How Proposed Changes to HIPAA Could Impact Your Organization


If medical records are part of your daily life, so is HIPAA, along with the ever-changing regulations around patient data, privacy and security. Significant changes to HIPAA have been proposed through an NPRM, with a final rule expected at the end of this month. So what does this HIPAA news mean for healthcare organizations, and how could the proposed changes affect day-to-day operations and the handling of protected health information (PHI)?

What is an NPRM?
NPRM stands for Notice of Proposed Rulemaking. It is the mechanism by which a federal agency announces a proposed new rule, or a change to an existing one, and invites public comment before the rule is finalized. An NPRM can come from any federal agency and relate to any federal regulation. In this blog, we’re focused on the NPRM published in January of 2021 by HHS, titled ‘Proposed Modifications to the HIPAA Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement,’ 86 Fed. Reg. 6,446. Finalization of this NPRM has been delayed before; the final rule was originally expected in October 2022.


The NPRM in question is nearly 400 pages long, so if you need something to put yourself to sleep tonight, feel free to go ahead and dive in. You can read the entire document here. 

But if you’re not looking for a sleep aid, we’ve taken the liberty of reading, re-reading and dissecting the HIPAA NPRM so you don’t have to. The bottom line? Most of it focuses on definitions, scope and deep dives into regulatory language. However, there are several key points that could drastically influence how medical records are handled in relation to third parties, potentially shifting costs and burdens to healthcare organizations and patients while putting PHI at risk.

What are the key proposed changes/implications that you should know?

  1. A significant policy shift could open the floodgates for third parties to obtain patient data without adhering to HIPAA protections.
  2. This shift could potentially allow certain commercial requestors of medical records to apply access rights that are intended for patients, altering provider obligations, costs and privacy protections.
  3. A proposed change would require oral requests to be accepted for medical records.
  4. New definitions in the NPRM create confusion with existing regulatory definitions.

We will break down each of these proposed changes below in more detail.

1. No HIPAA Protections for PHI Transmitted to Third Parties.

The focus of this NPRM is access. And that’s an excellent goal. Patients have a right to access their data as they see fit, and access generally contributes to improved patient outcomes. However, in the name of access, is the NPRM opening the floodgates on protected health information (PHI)?

Patients don’t usually think about how third-party apps interact with their private health information, especially when these apps often operate in the background once a user has downloaded them. For example, how many of us wear a tech-enabled watch that can check our heart rate and then report back on that information? Did I authorize that smart watch to distribute my data? Can the app developer sell my data? Who knows! There was most likely a link to some very small, lengthy fine print about how my health data could be used that no one ever reads. In fact, the President of the Center for Democracy & Technology recently calculated that it would take consumers 244 hours each year to read all the terms and conditions for their apps and subscriptions.

It’s a common misconception among patients (and even many in the healthcare industry!) that HIPAA protections extend to third parties such as digital health apps. They generally do not: HIPAA applies to covered entities and their business associates, and a consumer health app that a patient chooses for themselves, and that is not acting on behalf of a covered entity, is usually neither. While the NPRM requires an organization to send a patient’s PHI to the health app of that patient’s choice, it does not address the fact that these apps are not covered by HIPAA, and that’s exactly the problem. The NPRM as proposed today provides no protection or enforcement mechanism once PHI reaches one of the growing number of third-party digital health apps operating outside of HIPAA.

2. Shifting Cost Structure for Medical Records Management.

Protecting private health information comes with a significant (but necessary) cost. Developing, managing and following a clearly defined and compliant process for releasing medical records is complex. The technology built to navigate that complexity and to keep privacy intact is often expensive to develop and maintain, especially amid growing cybersecurity threats and ever-evolving artificial intelligence.

Despite these costs, patients need access to their records, and at HealthMark we believe the cost of obtaining records should not be passed on to the patient. However, federal law does allow organizations to charge a small fee to patients for their records, commonly known as the “patient rate”. Limiting this discounted patient rate to patients and their care team is necessary to keep costs negligible.

