Could HIPAA Changes Weaken Patient Privacy?

Proposed changes to the HIPAA Privacy Rule could weaken patient data privacy protections, say Rita Bowen and Zachary Perry of the Association of Health Information Outsourcing Services.

A notice of proposed rulemaking from the Department of Health and Human Services was published in the Federal Register in January (see: HHS Reveals Proposed Changes to HIPAA Privacy Rule). On Tuesday, HHS' Office for Civil Rights announced an extension of the deadline for the public to submit comments on the proposed changes to May 6. The changes will be finalized once comments have been reviewed.

HHS OCR says the proposed modifications aim to strengthen individuals’ rights to access their own electronic health information, including reducing the time from 30 days to 15 days for covered entities to fulfill patient requests for receiving copies of their health information.

HHS says other proposed changes aim to improve information sharing, facilitate greater family and caregiver involvement in the care of individuals experiencing emergencies or health crises, and enhance flexibilities for disclosures in emergency or threatening circumstances, such as the opioid and COVID-19 public health emergencies.

Weakened Privacy Protections?

Bowen and Perry, however, say that some of those proposed changes could weaken patient health information privacy protections.

"Some of the guardrails that currently exist under an authorization [to release information] seem to fall off because [the proposed rulemaking] seems to be advocating for more patient directives," Bowen says in a joint interview with Perry and Information Security Media Group.

For instance, modifications allowing healthcare entities to disclose certain health records without requiring a patient's authorization could potentially result in the unintended release of an individual's sensitive information to a third party.

"Those are guardrails that exist now that we would like to see continue for patients' protection of information," Bowen says.

Similar concerns surround potential changes involving patients' verbal requests for their health information.

"If someone is calling in on the phone, how do you know [the true identity] of the person claiming to ask for [their own] records?" Bowen asks.

"We don't want there to be a burden for people to get connected with their healthcare information," Perry says. "But there's also a commonsense approach to make sure we're not releasing information to the wrong party, or that we're not releasing more information than the patient would want released to a third party."

In the interview (see audio link below photo), Bowen and Perry also discuss:

• Potential challenges smaller healthcare entities could face in complying with the proposed HIPAA changes;
• Potential patient identity and authentication issues;
• Other possible privacy and security issues raised by the proposed changes.

Bowen is legislative and government affairs coordinator for the Association of Health Information Outsourcing Services. She also serves as vice president of privacy, compliance and health information management policy at MRO Corp., a health information management vendor.

Perry, president of AHIOS, also serves as the CEO of RRS Medical, a provider of secure health information exchange services. Previously, Perry spent 10 years in investment banking.