HHS proposes modifications to the HIPAA privacy rule

The US Department of Health and Human Services’ (HHS) Office for Civil RIghts (OCR) has announced proposed changes to the Health Insurance Portability and Accountability Act (HIPAA) privacy rule to remove regulatory barriers to coordinated care and to reduce burdens on the healthcare industry. The proposed changes to the HIPAA privacy rule include strengthening individuals’ rights to access their protected health information (PHI) and improving information sharing between healthcare providers and health plans. The proposed changes include the following:

  • strengthening individuals’ rights to inspect their PHI in person, which includes allowing individuals to take notes or use other personal resources to view and capture images of their PHI;
  • reducing the identity verification burden on individuals exercising their access rights; 
  • creating a pathway for individuals to direct the sharing of PHI in an electronic health record (EHR) among covered healthcare providers and health plans, by requiring covered healthcare providers and health plans to submit an individual’s access request to another healthcare provider and to receive the requested electronic copies of the individual’s PHI in an EHR; 
  • replacing the privacy standard that permits covered healthcare providers and health plans to make uses and disclosures of PHI based on professional judgement with a standard permitting, which means uses and disclosures of PHI by covered health organisations are permitted as long as it is based on good faith belief that such actions are in the best interests of the individual. 


The OCR seeks public comments from all stakeholders including patients and their families, health plans, health care providers, and consumer advocates. Comments are due 60 days after the publication of proposed modifications.