Proposed Changes for HIPAA Privacy Rule Receive Pushback


May 24, 2021 | Reading Time: 2 Minutes

The Department of Health and Human Services (HHS) proposed changes to the HIPAA Privacy Rule in a Notice of Proposed Rulemaking released in January 2021, leaving it open to public comment until May 6, 2021. One of the proposed changes is set to modify the right of access standard, requiring providers to release a patient’s health records to personal health applications upon the patient’s request. Healthcare groups have objected to this change.

Why Did the HHS Propose the HIPAA Privacy Rule Change?

In its notice, the HHS provided the reasoning behind the proposed change: “More and more individuals use personal health applications to access and manage their personal health information, and in this proposed rule, the Department proposes to revise the right of access to clarify that it includes the right of an individual to access electronic copies of the individual’s Protected Health Information (PHI) and that one of the mechanisms by which an access request can be fulfilled is by transmitting an electronic copy of an individual’s PHI to a personal health application used by the individual.”

Should the change be approved, there will also be a change to the HIPAA Rules to define personal health application (PHA) as “an electronic application used by an individual to access health information about that individual in electronic form, which can be drawn from multiple sources, provided that such information is managed, shared, and controlled by or primarily for the individual, and not by or primarily for a covered entity or another party such as the application developer.”

Why Do Healthcare Groups Oppose This Modification?

Although requiring providers to release a patient’s information to a PHA is convenient for the patient, healthcare providers and advocacy organizations have pointed out that it poses a risk to the privacy and security of the information. Under HIPAA, PHAs are considered neither covered entities nor business associates, so they are not regulated by HIPAA. Under the proposed changes to the HIPAA Privacy Rule, PHAs would still be unregulated.

If providers are required to share a patient’s protected health information with unregulated PHAs, nothing would stop those PHAs from sharing the information with third parties, risking patient privacy. Additionally, the unregulated PHAs may lack sufficient security controls, leaving them vulnerable to hacking incidents. Lastly, the PHAs would not have to sign a business associate agreement (BAA). Without a BAA, PHAs could sell patient PHI for marketing or advertising purposes. The American Hospital Association has stated, “Personal health applications should be limited to applications that do not permit third-party access to the information, include appropriate privacy protections and adequate security and are developed to correctly present health information that is received from electronic health records.”

Will the Proposed HIPAA Privacy Rule Changes be Enacted?

Currently, the HHS is in the process of reviewing the 1,200 comments that were submitted by the public. Once the comments have been reviewed, the HHS will decide whether to finalize the proposed rule in part or in its entirety. It may also choose to reopen the proposed changes to further comment, should it deem that necessary.
