Proposed Changes to the HIPAA Privacy Rule


Is Your Healthcare Organization Ready for the Proposed Changes to the HIPAA Privacy Rule?

In January 2021, the OCR published a Notice of Proposed Rule Making (NPRM) to modify the HIPAA Privacy Rule. One proposed change is a recommendation to strengthen an individual’s right to access their health information. 

Among other proposed updates to the Individual Right of Access, this proposed modification would shorten the time a Covered Entity has to respond to an individual’s medical record request from 30 days to 15 calendar days, with the possibility of one 15-calendar-day extension.

This is a significant change for many Covered Entities, as we continue to see an increased focus on Patient Right of Access from the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR).

This week, in an effort to increase compliance, the OCR announced three additional settlements with Covered Entities specific to Patient Right of Access, bringing the total number of cases to 41. The primary complaint from individuals is a lack of timeliness in receiving records. As evidenced by continuing investigations, numerous Covered Entities are not providing access within the current 30-day requirement.

The three most recent enforcement actions carry fines ranging from $25,000 to $80,000, and in each case, the Covered Entity has implemented a Corrective Action Plan.

We encourage health care providers to familiarize themselves with the proposed changes and begin preparing workflows and policy updates in order to be compliant with the current HIPAA requirements and proposed changes.

Learn more about the resolution of three investigations concerning potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule’s patient right of access provision here:

Kinsey Tickell

Kinsey Tickell, CPCO, HCISPP, joined Edafio Technology Partners in 2018 to support client operations in healthcare delivery and HIPAA policy improvement. Kinsey brings 13 years of healthcare experience, including leading and training healthcare operations teams and consulting on value-based programs and HIPAA policy. While working alongside cybersecurity professionals, Kinsey developed a special passion for the field and obtained her Healthcare Information Security and Privacy Practitioner certification. She began her focus on working with clients on HIPAA Privacy and Security awareness and compliance. Her role at Edafio includes running and consulting on security awareness programs, policy development, risk assessments, and risk management plans. Kinsey earned a bachelor’s degree in Business Management from the University of Phoenix and a master’s degree in Human Services in 2017 from Liberty University. She is also a Certified Professional Compliance Officer and volunteers with a local organization, Second Chance Ranch, which supports local children in foster care.