According to the agency, the changes to the Health Insurance Portability and Accountability Act would also enable greater family and caregiver involvement in the care of individuals experiencing emergencies or health crises. The proposed rule would also boost flexibilities for disclosures in emergency or threatening circumstances, including the opioid crisis or COVID-19 public health emergency. HHS said it would cut administrative worked for HIPAA covered providers and health plans too.
"Our proposed changes to the HIPAA privacy rule will break down barriers that have stood in the way of commonsense care coordination and value-based arrangements for far too long," HHS Secretary Alex Azar said in a statement.
Comments on the proposed rule are due in February.
"The Trump administration is empowering patients with greater access to their health information and is lifting unnecessary regulations weighing down the healthcare industry," OCR Director Roger Severino said in a statement.
President-elect Joe Biden takes office next month, making it unlikely the proposed rule would take effect without significant changes.
"These are very bipartisan and very common sense reforms … that have been a long time coming," HHS Deputy Secretary Eric Hargan said during a call with reporters. He hopes the Biden team sees the proposed rule as something "they can make part of their own legacy."
Some providers are cautiously optimistic about the proposed changes.
"The proposed rule addresses many of the HIPAA issues that have been identified over the years which have become barriers to care. However, it will take time to better understand all of the proposed rule's nuances and the impact it could have on patients and providers," said Ivy Baer, senior director and regulatory counsel of healthcare affairs at the Association of American Medical Colleges, in an email.
The proposed rule would add definitions for the terms "electronic health record" and "personal health application." It would also make several changes to individuals' right to access personal health information, like shortening covered entities' required response time from 30 to 15 days and giving patients more control over their health information.
"We think (the 30 days) is a relic of a pre-internet age that should be dispensed with," Severino said during a call with reporters.
In addition, covered entities would be able to use or disclose some patient health information if they think it's in the patient's best interest. The current rules allow providers and health plans to base those decisions on their "professional judgment."
Severino said, "family and caregivers are some of the best resources to help people get out of an opioid crisis. Yet some doctors are afraid to share information with loved ones for fear of violating HIPAA." He said the move would allow providers acting in good faith to share patient health information related to opioid use, even if they don't have training in substance abuse treatment. It gives cover to providers excluded from a rule approved by the Substance Abuse and Mental Health Services Administration this summer.
"Expanding the ability of covered entities to disclose (patient health information) to avert a threat to health or safety when a harm is 'serious and reasonably foreseeable,' instead of the current stricter standard which requires a 'serious and imminent' threat to health or safety," according to the rule.
Severino said the agency wants to change the standard because it doesn't want medical providers to "second guess themselves" when they know there's a threat to an individual or others, such as when someone is considering suicide. The suggested standard would make it easier for providers to share health information about a patient's suicidal ideation with police or others without running afoul of HIPPA because they wouldn't have to worry whether the threat was "imminent," according to Severino. It could also smooth care coordination for COVID-19 patients.
The Trump administration expects the proposed changes would significantly reduce administrative work for providers. Under the proposed rule, providers would no longer have to get patients to sign a notice of privacy practices. They would only have to give such information to patients.
Severino said the signature requirement is "a tremendous waste of time and effort that has caused mass confusion, and has not fulfilled the original, intended goal." He added that patients often think they're agreeing to sign over their rights rather than acknowledging they understand those rights. According to HHS, the full proposed rule would save $3.2 billion in administrative costs over five years.
"We are clarifying through this rule that providers must have a fee schedule posted and publicly available, so people know what it costs to get their own records," Severino said.
Congress passed HIPAA into law in 1996, so it largely predates most online and mobile services. It also excludes health information created or managed by patients, which has created barriers to digital health.
Patient advocates, providers, health plans, technologists and others have spent years calling for updates to healthcare privacy and security rules. But there hasn't been much progress because there's widespread disagreement about how to change them. A complete overhaul of HIPAA would require Congress to act, which seems unlikely for now.