Proposed HIPAA Privacy Rule: The 9 Changes That Will Have an Immediate Impact on Lab Operations

On Dec. 10, with just a few weeks remaining in its tenure, the HHS Office for Civil Rights (OCR) proposed a series of changes to the HIPAA Privacy Rule. Public comments on the proposed rule were scheduled to close on March 22. Unlike many of the other midnight healthcare regulations adopted by the Trump administration, the Privacy Rule changes remain on track. But the new administration wants a little more time to study them. So, on March 9, the OCR announced that it was extending the comment period on the proposed rule for 45 days until May 6.

The 9 Key Changes

The point of the proposed rule, which takes up nearly 100 pages worth of 3-columned Federal Register text, is to give individuals greater access to their protected health information or electronic protected health information (which we’ll refer to collectively as “PHI” except where the context requires otherwise) while at the same time making it easier for providers to use and share that PHI to coordinate treatment, respond to emergencies and transition to value-based care. For most lab managers, the key part of the rule are the changes likely to have an immediate impact on operations. There are three groups of such changes affecting:

  • Patient PHI access rights;
  • Access fees; and
  • Notice of privacy practices.

Special ReportFREE White Paper: Avoiding 3 of the Most Deadly Anti-Kickback, Stark Law & EKRA Compliance Traps

These are today’s 3 most deadly compliance traps for clinical labs. Get caught in just one of these traps and it could cost your lab massive fines and penalties.

Every lab should review their compliance policies and practices on a regular basis to make sure they avoid falling into any of these costly traps. Find out what your lab needs to know and do to sidestep these expensive legal pitfalls in this FREE White Paper, Avoiding 3 of the Most Deadly Anti-Kickback, Stark Law & EKRA Compliance Traps.
Read Your Free White Paper Here

Patient PHI Access Rights (Changes 1 to 4)

There are four changes that would have a direct impact on your HIPAA compliance efforts with regard to patient access rights:

  1. Less Time to Respond to Access Requests

The proposed rule would cut the time of covered entities, including labs to meet patient requests to copy and access their records from 30 to 15 days. As under current rules, patients could request an extension. However, the extension period would also be reduced from 30 to 15 days.

  1. Need for Urgency Access Prioritization Rules

To comply with the proposed rule, labs will have to create written policies for prioritizing health and safety and other urgent requests. Although the 15-day response limit and extension periods would still apply, the policies must be designed to meet the request within the first 15-day period and thus eliminate the need for the extension.

  1. New Limits on Requests to Direct PHI to Third Parties

Some of the changes in the proposed rule would actually reduce your administrative load and simplify compliance. An example is the new set of limits on individuals’ right to direct you to transmit their ePHI to a third party in an electronic health record (EHR).

  1. New Access Request Submission Procedures

The proposed rule would require labs to submit an individual’s access request to another health care provider and get back the requested electronic copies of the person’s ePHI in an EHR. The requirement wouldn’t be automatic but would apply only if the individual made a “clear, conspicuous, and specific” request (which could be oral). Upon receiving such a request, the lab would have to submit it to the other provider within 15 calendar days.

Fee Limits & Disclosure for Third Party Requests (Changes 5 to 7)

The next group of changes likely to have an immediate operational impact involve the fees you can charge and the information you must disclose to individuals who ask you to direct their PHI to a third party.

  1. Revised Fee Limits

The proposed rule would impose limits on fees for responding to requests to direct records to a third party. Fees would also have to be “reasonable” and “cost-based.” However, you would be able to charge less restricted fees when fulfilling requests to send non-electronic copies of PHI in an EHR, or electronic copies of PHI that’s not in an EHR, to third parties.

  1. Free Access

Under the proposed rule, you’d also have to provide access to and copies of PHI free of charge when individuals:

  • Inspect PHI about themselves in person; or
  • Use an internet-based method to view or obtain a copy of PHI maintained by or on behalf of the lab).
  1. Posting of Fee Schedule

The proposed rule requires labs and other covered entities to post estimated fee schedules on their websites for access and for disclosures with an individual’s valid authorization. If individuals request it, you must also provide individualized estimates of fees for an individual’s request for copies of PHI, along with itemized bills for completed requests. In addition, upon request, you must make the fee schedule available in paper or electronic form at the point of care or at an office that’s responsible for releasing medical records.

Notice of Privacy Practices (NPP) (Changes 8 and 9)

When and if the proposed rule becomes final, you’ll have to revise your NPP and procedures for distributing it.

  1. NPP Text Revisions

The proposed rule includes a number of detailed revisions to current rules governing the content of the NPP, including statements about individuals’ rights PHI rights and how they exercise them. over their PHI and how to exercise those rights. In addition to incorporating the new language into the NPP, you’ll have to designate a person who’ll be available to discuss the NPP with the patient and list his/her contact information in the NPP.

  1. Signature No Longer Required

One change that would make life easier for you and your lab staff is the proposed elimination of the requirement to get an individual’s written acknowledgment of receipt of a direct treatment provider’s NPP.


If the proposed rule is finalized, it would take effect on July 4, 60 days after publication of the final rule in the Federal Register.