Renovating the HIPAA Privacy Rule – Modifications and Comments

by | Jun 1, 2021 | Advocacy

The HIPAA Privacy Rule has been around a long time – almost 20 years.  Since 2003, when the United States Department of Health & Human Services (HHS) created it, it hasn’t been updated it at all.  However, it needs renovation!  Thankfully, changes are coming.  In 2018, HHS took the first visible step toward Privacy Rule modifications.  At that time, they asked the public for input on various concerns.  Then, earlier this year, HHS posted the actual proposed changes.

In this article, we look at the proposed modifications from the viewpoint of caregivers.  

Why HIPAA Privacy Rule modifications are needed

Caregivers are valuable and need support

Caregivers highly benefit their loved ones with mental health conditions.  In 2020, a report from HHS’s Substance Abuse and Mental Health Services Administration even specifically noted “… the vital role families and nontraditional partners outside the mental health system can play in improving mental health outcomes…” (Section II, p. 16). And, caregiving is not uncommon.  In a 2016 presentation, the National Alliance for Mental Illness declared that 8.4 million Americans care for an adult with an emotional or mental health issue.  Also, they presented research showing that about a third of those people care for a loved one for over 10 years.  These family members need to know how to help their loved ones recover and thrive.  And, HIPAA needs to support their mission.


HIPAA Privacy Rule problems

HIPAA provides ways for doctors to share information with caregivers.  However, health care systems often needlessly prevent the flow of patient information to families. Sometimes, this happens because providers misunderstand the HIPAA Privacy Rule.  Other times, they interpret it too strictly.  Often, that happens when providers are overly concerned about being fined for violating HIPAA.


Solutions through modifications

To combat this problem, the HIPAA Privacy Rule must become clearer in stating when Protected Health Information (PHI) may be shared.  Changes should lead to a decrease in providers’ fears of violations and fines.  Going further, the Privacy Rule should encourage health care providers to make caregivers an integral part of their loved one’s recovery team.  That should be the case whenever it is in the best interest of the patient.

With the right changes, the intent of HIPAA – to protect the patient – can become reality.  Thankfully, HHS’s proposed modifications offer the opportunity to comment on these issues.

Proposed HIPAA Privacy Rule modifications that are important to caregivers

On January 21, 2021, HHS Office of Civil Rights (OCR) released its Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement.  They posted this official Notice of Public Rule Making (NPRM) in the Federal Register.  There, they also told people how to submit comments, which were due May 2021. At that time, HHS OCR also posted a fact sheet that summarized the key points in the NPRM.  Three of the eight main points relate to sharing information with families/caregive

1. Disclosures of PHI in the Best Interests of Individuals Experiencing Emergencies or Health Crises, Including Serious Mental Illness and Substance Use Disorder Crises

Currently, health care providers are permitted to share patients’ PHI, or Protected Health Information, in certain crisis or emergency situations.  However, they can only do this if their “professional judgment” says it would be in the best interest of the patient.  In some cases, that term “professional judgment” can get in the way of involving families.  For instance, a nurse or front desk attendant may not feel that they are qualified to make a “professional judgment” about the best interests of a patient.  So, HHS suggests that the words “professional judgment” be replaced with “good-faith belief.”  This should increase the comfort level of health care providers, especially staff, in sharing appropriate PHI with loving friends and family members. This section of the NPRM also asks the public whether HIPAA should widen the circumstances under which a health care provider can share PHI.  Specifically, the case is when providers believe it would be in the patient’s best interest to involve the family, but the patient does not agree.  

2. Disclosures to Prevent Harm or Lessen a Threat of Harm

HHS’s proposal about “threat of harm” would also make it easier for doctors to share information without patient consent.  In this instance, the current HIPAA language says that harm must be “serious and imminent” before health care providers may disclose PHI without consent.  The problem is that doctors cannot read minds.  There is no way for them to know for certain that a threat is imminent.  Therefore, they sometimes hold back information. As a result, HHS suggests changing “serious and imminent” to “serious and reasonably foreseeable.”  With this change, HHS believes that health care providers will feel more comfortable reporting a threat of harm.  That’s because they should have less fear of being accused of violating HIPAA and being fined.  And, that should lead to more communication with families.  

3. Disclosures to Facilitate Care with Social and Community Services

This proposal would allow doctors and other providers to share a patient’s PHI with more agencies than under the current HIPAA rule.  Specifically noted are “social services agencies, community-based organizations, home- and community-based service … providers, or similar third parties that provide or coordinate health-related services that are needed for care coordination.”  To us, that sounds like it should include families caring for their loved one with a mental health condition.  

HIPAA for Caregivers’ comments for the United States Department of Health & Human Services (HHS)

In late April 2021, HIPAA for Caregivers submitted comments to HHS.  The comments address the points in the NPRL that are directly relevant to caregivers.  Also, you can download a pdf of all our comments for HHS on our Advocacy page.

We completely support the straightforward proposals that make it easier for providers to share information in times of crisis and threat.  And, we agreed that doctors should be allowed to go further when consent has not been given.  They should be able to disclose information to caregivers when they believe, in good faith, that the disclosure is in the patient’s best interests.

In addition, we think the proposal related to social and community services has great potential.  That point opened a door to argue that the Privacy Rule should clearly note caregivers as part of the coordinated care team.  Supporting that idea, the NPRM includes definitions of care coordination from several respected organizations.  For instance, the NPRM quotes the Centers for Medicare & Medicaid Services (CMS) and the National Quality Forum (NQF).  Importantly, the CMS and NQF definitions include families as part of care coordination.  Because HHS itself recognizes families as connected to care coordination, we ask that OCR also clearly state the same thing in the HIPAA Privacy Rule.  If adopted, such a change should make it much easier for caregivers to obtain treatment and payment information from doctors.

How to find public comments about HHS’s proposed HIPAA Privacy Rule modifications

Soon, HHS OCR will publicly post the comments they received in response to the NPRL.  You can find the comments by doing the following:


    • Enter hhs-ocr-0945-aa00 in the search bar.  This is the docket ID for the NPRM for the HIPAA Privacy Rule modifications.
    • Even though hhs-ocr-0945-aa0 is the docket ID, the web page opens to the Documents tab.  That’s because most users are seeking documents.  The three tabs available, horizontally, are Docket, Documents, and Comments.
    • A box on the left, just below “Document ID,” is labeled “Comments Received.”  The public posted 1,436.
    • As HHS posts comments, the number posted appears in a small circle on the Browse Comments tab.  As of June 1, 2021, only one comment was listed.  And, it had actually been withdrawn.  As a result, the message that remains is, “There are no documents available to view or download.
    • Individuals or organizations who posted comments received an email confirmation from HHS that includes their Comment Tracking Number.  They can see whether or not their comment has been posted by entering that number in the search bar in the Federal Register home page.

    Timeline for HHS Decisions about HIPAA Privacy Rule modifications

    A March 2021 article in the HIPAA Journal suggests that the final rule changes may come either by the end of 2021 or early in 2022.