HHS Requests Public Input on Potential Changes to HIPAA Privacy and Security Rules


· 5 minute read

Request for Information on Modifying HIPAA Rules To Improve Coordinated Care, 45 CFR Parts 160 and 164, 83 Fed. Reg. 64302 (Dec. 14, 2018)

Available at

HHS has issued a request for information (RFI) soliciting public recommendations for modifying existing guidance, or developing new guidance, under HIPAA’s privacy and security rules. The RFI covers the following topics:

  • Information Sharing. The RFI includes questions about various aspects of the privacy rule’s disclosure provisions, with the goal of promoting information sharing for treatment and care coordination. The questions focus on individuals’ right to access their PHI—including the timing for covered entities to respond to requests and whether the deadline should be shorter when records are maintained electronically. Other questions address adoption of mandatory disclosure rules when health care providers—and possibly other covered entities, such as health plans—request PHI for purposes of treatment, payment, or health care operations (TPO).
  • Parents and Caregivers. The RFI notes anecdotal evidence suggesting that some covered entities are reluctant to disclose PHI to relatives of individuals facing health crises for fear of violating HIPAA. The RFI specifically mentions the opioid crisis and serious mental illnesses, and asks what privacy rule changes might facilitate treatment or involvement of family members and caregivers in an individual’s care. The RFI also addresses parent-child relationships, including access for parents with respect to their children and for adult children with respect to their parents. The RFI asks whether HIPAA’s deference to state law to identify personal representatives should be reconsidered and, if so, how to reconcile any changes with state-law requirements.
  • Accounting of Disclosures. HIPAA’s privacy rule requires covered entities to provide individuals, upon request, with an accounting of certain disclosures of their PHI but excludes TPO disclosures from the accounting requirement. In 2011, in response to a HITECH Act requirement, HHS proposed regulations that would create a new right to an access report (see our Checkpoint article). The RFI announces HHS’s intent to withdraw the proposal (which was widely criticized) and solicits public input regarding other ways to implement the requirement—asking, for example, how often and why individuals request accountings, how often they follow up after receiving an accounting, why they would request TPO accountings, what data elements should be included in TPO accountings, and whether TPO accountings should be limited to electronic health records.
  • Notice of Privacy Practices. The RFI asks whether the requirements for Notices of Privacy Practices can be made less burdensome, whether the model notices (see our Checkpoint article) are being used, and whether there are better ways to inform individuals of their HIPAA rights.

A catch-all question requests other suggestions for removing regulatory obstacles and reducing regulatory burdens. Public comments are due by February 12, 2019.

EBIA Comment: While many of the RFI’s questions bear more directly on health care providers than health plans, all covered entities and business associates can support the idea of modifying HIPAA rules that impose substantial burdens without a corresponding benefit to individuals. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XXVI.C (“Disclosures to Family Members, Close Personal Friends, and Other Persons Identified by the Individual”), XXVI.G (“Personal Representatives, Minors, and Spouses”), XXVII.B (“Right to Access PHI in Designated Record Set”), XXVII.D (“Right to Obtain an Accounting of Disclosures”), and XXVII.G (“Right to Receive Notice of Privacy Practices”).

Contributing Editors: EBIA Staff.