Quick Facts

  • Intends to strengthen an individual’s right under HIPAA to access their own medical records.
  • Implements a new “good faith belief” standard for the covered entity for uses and disclosures that are in the best interest of the individual.
  • Creates an exception to the minimum necessary rule for disclosures to or requests by a health plan or provider for individual-level care coordination or case management activities that constitute treatment or healthcare operations.
  • Modifies the existing HIPAA Notice of Privacy Practices.


On December 10, 2020, the Department of Health and Human Services (HHS) released a pre-publication version of a proposed rule (the “proposed rule”) that would modify the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule to better support care coordination and case management. The proposed rule builds upon public input solicited by HHS in 2018 as part of its “Regulatory Sprint to Coordinated Care.” The goal of the sprint was to reduce regulatory barriers that impede the delivery of coordinated, value-based healthcare and to “promote care coordination and facilitate a nationwide transformation to value-based healthcare.”


The 2018 Request for Information on Modifying HIPAA Rules to Improve Coordinated Care (RFI) solicited public input on 53 questions asking whether and how HHS could modify the HIPAA Rules to support care coordination and case management, and promote value-based care, while preserving the privacy and security of Protected Health Information (PHI). HHS received over 1,300 comments in response to the RFI, and the proposed rule represents its effort to address those comments and make proposed modifications to address the issues and concerns raised, including the individual right of access to PHI and the impact of use and disclosure requirements on care coordination activities/substance use disorder and mental illness.

Individual Access Rights

The proposed rule includes several provisions aimed at strengthening an individual’s right under HIPAA to access their own medical records, including reducing the identity verification burden prior to permitting access to records; allowing individuals to direct a covered entity to send their records to another covered entity; clarifying when electronic PHI (ePHI) must be provided to an individual free of charge; requiring covered entities to post fees for producing records on their websites; and strengthening an individual’s right to inspect their records in person. Importantly, the proposed rule would also shorten the response time for covered entities to respond to an individual’s request for access to PHI from the current 30 days to 15 calendar days (with the ability to request one 15-day extension).

Finally, the proposed rule would incorporate the findings of Ciox v. Azar to limit the scope of the right to direct the transmission of copies of PHI to a third party to ePHI in an electronic health record and would place modified fee limitations for this access right into the regulatory text.

Reducing Identity Verification Burden

To address complaints HHS has received about covered entities imposing burdensome verification requirements on individuals seeking to access their own PHI (e.g., requiring in-person access or notarized written requests), the proposed rule would modify the Privacy Rule to specifically prohibit overly burdensome verification measures. Specifically, the regulatory text would make it clear that unreasonable measures include those that “require an individual to expend unnecessary effort or expense when a less burdensome verification measure is practicable.” Examples of unreasonable measures given include requiring notarization of requests and requiring individuals to provide proof of identity in person when remote verification is more convenient and practicable.

Promoting Information Disclosure for Care Coordination and Case Management

The proposed rule also addresses concerns that health plans are not able to effectively use PHI for purposes of individual-level care coordination and case management activities because of fear that these activities do not fall under the “treatment, payment, and healthcare operations” exception. It would therefore modify the definition of “healthcare operations” to clarify that the term includes not only population-based care coordination/case management, but individual-level care coordination and case management activities as well. For this purpose, the proposed rule would also create an express exception to the minimum necessary standard under HIPAA for disclosures to or requests by a health plan or provider for individual-level care coordination or case management activities that constitute treatment or healthcare operations.

The proposed rule would also make it clear that covered entities are able to disclose PHI to social service agencies, community-based organizations, HCBS providers, or similar third parties that provide or coordinate health-related services that are needed for care coordination and case management with respect to an individual.

Promoting Parental and Caregiver Involvement and Addressing the Opioid Crisis and Serious Mental Illness

HHS notes that covered entities are reluctant to disclose PHI to family members and other caretakers of individuals facing health crises, including mental illness and substance use disorder, because they are afraid of violating the Privacy Rule. This impedes the ability to assist in treatment/recovery and better coordinate care for individuals experiencing these issues and health-related emergencies. The proposed rule would amend the Privacy Rule to replace the existing “exercise of professional judgment” standard for such disclosures with “a good faith belief” standard by the covered entity that uses and disclosures of PHI are in the best interest of the individual. This new standard would apply to verifying identities and to disclosures made to parents/guardians who are not the individual’s personal representatives, emergency contacts, and in emergencies/when the individual is incapacitated. It would also replace the existing “to lessen a serious or imminent threat” standard with a “serious and reasonably foreseeable threat” standard for making a disclosure to lessen a threat.

Changes to the Notice of Privacy Practices

HHS proposes to modify the required content of the Notice of Privacy Practices (NPP) to:

  1. Specify to individuals that the NPP provides information about how to access their information; how to file a complaint; and the right to receive a copy of the notice and discuss its contents with a designated person. (The language would need to specify whether the designated contact person is available onsite and must include a phone number and email address.)
  2. Describe how an individual can exercise the right of access to obtain a copy of their records at limited cost or, in some cases, free of charge.
  3. Inform individuals of alternatives for obtaining or requesting to send copies of PHI to a third party when the individuals seek to send PHI to a third party in a manner that does not fall within the access right.

Permitting Disclosures by Telecommunication Relay Services (TRS)

HHS proposes in 45 CFR 164.512(m) to expressly permit covered entities (and their business associates, acting on the covered entities’ behalf) to disclose PHI to TRS communications assistants to conduct covered functions. This permission would cover all disclosures to TRS communications assistants, including communications necessary for care coordination and case management, relating to any covered functions performed by or on behalf of covered entities. HHS also proposes to add a new subsection (v) to 45 CFR 160.103(4) to expressly exclude TRS providers from the definition of business associate.

Armed Forces

To address concerns that the Privacy Rule limits the ability of the U.S. Public Health Service (USPHS) Commissioned Corps and the National Oceanic and Atmospheric Administration (NOAA) Commissioned Corps to facilitate healthcare coordination and case management for Commissioned Corps personnel, which is important for ensuring that personnel meet medical readiness standards, the proposed rule would expand the Armed Forces permission to use or disclose PHI to all uniformed services, including the USPHS and NOAA Commissioned Corps.


Comments on the proposed rule will be accepted for sixty (60) days following publication of the rule in the Federal Register, which was on January 21, 2021. The effective date of the regulations would be 60 days after publication of the final rule, followed by a 180-day compliance period. Employers should watch for the final rules and pay attention to any required compliance steps. While many of the proposed changes would primarily impact covered entities such as providers and health insurers, there are certainly potential impacts (e.g., changes to response timeframes for individual access requests and changes to the content of the NPP) that would also impact employer-sponsored group health plans.



EPIC offers this material for general information only. EPIC does not intend this material to be, nor may any person receiving this information construe or rely on this material as, tax or legal advice. The matters addressed in this document and any related discussions or correspondence should be reviewed and discussed with legal counsel prior to acting or relying on these materials.


