MIPS: New HIPAA Proposed Rule: High-Level Summary

On January 21, 2021, the Department of Health and Human Services (HHS) officially released a proposed rule to revise the HIPAA Privacy Rule. While none of these changes can be finalized until after the public comment period has ended and HHS has reviewed the comments and written a final rule, the proposed changes are staggering.

This blog post will present a high-level summary as Part 1 of our multi-part series breaking down the proposed changes to the HIPAA Privacy Rule.

For a background on current HIPAA policies, see HIPAA and MIPS: Explained as easily as humanly possible.

Background on This Proposed Rule

Over the past several years, there has been a coordinated push to increase patients’ access to, and ability to use, their health information. In this Proposed Rule, HHS moves to expand and strengthen the patient Right of Access, align HIPAA with Information Blocking rules, and modernize HIPAA rules in the age of digital health. HHS Secretary Alex Azar predicts that the “proposed changes to the HIPAA Privacy Rule will break down barriers that have stood in the way of commonsense care coordination and value-based arrangements for far too long.”

When Would These Changes Need to Be Implemented?

HHS is proposing to require compliance with any finalized policies by 240 days after the publication of the Final Rule. As the Proposed Rule was just published, it would likely be more than a year from now.

Expanding the Individual (Patient) Right of Access

  • Identity Verification: In this Proposed Rule, HHS proposes to expressly prohibit covered entities from imposing unreasonable verification measures on an individual exercising a right under the Privacy Rule. An unreasonable measure is one that causes an individual to expend unnecessary effort or resources when a less burdensome verification measure is practicable for the covered entity.
  • Personal health application: This new proposed term under HIPAA refers to direct-to-consumer applications used for the patient’s own purposes, such as to monitor their own health status and access their own PHI using the app. These are not and will not be subject to HIPAA privacy and security policies.
  • Right to Inspect PHI: HHS proposes to expand the individual’s Right of Access to their PHI to include the right to view, take notes, take photographs, and use other personal resources to capture the information.
  • Response Timeliness: HHS proposes to shorten the amount of time a covered entity has to fulfill a request for access to 15 calendar days with one potential additional 15-day extension (currently, covered entities have 30 calendar days with one 30-day extension permitted).
  • Third Party Directives: The Proposed Rule expressly provides individuals with the right to direct a covered health care provider to transmit an electronic copy of PHI in an EHR directly to a third party designated by the individual.


  • Fee Limitations: The Proposed Rule describes categories of access for which covered entities cannot charge a fee. No fee can be charged when an individual inspects their PHI in person or uses an internet-based method to view or obtain a copy of electronic PHI maintained by or on behalf of the covered entity. Regarding an access request to direct an electronic copy of PHI in an EHR to a third party, the Proposed Rule specifies that covered entities can only charge a fee for the labor for copying the PHI and for preparing an explanation or summary of the PHI if the individual has agreed to such summary.
  • Notice of Access and Authorization Fees: The Proposed Rule adds a requirement that covered entities provide advance notice of approximate fees for copies of PHI requested under the access right and with an individual’s valid authorization.

Notice of Privacy Practices

  • Notice of Privacy Practices: The Proposed Rule eliminates the requirement to obtain an individual’s written acknowledgment of receipt of a direct treatment provider’s Notice of Privacy Practices (NPP). The Proposed Rule also modifies the content requirements of the NPP to clarify individual rights with respect to their PHI and how to exercise those rights.


  • Health Care Operations: The Proposed Rule amends the definition of “health care operations” to clarify that the scope of permitted uses and disclosures extends to individual-level care coordination and case management that constitute health care operations.
  • Minimum Necessary Standard: HHS proposes an express exception to the “minimum necessary” standard for disclosures to or requests by a health plan or covered health care provider for care coordination and case management. (This applies at the individual level, not the population level.)
  • Telecommunications Relay Services: HHS proposes to expressly allow covered entities to disclose PHI to TRS communications assistants relating to any covered functions performed by, for, or on behalf of covered entities, and to clarify for covered entities that a business associate agreement is not needed with a TRS communications assistant.
  • Mental Health and Substance Use Disorder: This Proposed Rule contains several provisions that would weaken privacy requirements around the care of patients with substance use disorder and encourage disclosure to family by any member of a care team (including a scheduler). It also proposes to permit covered entities to disclose PHI to avert a threat to health or safety when harm is “serious and reasonably foreseeable” (replacing the current “serious and imminent” harm threshold for such disclosures).
  • Care Coordination: HHS proposes clarifications permitting covered entities to disclose PHI to social services agencies, community-based organizations, home- and community-based service providers, and similar third parties that provide health-related services, in furtherance of the coordination and management of individuals’ care.

More Blogs on the HIPAA Privacy Proposed Rule

Part 2: Individual Right of Access Deep Dive

Part 3: Permitted Fees

Part 4: Disclosures

More Information on the Related ONC Information Blocking Requirements (Compliance Date April 5, 2021)

Recently, we wrote a blog on the upcoming Information Blocking requirements: Get Ready! Information Blocking Deadline April 5.

On April 5, we will post a webinar on the upcoming information blocking requirements. If you want hands-on, personalized assistance, contact us and we will have your back.