OCR Proposed Changes to HIPAA Privacy Rule Part 1

Jan 1, 2021 9:30:00 AM

Ryan Wallace

In January 2021, the Office of Civil Rights (OCR) published its proposed Modifications to the HIPAA Privacy Rule to Empower Individuals, Improve Coordinated Care, and Reduce Regulatory Burdens, and opened it for public comment until March 22, 2021. As of March 9, 2021, this comment period has been extended to May 6, 2021.

The proposed changes to the HIPAA Privacy Rule include strengthening individuals’ rights to access their health information, including electronic information; improving information sharing for care coordination and case management for individuals; facilitating greater family and caregiver involvement in the care of individuals experiencing emergencies or health crises; enhancing flexibilities for disclosures in emergency or threatening circumstances, such as the Opioid and COVID-19 public health emergencies; and reducing administrative burdens on HIPAA covered health care providers and health plans, while continuing to protect individuals’ health information privacy interests.

We’ve examined each of the eight (8) proposed changes and outlined below how these may impact providers. For Part 1 of our blog, we’ll go over the first 4.

Proposed Changes

The HIC-TCR outlines four main areas to leverage techniques, practices, and activities during a crisis. If you’re familiar with NIST’s Five Functions of the Cybersecurity Framework (Identify, Protect, Detect, Respond, Recover), these should resonate.

1. Disclosures of PHI in the Best Interests of Individuals Experiencing Emergencies or Health Crises, Including Serious Mental Illness and Substance Use Disorder Crises

OCR proposes to facilitate the disclosure of protected health information (PHI) needed to improve care for individuals experiencing certain health emergencies by modifying the standard for certain permitted disclosures from one based on a covered entity’s “professional judgment” to one based on its “good faith” belief that a disclosure would be in the best interests of the individuals.

Professional judgment has always been an unclear term, and has been taken by some to require someone who is licensed to practice and trained to make appropriate decisions. This “good faith” approach will give a provider and staff a means to explain how what they were doing was the correct approach in the best interest of patient care. Of course, no decisions are made in a vacuum, so having a clear decision-making process will allow a defensible position should those decisions be contested.

2. Disclosures to Prevent Harm or Lessen a Threat of Harm

OCR proposes expanding the ability of covered entities to disclose PHI to avert a threat to health or safety when harm is “serious and reasonably foreseeable,” instead of the current stricter standard, which requires a “serious and imminent” threat to health or safety.

As with the first point, the terminology has always been unclear on what constitutes a “serious and imminent” threat. This is another useful change that eases communication for patient care.

For example, a doctor who sees an elderly patient with COVID-19 could alert the patient’s nursing home of the potential exposure to other residents and staff based on the serious and reasonably foreseeable threat of infection with COVID-19, without delay caused by the need to assess whether the threat is sufficiently “imminent” to permit the disclosure.

3. Care Coordination and Exception to the Minimum Necessary Standard

This change proposes modifying the definition of “health care operations” to clarify that the term includes care coordination and case management for individuals. The current definition is sometimes interpreted to cover only population-based activities, with the result that some entities believe that health plans are not permitted to use and disclose PHI to coordinate care for individuals.

OCR also proposes adding an express exception to the minimum necessary standard for disclosures to, or requests by, a health plan or covered health care provider for care coordination and case management for individuals.

4. Disclosures to Facilitate Care with Social and Community Services

This change proposes expressly permitting covered entities to disclose PHI to social services agencies, community-based organizations, home and community-based services (HCBS, which are services supported by, among other payers, state Medicaid programs) providers, or similar third parties that provide or coordinate health-related services that are needed for care coordination and case management with respect to an individual.

As we’ve seen with the opioid crisis (and with elderly individuals or individuals with disabilities who use home health services, community health, and related social assistance), sometimes the best thing for patient care is the ability to communicate among these programs.


As we’ve outlined above, these proposed changes really bring the focus back to patient care in the new post-COVID landscape.

In our upcoming blog (part 2), we’ll examine the remaining 4 of the 8 proposed changes.



Ryan Wallace is a Cyber Risk Manager at HORNE Cyber where he works to provide IT-focused assurance to clients both public and private.