Changes to the HIPAA Privacy Rule

HIPAA Privacy Consultant

As all of you know, HIPAA is a moving target. Just when you think you understand what is going on, it changes.

By now, most of you have heard about the 21st Century Cures Act / Information Blocking Rule. This final rule will apply to almost everyone in healthcare, with varying responsibilities. Health IT developers, health information exchanges, and health information networks could face civil monetary penalties of up to $1,000,000.00 per violation. Complaints and investigations will be handled by ONC (Office of the National Coordinator). Healthcare providers could face “appropriate disincentives” that will be established by HHS/CMS but have not yet been defined.

Information blocking is best described as a situation where EHI (electronic health information) has been requested and the request is denied or unreasonably delayed. I am not going to go into detail on the developer or information exchange side in this notification, but here are a few examples for healthcare providers:

  • Healthcare organization or hospital refusing to exchange information
  • Requiring a patient to sign a consent to exchange their information for treatment
  • Charging a patient for electronic access to their information
  • Delayed access to information when the information was available days before

When we speak of access to or exchange of EHI, that does not mean you must share everything you have. The obligation is based on the “request”: you are only obligated to share what is requested. Remember the “minimum necessary” rule; these are similar guidelines.

This is a very complex rule, and more information can be found at:

There are eight exceptions to the information blocking requirement:

The proposed changes to the HIPAA Privacy Rule include strengthening patients’ rights to access their own health information, including electronic information; improving information sharing for care coordination and case management for individuals; facilitating greater family and caregiver involvement in the care of individuals experiencing emergencies or health crises; enhancing flexibilities for disclosures in emergency or threatening circumstances; and reducing administrative burdens on HIPAA covered health care providers and health plans, while continuing to protect individuals’ health information privacy interests.

Summary of Major Provisions

HHS proposes to modify the Privacy Rule to increase permissible disclosures of PHI and to improve care coordination and case management by:

  • Adding definitions for the terms electronic health record (EHR) and personal health application.
  • Modifying provisions on the individuals’ right of access to PHI by:
    ○ strengthening individuals’ right to inspect their protected health information (PHI) in person, including permitting individuals to take notes or use other personal resources to view and capture images of their PHI;
    ○ shortening covered entities’ required response time to no later than 15 calendar days (from the current 30 days), with the opportunity for an extension of no more than 15 calendar days (from the current 30-day extension);
    ○ clarifying the form and format required for responding to individuals’ requests for their PHI;
    ○ requiring covered entities to inform individuals that they retain their right to obtain or direct copies of PHI to a third party when a summary of PHI is offered in lieu of a copy;
    ○ reducing the identity verification burden on individuals exercising their access rights;
    ○ creating a pathway for individuals to direct the sharing of PHI in an EHR among covered health care providers and health plans, by requiring covered health care providers and health plans to submit an individual’s access request to another health care provider and to receive back the requested electronic copies of the individual’s PHI in an EHR;
    ○ requiring covered health care providers and health plans to respond to certain records requests received from other covered health care providers and health plans when directed by individuals pursuant to the right of access;
    ○ limiting the individual right of access to direct the transmission of PHI to a third party to electronic copies of PHI in an EHR;
    ○ specifying when electronic PHI (ePHI) must be provided to the individual at no charge;
    ○ amending the permissible fee structure for responding to requests to direct records to a third party; and
    ○ requiring covered entities to post estimated fee schedules on their websites for access and for disclosures with an individual’s valid authorization and, upon request, to provide individualized estimates of fees for an individual’s request for copies of PHI, and itemized bills for completed requests.

  • Amending the definition of health care operations to clarify the scope of permitted uses and disclosures for individual-level care coordination and case management that constitute health care operations.
  • Creating an exception to the “minimum necessary” standard for individual-level care coordination and case management uses and disclosures. The minimum necessary standard generally requires covered entities to limit uses and disclosures of PHI to the minimum necessary needed to accomplish the purpose of each use or disclosure. This proposal would relieve covered entities of the minimum necessary requirement for uses by, disclosures to, or requests by, a health plan or covered health care provider for care coordination and case management activities with respect to an individual, regardless of whether such activities constitute treatment or health care operations.
  • Clarifying the scope of covered entities’ ability to disclose PHI to social services agencies, community-based organizations, home and community-based service (HCBS) providers, and other similar third parties that provide health-related services, to facilitate coordination of care and case management for individuals.
  • Replacing the privacy standard that permits covered entities to make certain uses and disclosures of PHI based on their “professional judgment” with a standard permitting such uses or disclosures based on a covered entity’s good faith belief that the use or disclosure is in the best interests of the individual. The proposed standard is more permissive in that it would presume a covered entity’s good faith, but this presumption could be overcome with evidence of bad faith.
  • Expanding the ability of covered entities to disclose PHI to avert a threat to health or safety when a harm is “serious and reasonably foreseeable,” instead of the current stricter standard which requires a “serious and imminent” threat to health or safety.
  • Eliminating the requirement to obtain an individual’s written acknowledgment of receipt of a direct treatment provider’s Notice of Privacy Practices (NPP).
  • Modifying the content requirements of the NPP to clarify for individuals their rights with respect to their PHI and how to exercise those rights.
  • Expressly permitting disclosures to Telecommunications Relay Services (TRS) communications assistants for persons who are deaf, hard of hearing, or deaf-blind, or who have a speech disability, and modifying the definition of business associate to exclude TRS providers.
  • Expanding the Armed Forces permission to use or disclose PHI to all uniformed services, which then would include the U.S. Public Health Service (USPHS) Commissioned Corps and the National Oceanic and Atmospheric Administration (NOAA) Commissioned Corps.

To read more about this proposed rule and to read public comments submitted in response to the Notice of Proposed Rulemaking on Modifications to the HIPAA Privacy Rule:


If you need assistance with your HIPAA Compliance, contact us at 877.659.2467 or complete the contact us form.

“Simplifying HIPAA through Partnership, Education, and Support”

About Suze Shaffer

Suze Shaffer is the owner and president of Aris Medical Solutions. She specializes in HIPAA compliance, risk management, and cyber security. She believes that by educating her clients in understanding why and what needs to be done to protect their practice, they have a better outcome.

Suze has been instrumental in helping clients nationwide with risk management, implementing privacy and security rule policies and procedures, and ultimately protecting patient data. She includes state and federal regulatory requirements to ensure clients are protected in all areas.

She has spoken at numerous conferences and functions. She continues to educate organizations on how to minimize the risks of data breaches. HIPAA compliance is not an option; it is mandatory for every organization that comes in contact with protected health information to have reasonable and appropriate security measures in place. Unfortunately, most organizations don’t realize they are not compliant until they suffer a data breach or are faced with an audit or investigation.

Did you know that the Office for Civil Rights (OCR) is the agency that investigates data breaches? Have you seen the heavy fines that have been imposed for non-compliance?

All 50 states now have their own set of privacy laws and the State's Attorney General may also investigate privacy violations!
