Proposed changes to an individual (patient’s) right of access, part 2

Feb. 16, 2022 / By Kelly Long, BS, CPC, CPCO, CAPM

The intent for an individual’s right of access to their protected health information (PHI) is to allow the easing of some administrative requirements, the removal of certain provisions of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule that have not been optimal for coordination of care, and to reduce regulatory burden. In part two of my blog series, we will delve into disclosures and exceptions which are documented in detail in the Federal Register Volume 86. Part one of my blog series can be found here: “Proposed changes to an individual (patient’s) right of access.”


The Privacy Rule standards address the use and disclosure of an individuals’ health information. This health information must be properly protected while still allowing for the flow of health information needed to provide quality coordination of care. Although The Privacy Rule is intended to be flexible and comprehensive to cover the variety of disclosures yet there is always room for improvement and the proposed disclosure changes are the following:

  • Requires covered entities to provide access “as soon as practicable,” but no later than 15 days after receiving a patient request. Patient’s right to access and obtain copies of their PHI and the time frame for responding to those requests is currently 30 days.
  • Requires covered entities to allow patients to take notes, videos and photographs during an appointment at no cost to the patient.
  • Removes the requirement to obtain written confirmation of receipt of an organization’s notice of privacy practices.
  • Proposes exceptions to the minimum necessary standard for disclosures of PHI.
  • Changes to HITECH Act requirements for the accounting of disclosures of PHI for treatment, payment and health care operations.
  • Encourages of information sharing for treatment and care coordination where covered entities would be permitted to disclose PHI to social services agencies, home and community-based service providers, community-based organizations and other third parties that provide health-related services for individual-level care coordination and case management.
  • Proposes changes to the privacy rule to make sharing PHI with other providers mandatory rather than permissible.
  • Proposes expansion of health care clearinghouses’ access to PHI.
  • Creates pathway for individuals to direct the sharing of PHI maintained in an electronic health record (EHR) among covered entities.
  • Relaxes PHI standards that address opioid use allowing providers under good faith to disclose PHI for the best interest of the individual. Regarding substance use and serious mental illness, the proposed expansion will allow covered entities to disclose PHI information when harm is serious and reasonably foreseeable instead of requiring there be a serious and imminent threat to health or safety.
  • Expands the Armed Forces permission to use or disclose PHI to all uniformed services.

Information blocking exceptions: The Office of the National Coordinator for Health Information Technology (ONC) published a final rule that implements the statutory definitions of the information blocking provision and finalizes the proposed eight reasonable and necessary activities (referred to as exceptions). These exceptions are considered reasonable and necessary activities that do not constitute information blocking. “Health care providers,” “health IT developers of certified health IT,” or “health information network or health information exchange” as defined in 45 CFR 171.102 are all subject to the information blocking regulations in 45 CFR part 171. For this blog, I will reference them as “providers.”

Health care providers will not be required to provide access, nor be penalized for doing so, if any of the following eight exceptions apply:

  • Preventing harm exception – Public interest in protecting patients and other persons against unreasonable risks of harm can justify practices that are likely to interfere with access, exchange or use of PHI.
  • Privacy exception – If the provider is permitted to provide access, exchange or use of PHI under a privacy law, then they should provide that access, exchange or use. However, a provider should not be required to use or disclose PHI in a way that is prohibited under state or federal privacy laws.
  • Security exception – Intended to cover all legitimate security practices by providers, but does not prescribe a maximum level of security or dictate a one-size-fits-all approach.
  • Infeasibility exception – Legitimate practical challenges may limit a provider’s ability to comply with requests for access, exchange or use of PHI.
  • Health IT performance exception – It is recognized that for health IT to perform properly and efficiently, the health IT must be maintained and in some instances improved, which may require that health IT be taken offline temporarily.
  • Content and manner exception – Clarity and flexibility given to providers concerning the required content of a provider’s response to a request to access, exchange or use PHI and the way the provider may fulfill the request. This exception supports innovation and competition by allowing providers to first attempt to reach and maintain market negotiated terms for the access, exchange and use of PHI.
  • Fees exception – Allows providers to charge fees related to the development of technologies and provision of services that enhance interoperability, while not protecting rent seeking, opportunistic fees and exclusionary practices that interfere with access, exchange or use of PHI.
  • Licensing exception – Allows providers to protect the value of their innovations and charge reasonable royalties to earn returns on the investments they have made to develop, maintain and update those innovations.

I hope this information proves beneficial and can offer you a clear and concise look into the HIPAA changes that are still anticipated in 2022, which will certainly impact us not only as health care workers but also as patients.

Kelly Long is a compliance and security program coordinator with 3M Health Information Systems.

How do you ensure coding accuracy and compliance?