What To Know About Proposed HIPAA Changes

Beth Plumptre
December 15, 2023

For 4 out of 5 office-based physicians nationwide, information detailing everything from a patient's name and date of birth to medical history and test results is readily available via electronic health records (EHRs). These records are the foundation of coordinated care, but their valuable and sensitive content makes privacy and safety core concerns of a trustworthy patient care system.

The Health Insurance Portability and Accountability Act (HIPAA) was designed to establish standards and regulations for protecting patient data. While the current rules ensure that medical records receive necessary protection, new proposed HIPAA privacy rules are set to enhance patient welfare.

What is the HIPAA Privacy Rule?

The Privacy Rule, formally recognized as the ‘Standards for Privacy of Individually Identifiable Health Information’, set up the nationwide standards for health information exchange. These standards are necessary to coordinate patient care, as health information typically cascades through clinical and administrative personnel, plus affiliated officials who ensure the smooth running of affairs in the healthcare industry. Under the Privacy Rule, these individuals are grouped into ‘Covered Entities’ and ‘Business Associates’. 

As Covered Entities, healthcare providers like doctors, clinics, and psychologists are mandated to use and disclose patient data to guarantee safety. This entity net spreads to health plans where health insurance companies, HMOs, plus corporate insurance structures must reflect the same standards. Also under this rule are health clearinghouses that process health information exchange between healthcare organizations.

On the other end are Business Associates (BA) of Covered Entities. These include health information technology companies that manage the storage, transmission, or processing of electronic health information (EHI), plus medical billing services, or even legal and accounting services. 

Under the Privacy Rule, patients have the right to request copies of their information, and call for corrections if there are discrepancies. Trust is central to clinical practice, with patients reporting higher satisfaction with treatment, beneficial health behaviors, fewer symptoms, plus higher life quality.

Focusing on regulations like the Privacy Rule directly impacts patient trust in the health system, and can influence treatment outcomes. Where organizations violate the HIPAA rules, patients have a right to the HHS Office for Civil Rights

Background on Changes to the HIPAA Privacy Rule

While HIPAA law has transformed privacy practices across the health domain, Covered Entities often have to weigh benefits against the demands. Under the current privacy rule, a covered healthcare provider must meet administrative requirements to develop and execute privacy policies, carry out security risk assessments, counsel patients on privacy risks, plus issue Notices of Privacy Practices that inform patients of how personal health information will be used or disclosed.

To determine the changes necessary to upgrade the impact of the Act, the Office for Civil Rights issued a Request for Information (RFI) in December 2018. The OCR sought comments from HIPAA-Covered Entities about possible changes to HIPAA Rules in 2019 and beyond, which were mostly concerned with easing the administrative burden and removing specific provisions of the HIPAA Privacy Rule that have been limiting or discouraging the coordination of care. The comment period closed on February 12, 2019. However, the changes made were minor, without catering to the major changes requested by stakeholders.

In 2021, the OCR again sought comments on proposed rule changes. Some of the aspects under consideration were patient rights to access and obtain copies of their protected health information and the time frame for responding to those requests (currently 30 days), easing of restrictions on disclosures of PHI without authorization, plus changing the Privacy Rule to make sharing PHI with other providers mandatory rather than permissible.

The OCR, taking these comments into account, will be publishing the Final Rule. However, these changes won’t become binding immediately. The effective date for the new HIPAA rules will be 60 days after publication, and healthcare organizations will have another 180 days before enforcement begins.

Proposed Changes to the HIPAA Privacy Rule

On April 12, 2023, the Office for Civil Rights issued a Notice of Proposed Rulemaking (NPRM) to reflect new HIPAA rules that strengthen reproductive health care. These new rules were proposed in response to the Supreme Court opinion in Dobbs v. Jackson Women’s Health Organization, where Regulated Entities are now required to disclose PHI related to reproductive health to law enforcement under the Privacy Rule.

Under this rule, patients have broader rights to protect their privacy in the use and disclosure of records on substance use disorder (SUD). This Proposed Rule seeks to preserve patient rights and interests by preventing a covered healthcare provider from disclosing health information when care is provided legally.

In addition to safeguarding reproductive health information, this rule also proposes to enhance patient access to their protected health information. Now, patients can adopt personal resources like a smartphone to capture personal medical records. 

This information is readily available in formats like ePHIs requested via secure, approved Application Programming Interfaces (APIs). Patients can then share the information directly with the relevant players involved in patient care.

This access will also come at an accelerated timeline, with a shortened frame of 15 days and an optional 15-day extension following PHI requests. In response to the administrative challenges of the current HIPAA Privacy Rule, the proposed rule has recalled the need for healthcare providers to document their attempts to procure the patient’s written acknowledgment of their Notice of Privacy Practices.


HIPAA Privacy Rule changes reflect the evolving attempts to center the patient in care delivery, and push the boundaries of efficiency in the health ecosystem.

While at the proposal stage, these new rules paint a compelling picture of interoperability and patient care in the years to come.
