August 15, 2022

Volume XII, Number 227


August 15, 2022

Subscribe to Latest Legal News and Analysis

The Tortoise and the Hare? HIPAA Joins the Regulatory Sprint to Coordinated Care


On 10 December 2020, the Office of Civil Rights (OCR) for the federal Department of Health and Human Services (the Department) issued Proposed Modifications to the HIPAA Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement (the Proposed Rule).The Proposed Rule comes nearly two years after OCR issued a Request for Information from stakeholders regarding the ways that HIPAA could be modernized to support coordinated, value-based care.OCR includes numerous proposed changes to the HIPAA Privacy Rule intended to eliminate regulatory barriers for purposes of fostering care coordination and the shift to value-based care models, including clarifying the scope of care coordination for disclosures of protected health information (PHI) under the health care operations and treatment exceptions, and creating an exception to the minimum necessary standard for disclosures related to care coordination and case management. 

This rulemaking development is on the heels of other Department agencies finalizing similarly oriented companion rules through the Centers for Medicare and Medicaid Services (CMS) final rule updating the physician self-referral law (or Stark Law),3 and the Office of Inspector General (OIG) final rule creating new safe harbors under the federal Anti-Kickback Statute,4 each of which created new regulatory protection for value-based arrangements in which entities can come together to care for a target population. With proposed changes to an individual’s right of access to their PHI, the Proposed Rule also appears timed with companion rules from CMS and the Department’s Office of the National Coordinator for Health Information Technology (ONC) that promote electronic medical record interoperability, prevent information blocking, and expand patient access to information.5 Lastly, these proposed regulatory changes would advance OCR’s views expressed through a recent series of investigations and enforcement actions under the agency’s “right of access initiative.”6

Promoting Care Coordination

Key proposed changes to the HIPAA Privacy Rule to drive care coordination include the following:

  • Clarifying the definition of “health care operations” to more clearly state that it permits all care coordination and case management efforts by health plans, including where such efforts are individual-based, such as following up with an individual patient regarding his or her treatment plan;

  • Creating a new exception to the “minimum necessary” standard for disclosures of PHI pursuant to individual-based care coordination and case management efforts between health plans and health care providers; and

  • Clarifying that covered entities may disclose PHI to third parties for individual-based care coordination and case management purposes without first obtaining an express authorization from the patient.

Expanded Right of Access

Key proposed changes in line with OCR’s recent enforcement priorities include the following:

  • Allowing patients to inspect and even take notes and photographs of their PHI;

  • Requiring covered entities to respond to patient requests within 15 days as opposed to 30;

  • Reducing covered entities’ burden of identity verification with respect to patients requesting access to their health records;

  • Clarifying parameters around the costs covered entities are permitted to charge for providing access to health records, and rquire the disclosure of such fee schedule information; 

  • Clarifying an individual’s right to direct copies of their PHI to third parties, and limit that right to electronic copies of PHI; and

  • Clarifying the responsibilities of business associates in providing patient access to health records.

Additional Flexibilities

Finally, key proposed changes to permit additional flexibility in the non-care coordination setting include:

Encouraging Disclosure to Avert a Health or Safety Threat

  • To facilitate disclosures in emergency circumstances, which OCR states include the opioid and COVID-19 public health emergencies, the Proposed Rule would relax the standard for disclosure of PHI to avert a threat to health or safety from when there is a “serious and imminent threat” to when harm is “serious and reasonably foreseeable.” 

Notice of Privacy Practices

  • OCR proposes to eliminate the requirement to obtain an individual’s written acknowledgement of receipt of a provider’s Notice of Privacy Practices (NPP) and to add new required elements for inclusion in the NPP. 

These changes are anticipated to have a significant impact on health care providers and other stakeholders that may have been hesitant to engage in certain care coordination arrangements because of concerns that the requisite information sharing may not be permitted under HIPAA, and introduce new requirements that will require resources to implement. Interested parties will have sixty (60) days from the date the Proposed Rule is formally published in the Federal Register to comment, with comments due likely in late February 2021 depending on the date of formal publication. 


1 OCR Proposed Modifications to the HIPAA Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement, (11 Dec. 2020), formal publication pending in the Federal Register. 

2 See OCR Request for Information on Modifying HIPAA Rules to Improve Coordinated Care, 83 Fed. Reg. 64302 (14 Dec. 2018). 

CMS Medicare Program; Modernizing and Clarifying the Physician Self-Referral Regulations, 85 Fed. Reg. 77492 (2 Dec. 2020).

OIG Medicare and State Health Care Programs: Fraud and Abuse; Revisions to Safe Harbors Under the Anti-Kickback Statute, and Civil Monetary Penalty Rules Regarding Beneficiary Inducements, 85 Fed. Reg. 77684 (2 Dec. 2020). 

See CMS Medicare and Medicaid Programs; Patient Protection and Affordable Care Act; Interoperability and Patient Access for Medicare Advantage Organization and Medicaid Managed Care Plans, State Medicaid Agencies, CHIP Agencies and CHIP Managed Care Entities, Issuers of Qualified Health Plans on the Federally-Facilitated Exchanges, and Health Care Providers, 85 Fed. Reg. 25510 (1 May 2020); and ONC 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program, 85 Fed. Reg. 25642 (1 May 2020). 

See OCR Press Release OCR Settles Twelfth Investigation in HIPAA Right of Access Initiative, (19 Nov. 2020).

Copyright 2022 K & L GatesNational Law Review, Volume X, Number 357

About this Author

 Rebecca M. Schaefer healthcare & Transactional Attorney K & L Gates Law Firm North Carolina

Rebecca Schaefer is a partner at the firm’s Research Triangle Park office. She is a member of the health care practice group, focusing her practice on healthcare regulatory and transactional matters. Ms. Schaefer has specialized knowledge of issues affecting academic medical centers, including those related to faculty practices, clinical research, mission support, governance and privacy. She provides counseling to health systems, physician practice groups and in-house pharmacies related to strategic affiliations, joint ventures, and compliance matters.  

Prior to...

Jacqueline B. Hoffman Health Care Attorney K&L Gates Dallas, TX

Jacqueline Hoffman is a partner in the firm’s Dallas office. She is a member of the health care and FDA practice group. Ms. Hoffman has experience in the areas of hospital operations and transactions, physician contracting, regulatory compliance and privacy. In her current practice, she provides counseling to healthcare providers including hospital systems, DME providers, IDTFs and pharmacies related to compliance and transactional matters. She is also board certified as a health lawyer in Texas.

Professional Background

Prior to joining the firm, Ms. Hoffman served as...


Macy Flinchum is an associate in the firm’s Research Triangle Park office. Ms. Flinchum’s practice focuses on health care regulatory and transactional law for hospitals, health systems, academic medical centers, and other health care providers. Her scope of work includes analysis of potential Stark Law and Anti-Kickback matters; government investigation and inquiries; HIPAA and EMTALA compliance; and assisting clients with various operational matters, including contracting, medical staff issues, and risk management issues.

Hannah Maroney HealthCare Lawyer K&L Gates

Hannah Maroney is an associate at the firm’s Research Triangle Park office. She is a member of the health care practice group.

Prior to joining the firm, Hannah served as an attorney at a business law firm where she practiced primarily in the area of health law with a focus on regulatory, transactional, and managed care issues. In addition, Hannah has experience working in litigation. Hannah also served as a law clerk to U.S. Magistrate Judge Joi Elizabeth Peake in the United States District Court for the Middle District of North Carolina. During law school, Hannah served as...