HHS Proposes Significant Value-Based Care Changes to HIPAA Privacy Rule

As its days dwindle down, the current administration is mobilizing for one final push to reduce what it perceives to be unnecessarily burdensome regulation, including on the medical privacy front. On Dec. 10, the HHS Office for Civil Rights (OCR) issued a notice of proposed rulemaking (NPRM) to modify the HIPAA and HITECH Act Privacy Rule.

The Proposed Privacy Act Changes

As with the recent kickback regulations, the OCR Privacy Rule initiative is designed to clear the path for value-based health care. Specifically, the NPRM proposes to modify the Privacy Rule to expand the scope of permissible disclosures of protected health information (PHI), i.e., PHI disclosures permitted without the individual’s consent, to include disclosures that will promote care coordination and case management communications among individuals and labs, hospitals and other HIPAA covered entities. Key changes proposed:

  • Clarifying the definitions of the key terms “electronic health record” and “personal health application”;
  • Shortening the response time for patient health record requests from 30 days to 15 days (with a 15-day extension under limited circumstances);
  • Making it easier for patients or their personal representatives to verify their identity when requesting access to their PHI or exercising another Privacy Rule right;
  • Creating an exception to the “minimum necessary” standard for individual level care coordination and case management uses and disclosures;
  • Clarifying the minimum necessary standard with respect to care coordination and case management activities;
  • Removing obsolete parts of the Notice of Privacy Practices (NPP) requirements;
  • Amending the permissible fee structure for responding to patient health record requests and requiring covered entities to post estimated fees on their website for access and for disclosures with a patient’s authorization;
  • Making it easier for family and caregivers to be involved in the care of individuals experiencing emergencies or health crises; and
  • Modifying provisions on individuals’ rights of access to PHI.


The deadline to comment on the NPRM is March 11, 60 days after its publication in the Federal Register. If it’s finalized—and that’s a big “if” considering that a new administration will be in control—the final rule would take effect 60 days after it’s published. Labs and other covered entities and their business associates would have until the “compliance date” to establish and implement policies and practices to achieve compliance with any new or modified standards. Among other things, you’d then have to:

  • Update your information privacy policies and procedures and train lab employees on the changes;
  • Revise your Notice of Privacy Practices; and
  • Renegotiate business associate agreements to comply with the new requirements.

National Lab Reporter (NLR) will keep an eye on things and explain how to do each of the above when and if it appears that the changes are really going to happen.
