HIPAA Changes Could Be Coming Soon

You can weigh in on proposed rules that could increase costs and threaten patient privacy.

Zack Perry, CEO of RRS Medical and president of AHIOS (Association of Health Information Outsourcing Services)

New rules on the sharing of protected health information have been proposed by the Office for Civil Rights of the Department of Health and Human Services.

You have until May 6 to act on the proposed rule changes.

While well-intended, these changes could open the door to privacy abuse and add administrative costs for healthcare providers. Use the resources on this page to better understand how these rules could affect your organization.

A Q&A with Zack Perry on Proposed HIPAA Rule Changes

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a notice of proposed rulemaking with changes to the Health Insurance Portability and Accountability Act (HIPAA). OCR is seeking feedback by May 6.

Q: What is at stake?

A: We think the fundamental security and privacy of patient data are at risk under the proposed rules. Patients want their healthcare information to stay private. Healthcare provider organizations want to keep patient data secure. These new rules create opportunities for the wrong people to get access to protected health information (PHI).


Q: What concerns you the most?

A: Under the proposed OCR rules, healthcare providers would have to respond to verbal requests from people or organizations that may or may not be who they say they are. Also, third parties who do not provide care to, or represent, that patient will have the ability to ask for PHI.


Q: Do the rules create other data threats?

A: Yes. The proposed rules allow third parties to request an electronic interface between electronic health records (EHR) and third-party applications. This could lead to large-scale data breaches, not to mention added IT time and cost for the healthcare provider.


Q: Is the change from a 30-day to a 15-day response period a good idea?

A: I think it is well-intended to want providers to respond to PHI requests in a timely manner. In many cases, however, a 15-day response may not be realistic. This is particularly true for smaller providers who don’t have the staff or resources to meet this accelerated timeframe.


Q: Are there inconsistencies between the new rules and current HIPAA rules?

A: The proposed rules do not bring the interoperability standard up to those created in the new Cures Act. This creates confusion around transferring ePHI between electronic systems. There are also inconsistencies in the payment rate that flow from inconsistent definitions.