December 14, 2020

On December 10, 2020, the Office for Civil Rights of the Department of Health and Human Services issued new proposed regulations relating to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH). Although these are only proposed regulations and should not require immediate changes for providers, if the proposed regulations are eventually finalized, most providers would need to modify procedures, policies, and other documents to comply with them. Providers should watch for further regulatory action and be prepared to make necessary adjustments promptly if new regulations are finalized. This client advisory summarizes some of the major changes in the proposed regulations. A copy of the proposed regulations may be found here.


The regulations include several proposals that could be helpful to providers. Those proposed revisions include:

•   Eliminating the obligation to obtain an individual’s written acknowledgment of receipt of a Notice of Privacy Practices (NPP). Covered entities would still have to provide the NPP but would not be required to obtain a patient’s written acknowledgment of receipt of the NPP when providing direct treatment.

•   Amending the definition of health care operations to clarify that health care operations can include both population-based care coordination and case management, as well as individual-level care coordination and case management.

•   Creating an exception to the “minimum necessary” standard to allow broader use and disclosure of PHI for individual-level care coordination and case management.

•   Including a new provision to further clarify that a covered entity may disclose PHI to a social services agency, community-based organization, home and community-based services provider, or similar third party that provides health or human services to specific individuals for individual-level care coordination and case management activities.

•   Modifying the provisions of the privacy rule allowing disclosures based upon a provider’s “professional judgment” to instead allow disclosures based upon a good faith belief that the use or disclosure is in the best interest of the individual. Providers would be presumed to have acted in good faith in these cases, absent evidence of bad faith.

•   Revising current standards allowing disclosures to avert a “serious and imminent” threat to health or safety, to a standard allowing disclosures to avert “serious and reasonably foreseeable” harm.

•   Changing the definition of business associate to specifically exclude Telecommunications Relay Services (TRS) and associated changes to expressly permit disclosures to TRS communications assistants to allow communication with persons who are deaf, hard of hearing, or deaf-blind, or who have a speech disability.


Although there are a number of proposed changes that would likely be favorable for providers, there are several that, if finalized, could create additional risks or burdens for providers. Those include:

•   Changes that would require revisions and updates to all NPPs.

•   Changes to shorten response times required for covered entities relating to requests by patients for access to their records. Although some state laws establish shorter periods, current HIPAA standards give covered entities 30 days to respond – the proposed regulations would reduce this period to 15 days.

•   Provisions to establish a process for individuals to direct that their PHI be shared in an EHR among covered health care providers and health plans, by requiring covered health care providers and health plans to submit an individual’s access request to another health care provider and to receive back the requested electronic copies of the individual’s PHI in an EHR.

•   Provisions to require covered entities to post estimated fee schedules on their websites relating to requests by an individual for access to and disclosure of PHI.

If you have any questions or need further guidance regarding these new proposed regulations or existing standards, please contact a member of Hancock Daniel’s HIPAA/Privacy & Security team.


The information contained in this advisory is for general educational purposes only. It is presented with the understanding that neither the author nor Hancock, Daniel & Johnson, P.C., is offering any legal or other professional services. Since the law in many areas is complex and can change rapidly, this information may not apply to a given factual situation and can become outdated. Individuals desiring legal advice should consult legal counsel for up-to-date and fact-specific advice. Under no circumstances will the author or Hancock, Daniel & Johnson, P.C. be liable for any direct, indirect, or consequential damages resulting from the use of this material.
