Proposed Changes to HIPAA Privacy Rule
In early December, the Department of Health and Human Services proposed changes to the Privacy Rule provision of HIPAA.
One change modifies the requirement that individuals have access to their personal health information (PHI). Under the current Privacy Rule, covered entities must provide individuals the ability to access, copy, and inspect their PHI. The proposed rule expands this requirement in multiple ways, including shortening the covered entity’s deadline to respond to requests from 30 days to 15 days; prohibiting covered entities from charging fees for providing electronic PHI; and allowing individuals to use their own resources and devices to copy their PHI (for example, through image capturing) in order to provide easy access and limit fees.
In addition to expanding an individual’s right to his or her own PHI, the proposed regulations also expand an individual’s right to direct his or her PHI to a third party, clarifies when covered entities can disclose PHI for care coordination and case management, and broadens when covered entities are permitted to disclose PHI during an emergency.
This proposed rule is subject to a 60-day comment period before finalization. Once the final rule is published, covered entities will have 240 days before the changes will be enforced.