HIPAA Regulation - What Should You Know

Published on: 02 Sep 2021

HIPAA Regulations

The Health Insurance Portability and Accountability Act (HIPAA) is a widely known and critical piece of legislation in the healthcare industry. The main objective behind the enforcement of the HIPAA Regulation was to improve the efficiency and effectiveness of healthcare practices, systems, and processes across the industry.

However, although it has been several years since its enforcement, the industry has not witnessed any major updates to the regulation. The last update to the HIPAA Rules was the introduction of the HIPAA Omnibus Rule in 2013; since then there have been no significant changes to the HIPAA Regulation.

The Department of Health and Human Services (HHS), the agency that created and enforces the HIPAA regulations, has published findings highlighting that changes in technology, healthcare techniques, and practices have left the HIPAA regulation now seeming obsolete.

The Office for Civil Rights (OCR) issued a Notice of Proposed Rulemaking (NPRM) in December 2020 that outlined several changes to the HIPAA Privacy Rule. With this, several changes are expected to be introduced into the Regulation this year, in 2021. Individuals were given a timeframe of 60 days (due on May 6th, 2021) to comment on the proposed modifications contained in the NPRM. Based on the proposed changes and the comments received, HHS will consider finalizing the proposed changes. So, let us take a closer look at the proposed changes to the regulation and their implications for the industry.

Proposed Changes to the HIPAA Privacy Rule

The proposed changes to the HIPAA Privacy Rule aim to enhance the efficiency and effectiveness of value-based health care and to address issues of coordinated care and case management communications among covered entities such as hospitals, physicians, and insurers. The proposed changes in the new HIPAA regulations aim to give covered entities flexibility in disclosing PHI data in order to provide better healthcare to patients. Here are the key proposed changes expected to be introduced into the HIPAA regulation.

1. Expanded Right to Access

Right to Access is a major proposed policy change that sets out to protect the rights of patients who wish to obtain copies of their medical records quickly without being overcharged. This change addresses the major criticism of the HIPAA legislation that it is complex and expensive for patients to access their personal medical records. To address this issue, the following changes are proposed:

  • Right to Access - Patients should have the right to access their personal health information quickly without being charged for it. With this, healthcare providers cannot restrict patients from accessing, storing, or documenting their health information.
    • Prohibited Unreasonable Access Requirements - The proposal states that healthcare facilities should not impose unreasonable requirements on patients' access to information. These requirements include:
      • Requiring a patient to notarize forms
      • Requiring a patient to fill out forms only on paper
      • Requiring a patient to be present at the facility when filling out forms
      • Requiring a patient to fill out forms only through the facility's online portal
  • Shortened Response Time - The proposed change suggests that a patient who requests their personal health information should receive it promptly. What used to allow 30 calendar days to respond to the request would now be shortened to 15 days.
  • Fee for the PHI Record - The proposed change suggests reducing the fees that providers may charge for access to records, as a way of reducing the barriers to patients accessing their personal health information. The new proposal suggests that patients should bear only a reasonable fee for accessing the record. The fee charged may cover the use of a printer, excess copies, or the cost of supplies that the provider incurs to give the patient the requested information. The proposal also requires providers to specify the estimated cost of providing an individual with a copy of their PHI. It is also proposed that healthcare providers must not charge a fee for providing electronic PHI (ePHI) to individuals.
  • Reduced Identity Verification Burdens - The proposed changes require healthcare providers and health plans to submit individual access requests to the other healthcare provider and to receive back the requested electronic copies of the individual's PHI held in an electronic health record (EHR). Healthcare providers and health plans will have to respond to certain records requests when directed to do so by individuals under the right of access.

2. Transfer of PHI Data

Several amendments pertaining to the transfer of PHI data have been proposed. These include:

  • Individuals will be permitted to request their PHI be transferred to a personal health application.
  • Requests by individuals to transfer ePHI to a third party will be limited to the ePHI maintained in an EHR.
  • A proposed pathway for individuals to direct the sharing of PHI in an EHR format to third-party covered healthcare providers and health plans.
  • Proposed access to medical records held by a previous healthcare provider, with the patient's approval of the sharing given in a signed HIPAA form that clearly states what information is going to be transferred.

3. PHI Disclosure for Ancillary Healthcare Services and Management

  • Ancillary Healthcare Services - The proposed change states that covered entities may disclose PHI to entities that provide ancillary healthcare services in order to enhance support for individuals. This provision supports the interoperability rule by removing the barriers of obtaining individual authorization and consent required under the current Privacy Rule.
  • Healthcare Management - The proposed change expands the HIPAA rules on sharing patient information without explicit consent from the patient to the case management professionals who may need access to some patient information to help with the medical case. Covered entities are required to disclose PHI if it is in the best interests of the patient under a "good faith belief" standard, as opposed to the former standard of an "exercise of professional judgment".
  • Healthcare Emergency - The proposed change allows disclosure of PHI for the healthcare and treatment of individuals experiencing substance abuse disorders, serious mental health issues, and other health emergencies. Moreover, covered entities would be permitted to disclose PHI if there is a serious health or safety issue and a reasonable threat to life.

4. Changes to Notice of Privacy Practice

The proposed change eliminates the requirement that a covered entity must obtain an individual's signature or acknowledgment of the Notice of Privacy Practice (NPP). The proposed change also requires the NPP to include information about how individuals can access their information, file a HIPAA complaint, contact a designated representative, and exercise any of their rights.

5. Defined New Terms

The proposed new HIPAA Regulation adds definitions for "Electronic Health Record" (EHR) and "Personal Health Application" (PHA). This is to clearly define the rights of individuals and, in turn, to direct how a covered entity transmits PHI and provides access to it.


While the proposed changes are broadly acknowledged, there are concerns about the complexity they add and about entities having to navigate multiple overlapping and potentially conflicting regulations. However, it is important to understand that the proposed changes promote and support value-based care and remove barriers to coordinated healthcare.

Overall, the proposal helps reduce the burden on healthcare institutions and removes various obstacles to patients' right to access their health information. With these proposed changes to enhance the efficiency of healthcare, there is a lot to look forward to this year with regard to HIPAA Regulation-related developments and whether or not the new HIPAA regulation gets enforced. If you have any doubts or need assistance with HIPAA Compliance, we at VISTA InfoSec can help your team navigate the complex compliance process. We have been a part of this industry for nearly two decades, since 2004, and have the expertise and industry knowledge to guide you in the right direction. For more details about the HIPAA Regulation, you can check our blogs; for any queries regarding the regulation, you can drop us a mail at info[@]vistainfosec.com

Narendra Sahoo

Narendra Sahoo (PCI QPA, PCI QSA, PCI SSF Assessor, CISSP, CISA, CRISC, 27001 LA) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services, which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, and PDPB, to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.