OCR Proposed Changes to HIPAA Privacy Rule Part 2

Jan 1, 2021 9:28:00 AM

Ryan Wallace

In January 2021, the Office of Civil Rights (OCR) published its proposed Modifications to the HIPAA Privacy Rule to Empower Individuals, Improve Coordinated Care, and Reduce Regulatory Burdens, and opened for public comment until March 22, 2021. As of March 9, 2021, this comment period has been extended to May 6, 2021.

In Part 1 of our blog, we highlighted the first four of the eight proposed changes and how they may impact providers. Today, we’ll go over the remainder.

5. Right of Individuals to Access their PHI

OCR proposes a number of modifications to enhance individual engagement and improve individuals’ rights to access their health information, including the following:

First, shortening covered entities’ required response time to no later than 15 calendar days (from the current 30 days) after receipt of the request, with the opportunity for an extension of no more than 15 calendar days (from the current 30-day extension).

Second, empowering the individual to control sharing of PHI in an electronic health record (EHR) among covered health care providers and health plans, by requiring covered health care providers and health plans to submit an individual’s access request to another health care provider and to receive back the requested electronic copies of the individual’s PHI in an EHR.

This ensures that treating doctors can get the medical records they need to support treatment of the individual (the Privacy Rule already permits health care providers to disclose PHI for treatment, but it does not require them to do so). For example, if an individual from California was involved in a car wreck in Virginia and is being treated by a variety of specialists (orthopedists, neurologists, physical therapists) in Virginia, that individual can send a request to one of the treating doctors in Virginia to obtain an electronic copy of the individual’s records from their primary care physician in California, to assist the Virginia treating physicians in providing care.

Third, strengthening individuals’ rights to inspect their PHI in person, which includes allowing individuals to take notes or use other personal resources to view and capture images of their PHI. Part of this is clarifying that individuals may take photos on the spot in conjunction with a health encounter. For example, an individual looking at their own MRI while in the exam room could use their smartphone to take a photo and immediately send it to their spouse.

Fourth, clarifying the form and format required for responding to individuals’ requests for their PHI, including for electronic copies. For example, if an individual requests that a covered entity transmit PHI securely to the individual’s personal health application, and the covered entity has the technical capability to do so, this form and format is considered readily producible.

Fifth, reducing the identity verification burden on individuals exercising their access rights, without adversely affecting the security of PHI. For example, requiring an individual to obtain notarization on an access request would create an unreasonable barrier and would not be permitted under the proposed rule.

Sixth, requiring covered entities to post estimated fee schedules on their websites for right of access requests and for valid authorization disclosures and, upon request, provide individualized estimates of fees for an individual’s request for copies of PHI, and itemized bills for completed requests. This will help ensure that covered entities are charging reasonable cost-based fees for right of access requests, and for requests using an authorization, the individual knows what the costs will be in advance. For example, an individual who wants to request copies of their record can find out in advance what different copy formats (e.g., electronic, paper) will cost and, if they wish, take the estimated fees into consideration in requesting particular formats.

6. Notice of Privacy Practices (NPP)

OCR proposes eliminating the requirement for a covered entity to obtain an individual’s written acknowledgment of receipt of a direct treatment provider’s NPP, and the associated requirement to retain copies of such documentation for six years. This proposal will result in a significant reduction of administrative burden for covered health care providers.

Eliminating this requirement will reduce paperwork and time spent away from the care of individuals. It will also eliminate confusion, as some individuals believe they are entering into a contract or waiving their rights under HIPAA, and improve access to care, as OCR has received complaints where individuals were denied treatment after declining to sign the acknowledgment.

For example, an individual receives their health care provider’s NPP when arriving at an appointment. The front office staff will not have to take the time to ask for a signature of receipt, explain why they need it (which the staff, as well as the individual, may not understand), and file and maintain the acknowledgment – or the documentation of their attempt to obtain a signed acknowledgment – for six years.

OCR also proposes modifying the content requirements of the NPP to clarify for individuals their rights with respect to their PHI and how to exercise those rights.

The required header of the NPP would inform individuals that the notice provides information about how to access their health information, how to file a HIPAA complaint, and their right to receive a copy of the notice and to discuss its contents with a designated person.

Modifications would include specifying whether the designated contact person is available onsite and include a phone number and email address the individual can use to reach the designated person. Providing this information at the beginning of the NPP would improve individuals’ awareness of their Privacy Rule rights, what they can do if they suspect a violation of the Privacy Rule, and how to contact a designated person to ask questions.

Consistent with the proposed required header language, and to ensure that individuals are fully informed of their access rights, OCR also proposes modifying the required element of an NPP that addresses the access right to describe how an individual can exercise the right of access to obtain a copy of their records at limited cost or, in some cases, free of charge, and the right to direct a covered health care provider to transmit an electronic copy of PHI in an EHR to a third party. For example, an individual who receives their health care provider’s NPP will immediately see how they may exercise their right to request records at a reasonable fee, to report suspected violations to OCR, and how to get answers from the provider about the use and disclosures of their PHI under HIPAA.

7. Telecommunications Relay Service (TRS)

Telecommunications Relay Service (TRS) facilitates telephone calls for individuals who are deaf, hard of hearing, deaf-blind, or have a speech disability. TRS facilitates such telephone communication by using a communications assistant who transliterates conversations (or, in some cases, interprets using ASL).

OCR proposes changes to expressly permit disclosures to TRS communications assistants, and to modify the definition of business associate to exclude TRS providers.

Currently, the HIPAA Privacy Rule permits covered entities to disclose PHI to TRS communications assistants to facilitate communication with individuals (patients or beneficiaries) who are deaf, hard of hearing, deaf-blind, or who have a speech disability, but does not address the situation where members of a covered entity’s or business associate’s workforce might be deaf, hard of hearing, deaf-blind, or have a speech disability and need TRS communications assistants to help them communicate.

For example, a hospital nurse who is deaf may use a TRS communications assistant to facilitate a call with a health plan representative about pre-authorization for a patient’s procedure, or to coordinate post-discharge care for an individual with another health care provider, without obtaining the individual’s authorization and without the hospital having a business associate agreement with the TRS provider.

8. Uniformed Services

Currently, a covered entity may use and disclose the PHI of Armed Forces personnel for activities deemed necessary by appropriate military command authorities to assure the proper execution of the military mission, provided certain required conditions are met.

OCR proposes extending the permission to disclose PHI of Armed Forces personnel to the PHI of members of the U.S. Public Health Service (USPHS) Commissioned Corps and the National Oceanic and Atmospheric Administration (NOAA) Commissioned Corps. These Services are considered part of the Uniformed Services but are not considered part of the Armed Forces.

For example, a covered entity could disclose to USPHS command authorities the results of a fitness-for-duty examination of an individual who is a member of the USPHS Commissioned Corps, without the individual’s authorization, when needed to assure the proper execution of the USPHS mission.

While we’re not sure when the Privacy Rule Proposed Changes will go into effect, the time to start preparing your organization is now.

Ensure that you’re following the current patients’ right of access guidelines, and begin the process of updating your fee schedule. Then, ensure your Notice of Privacy Practices (NPP) is made available (including public posting), refresh yourself on its contents, and refresh your staff on its contents and importance.

Remember: these changes are all focused on empowering your patients, improving care, and reducing burdens. Keep these in mind as you evaluate your current HIPAA program.

Ryan Wallace is a Cyber Risk Manager at HORNE Cyber where he works to provide IT-focused assurance to clients both public and private.