The Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (the “NPRM”) to modify the Privacy Rule under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH Act) to facilitate the individual right of access and to ease the administrative burden for providers. The Privacy Rule protects the privacy and security of an individual’s medical records and protected health information (PHI). The period for submitting comments to the NPRM, originally set to expire March 22, 2021, has been extended by 45 days; the new deadline is April 6, 2021.

The NPRM modifies the current Privacy Rule in several significant ways. First, the rule strengthens a consumer’s right to access his or her own health information, including electronically stored medical information. Second, the NPRM will increase the ability to share necessary information for care coordination and case management. Third, the NPRM will allow for greater family and caregiver involvement in the care of individuals experiencing emergencies or health crises. Finally, the NPRM aims to reduce the administrative burdens on HIPAA-covered health care providers and health plans.

1. Strengthening Consumer’s Rights

Under the NPRM, the current Privacy Rule provisions regulating an individual’s right to access his or her PHI will be modified to allow for greater access to the individual’s specific PHI. Under the proposed rule, individuals will be allowed to take notes or use other personal resources to view and capture images of their PHI. Further, the response time for covered entities to provide PHI will be shortened from 30 to 15 calendar days. Additionally, covered entities will be required to inform individuals that they retain their right to obtain or direct copies of PHI to a third party when a summary of PHI is offered instead of a copy. And finally, the NPRM would require covered entities to make some PHI requests for free while others will still be provided for a fee. In order to provide maximum transparency to consumers, the covered entities will now be required to post these estimated fee schedules publicly.

These proposals are directly in line with the HHS Office of Civil Rights’ (OCR) enforcement of its “Right of Access Initiative,” which has resulted in 16 resolution agreements with covered health care providers since September 9, 2019, for failing to provide individuals with timely access to their PHI. The most recent settlement agreement was with Sharp HealthCare, doing business as Sharp Rees-Stealy Medical Centers, which operates four acute-care hospitals, three specialty hospitals, three affiliated medical groups, and a health plan. Sharp agreed to pay the OCR $70,000 to resolve allegations that, on two separate occasions, it failed to take timely action in response to a patient’s records access request directing that an electronic copy of PHI in an electronic health record be sent to a third party.

2. Sharing of Information

The NPRM would create an exception to the “minimum necessary” standard for individual-level care coordination and case management uses and disclosure. Under the current standard, covered entities are required to limit the use and disclosure of PHI to the minimum amount necessary to accomplish the purpose of the disclosure. The new exception provided by the NPRM would remove the applicability of this minimum necessary standard for individual-level care coordination and case management uses and allow for easier sharing between health plans and health care providers. This will increase each entity’s ability to provide better care coordination and case management by allowing more information to be shared about a patient without fear of violating the Privacy Rule.

3. Greater Involvement of Family and Caregivers

During the opioid crisis, the federal government has continuously sought advice on how to modify the HIPAA Privacy Rule to better promote family involvement in the care of loved ones experiencing serious health situations. One solution that is addressed in this NPRM is to amend five provisions of the Privacy Rule to replace “the exercise of professional judgment” standard with a standard permitting disclosure based on a “good faith belief” about an individual’s best interest. This will allow for family members, loved ones, and caregivers to be better informed about the patient’s ongoing health crisis and to have a more active role in facilitating their care.

4. Reducing Administrative Burdens

Currently, covered health care providers are required to provide a Notice of Privacy Practices to each individual who receives care, which details how his or her PHI will be used or disclosed by such providers, and to obtain the individual’s written acknowledgment of receipt. If these providers are unable to obtain the written acknowledgment, they must document their good faith effort to do so and the reason for not obtaining an individual’s acknowledgment. This signed document or record of good faith effort must be retained for at least six years. Pursuant to the NPRM, this acknowledgment requirement would be eliminated for covered health care providers with a direct treatment relationship to an individual, and the requirement to retain copies of the documents for six years would also be removed.

Instead of utilizing a written acknowledgment of the Notice of Privacy Practices, the NPRM would codify an individual’s right to discuss the privacy practices with the covered entity’s designated contact person. The name or title and contact information of the designated person must be provided to the patient. Further, the notice provided to the patient must now include additional information on how to access the patient’s health care information, how to file a HIPAA complaint, and the right to receive a copy of the notice and discuss it with the covered entity’s designated contact person. This will create an operational need for covered entities to identify designated contact persons and make them available to discuss with patients their applicable privacy rights.

5. Conclusion

The implementation of these new privacy rules will certainly have a significant impact on covered entities under HIPAA, including health care providers and health plans. We recommend those affected by these proposed changes review the NPRM to determine whether additional comments should be submitted to further modify or eliminate any of the proposed changes. If you have questions about this NPRM or any other regulatory requirements, Frost Brown Todd’s Insurance Regulation & Risk Management, Labor and Employment, or Health Care Innovation teams can help. Please contact Matt Wagner (513.651.6978;, Peggy Shukairy (513.651.6150;, Bill Williams (317.237.3815;, or Brian Higgins (513.651.6839; for more information.

*This article was updated to reflect the OCR’s 45-day extension of the public comments period, the new deadline for which is April 6, 2021.