacy Rule updates aim to relieve the administrative burden imposed on covered entities, in the short term, it undoubtedly will cause significant work for covered entities seeking to comply with these updates. To comply, covered entities will likely incur costs, update various policies and procedures, and also update workforce member training.