HHS has proposed several important changes to the HIPAA Privacy Rule to bring it in line with HHS’s Sprint Toward Coordinated Care initiative. These proposed changes are not yet final. Comments on the proposed rules are due within 60 days of their publication in the Federal Register.
- Reducing the time that covered entities have to respond to a patient’s request to access his or her medical records to 15 calendar days (with the possibility of a 15 day extension);
- Allowing an individual to take notes, videos, and photographs, and use other personal resources to capture Protected Health Information (“PHI”) in a designated record set when accessing PHI in person;
- Changing the fee structure applicable to requests for access to PHI and adding a requirement that covered entities provide advance notice of approximate fees for copies of PHI;
- Modifying the definition of “health care operations” to clarify that the term encompasses both individual-level and population-based care coordination and case management activities by health plans and covered health care providers;
- Adding an exception to the minimum necessary standard for disclosures to, or requests by, a health plan or covered health care provider for care coordination and case management for an individual;
- Expressly allowing covered entities to disclose PHI to social services agencies, community based organizations, home and community based service providers, and other similar third parties that provide health-related services to specific individuals for individual-level care coordination and case management;
- Replacing the “professional judgment standard” with a “good faith standard” for certain disclosures of PHI allowed in the Privacy Rule;
- Eliminating the requirement for a direct treatment provider to obtain written acknowledgment of receipt of the Notice of Privacy Practices (“NPP”) and adding an individual right to discuss the NPP with a person designated by the covered entity;
- Expressly allowing covered entities and their business associates to disclose PHI to telecommunications relay service communications assistants; and
- Expanding the current Armed Forces exception for covered entities to use and disclose PHI for mission requirements and veteran eligibility to all uniformed services personnel.