The NPRM as currently proposed would allow third parties to exploit the patient rate for purposes having nothing to do with a patient’s healthcare. What exactly does that mean? The fees charged to insurance companies, lawyers and other non-patient requestors could be capped at the negligible patient rate, forcing organizations to find another way to offset the high cost of medical records release management. Think about it like this. You’re invited to lunch by a colleague, who says she will pay. Your lunch is free. But someone has to pay the bill. The cost of the lunch doesn’t go away; it just shifts to someone else. If third-party requestors no longer have to bear the cost of their commercial business activities, it will raise the cost for patients and providers who need records for care-based activities. Someone has to pay for lunch, and as proposed, the NPRM would leave patients and providers with the check.


The other major concern here is the inherent risk of the commercialization of patient data. As we discussed in the first point above, a number of commercial entities are not covered by HIPAA, leaving patient data vulnerable for ad targeting or worse. The news has been replete with examples of commercialization lately, including this recent testimony before Congress that highlighted telehealth companies selling patient prescription data to pharmaceutical companies for advertisements. And once data has been commercialized, there’s no putting that data genie back into its bottle.

3. Oral Records Requests & Authorizations.

In general, healthcare (and life) operates with an understanding that for something to be legally binding, it must be in writing. Whether it’s an authorization for your kid’s school field trip or an email that you’d like to make an offer on a house – paperwork and paper trails (including the digital varieties) are the glue that holds legal documentation together.

Yet this NPRM would allow patients to request and authorize the release of information verbally, requiring only that the request be clear, conspicuous and specific. Um, what? The NPRM does not define how “clear, conspicuous and specific” is to be judged for a spoken request, and the Privacy Rule’s existing requirement that a covered entity verify the identity and authority of the person making a request (45 CFR 164.514(h)) would still apply. That leaves organizations responsible for verifying a requestor who has left no written trail. Beyond that, allowing a simple oral authorization runs against the general expectation in business operations that a binding authorization is documented.

But the bigger concern is that this allowance for verbal requests would make it easier for people to impersonate patients and requestors, possibly to misappropriate medical records or patient identities. Members of AHIOS, including HealthMark, routinely experience and defend against these impersonation attempts by bad actors today, and if verbal requests are explicitly allowed as proposed in the NPRM, this problem will only increase.

4. Inconsistent Definitions & Terms.

With the patchwork of regulations related to healthcare data, privacy and security comes a patchwork of key terms, definitions and assumptions. We’ve focused on major changes in the NPRM for this blog, but this point highlights a missed opportunity for HHS to provide much-needed clarity for regulatory vernacular.

The NPRM uses different language than other established regulations to describe the same thing. For example, this NPRM prohibits “unreasonable measures” that impede a patient’s access to PHI, which addresses the same issue as the Information Blocking Rule in the Cures Act. The objective here is undeniably positive: as a healthcare community, we should be actively promoting interoperability and improving (secure) access to patient data. Because the Information Blocking Rule has already established more detailed guidance around interoperability, the NPRM (and any other related regulations, for that matter!) should explicitly adopt that same definition for clarity and consistency.


In summary, improving patient access is getting a lot of attention from HHS in this NPRM. But there are concerns that as currently proposed, the NPRM could weaken patient privacy protections and place additional administrative burdens onto healthcare providers, as mentioned in this Health IT Leadership whitepaper. The balance between access and privacy will always be a challenge, and if there were an easy answer, we would have figured it out long ago. At the time of publication, we don’t know what will be in the final rule. What we do know is that we have to keep talking about this balance between privacy and access, and keep working towards a better solution.

The good news is that you’ve already taken the initiative to stay educated around HIPAA news, just by reading this blog. Go ahead and give yourself a pat on the back.

So now what? This is all pending final adoption, so staying up to speed is key.

Want to be the first to know what the final adoption looks like? Sign up to get the final update delivered right to your inbox.

And if you’ve thought about outsourcing your record release processes, consider these seven reasons to shift the administrative burden of release of information to an expert vendor.
