Long-awaited proposed modifications to the HIPAA Privacy Rule are intended to support and empower coordinated care and patient engagement. The proposed changes set forth by the United States Department of Health and Human Services (HHS) are part of its Regulatory Sprint to Coordinated Care, which analyzes federal regulations that interfere with efforts to improve care coordination for patients. Overall, the proposed changes to the HIPAA Privacy Rule center on strengthening individuals’ access to their own health information, facilitating greater family and caregiver involvement, and giving individuals and their families access to their PHI during emergencies or health crises. They also reduce administrative burdens on HIPAA-covered providers and health plans. Though the proposed changes are pending (they are still open for public comment), we talked with healthcare lawyer Ayesha Mehdi, JD, MHSA, about what they may mean for healthcare practices.

What is driving the proposed HIPAA changes?

Mehdi: In our digital age, there is a movement toward making patient care and patient access to health records as seamless as possible. These changes reflect that, as well as the movement from volume-based fee-for-service care to value-based, patient-centered care. As a healthcare attorney, I look forward to these changes and so do my clients. They will reduce administrative and compliance burdens and make it easier to take care of patients.

What are the proposed changes?

There are quite a few proposed changes. The key items to note are:

a) The changes would facilitate greater family involvement in care for individuals dealing with health crises or emergencies.

b) Patients would have more access to their PHI. They would be permitted to view their PHI in person, take notes, and view and capture images of their records.

c) HIPAA’s covered entities will now need to be able to give individuals access to their PHI in 15 days instead of 30 days.

d) The changes would reduce the identity verification burden standing between patients and their PHI.

e) Individuals will be able to share PHI stored in an EHR with other healthcare providers and health plans.

f) The changes would specify cases where electronic PHI must be provided to individuals at no charge.

g) HIPAA-covered entities would be required to post estimated fee schedules on their websites for both PHI access and disclosures with an individual’s valid authorization, as well as provide individualized estimates of fees for an individual’s request for copies of PHI.

h) The modifications would no longer require individuals to provide written acknowledgement of a provider’s notice of privacy practices.

In my opinion, these proposed changes are a long time coming and will make it easier to coordinate care in emergencies and for families to access crucial records.

How should providers prepare for the changes? 

I recommend that practices stay aware of the changes and discuss them with their legal resources and compliance experts. I suggest reviewing the compliance of your EHR and any other places where you store PHI. It will be important that all patient data is stored in an EHR to allow seamless access for third parties. It will also be crucial to create a compliant process to ensure you can provide individuals their PHI within 15 days and that you have a clear fee schedule associated with accessing records posted on your website.

What do you think the impact of the changes will be? 

If enacted, the changes will allow covered entities to disclose PHI when they believe it is in the best interest of patients. This will be very crucial in health crises like the opioid epidemic and COVID-19. The changes will empower both providers and patients to access the data they need to enable seamless, high-quality care.

HIPAA has been around for 25 years and it has been some time since the last update. The world has changed and patient needs have changed; it’s time that the rule changed with it.


About Ayesha Mehdi, JD, MHSA

Mehdi is Partner at Spencer Fane. She works closely with physicians, other health care professionals, and other related businesses. Currently, she is the Vice Chair of the American Bar Association Health Law Section’s Fraud and Compliance interest group and an active American Health Law Association Member, which selected her to its Leadership Development Program in 2019. Mehdi serves as outside counsel for her clients and helps them reach goals related to physician employment, recruitment, mergers and acquisitions, and joint ventures. She also provides solutions for dealing with professional board complaints, reimbursement issues, and corporate compliance. Mehdi counsels clients on fraud and abuse, health information technology (HIT) and compliance, including the Stark II physician self-referral law, the Medicare/Medicaid anti-kickback statute, corporate practice and fee-splitting restrictions; anti-trust; health information privacy and security (HIPAA and HITECH Act); and health care reimbursement.