What the Proposed HIPAA Privacy Rule Changes Mean for Your Organization
The proposed HIPAA Privacy Rule changes aim to reduce friction in information sharing while strengthening individuals’ ability to get and direct copies of their records. For your organization, the shift centers on practical, day‑to‑day operations: faster responses to access requests, clearer pathways for disclosing protected health information (PHI), and streamlined collaboration with community partners.
Below, you’ll find what the proposal would change and how to translate it into health information privacy compliance steps you can start planning now.
Removing Barriers to Coordinated Care
What’s changing
The proposal clarifies that case management and care coordination count as “treatment” and “health care operations,” reducing hesitation to share PHI for these purposes. It also recognizes collaboration with social services and community-based organizations that support patients’ health-related needs (for example, housing, food, or transportation).
Operational impact
- Fewer delays in sharing information needed to coordinate services across providers and community partners.
- Clearer permission to exchange PHI for transitions of care, referrals, and value‑based activities.
- Better alignment between clinical workflows and community resource referrals.
Action steps
- Map current care‑coordination data flows and identify where the proposal would remove bottlenecks.
- Draft procedures that document “good‑faith” rationale for disclosures supporting coordination and case management.
- Train staff on when the minimum necessary standard applies versus when information may be shared for treatment.
Revising Notice of Privacy Practices
What’s changing
The Notice of Privacy Practices requirements would be updated to make patient rights easier to understand and exercise. The proposal would remove the need to obtain written acknowledgment of receipt while requiring clearer explanations of access options, formats, and fees.
Operational impact
- Shorter check‑in workflows without the acknowledgment step.
- Plain‑language explanations of how to request records, direct copies to third parties, and what fees may apply.
- Consistency across print, web, and portal versions of your Notice of Privacy Practices.
Action steps
- Prepare updated Notices and scripts that reflect the proposal’s emphasis on transparency.
- Ensure your contact channels (phone, email, portal) can actually fulfill what the Notice promises.
- Create easy‑to‑read summaries while keeping the full Notice available upon request.
Expanding PHI Disclosure Permissions
What’s changing
The proposal expands the circumstances in which PHI may be shared without authorization, permitting disclosure of PHI to care partners, social services, and certain third parties when it supports treatment or case management. It emphasizes a “good‑faith” standard for frontline decisions.
Operational impact
- Faster collaboration with non‑traditional partners that address social drivers of health.
- Clearer path to send limited PHI needed for referrals, eligibility, or enrollment in supportive programs.
- More predictable decision‑making at the point of care, reducing over‑restriction of data.
Action steps
- Update decision trees and disclosure logs to document good‑faith determinations.
- Differentiate partners that require Business Associate Agreements from those permitted to receive PHI without becoming business associates.
- Implement role‑based access and minimum‑necessary controls for operational disclosures.
Addressing Health Emergencies
What’s changing
The proposal clarifies the health‑emergency PHI exceptions, including a shift from an “imminent” threat to a “serious and reasonably foreseeable” threat standard for certain disclosures. It also reinforces permissions to share PHI with first responders, public health authorities, and caregivers when necessary to lessen a serious threat.
Operational impact
- Timelier information sharing during crises, disasters, and behavioral health concerns.
- Less ambiguity for frontline staff deciding whether to disclose PHI to protect health or safety.
- Better coordination with emergency management and public health partners.
Action steps
- Revise emergency disclosure protocols and on‑call scripts to reflect the “reasonably foreseeable” standard.
- Conduct tabletop exercises with emergency departments, security, and public health liaisons.
- Document any emergency disclosures and the facts supporting your good‑faith belief.
Enhancing Individual Access Rights
What’s changing
The proposal strengthens the right of access by shortening HIPAA Access Request Timelines to 15 calendar days (with one 15‑day extension), expanding in‑person inspection rights (including note‑taking and personal device photos), and streamlining the ability to direct copies to a third party. It adds fee transparency and encourages electronic fulfillment.
Operational impact
- Greater demand for same‑day or near‑real‑time fulfillment via portals, APIs, or secure email.
- Need for standardized, posted fee schedules and individualized cost estimates upon request.
- More requests to transmit records directly to caregivers, legal representatives, or apps.
Action steps
- Stand up a rapid‑response intake and tracking process that reliably meets the 15‑day deadline.
- Publish fee schedules and provide clear explanations of allowable, cost‑based charges.
- Offer multiple delivery options and document preferred formats for electronic health record transmission.
Clarifying EHR and PHA Definitions
What’s changing
The proposal clarifies “electronic health record” (EHR) for HIPAA purposes and defines “personal health application” (PHA) as an app used by an individual to receive PHI at the individual’s direction. PHAs are generally not HIPAA‑regulated; instead, HIPAA obligations remain with covered entities and business associates transmitting data to them.
Operational impact
- More patient‑directed electronic health record transmission to consumer apps via APIs or other secure channels.
- Clearer boundaries for your organization versus an individual’s PHA responsibility.
- Greater need to authenticate requesters while avoiding over‑burdensome verification steps.
Action steps
- Document your supported formats, endpoints, and processes for patient‑directed transmissions.
- Provide plain‑language notices explaining that PHI sent to a PHA may not be covered by HIPAA.
- Strengthen identity verification so that it is reasonable rather than obstructive, and aligned with the proposal.
Preparing Healthcare Organizations for Compliance
Readiness roadmap
- Governance: Assign accountable owners for access requests, disclosures, and Notice updates.
- Policies and procedures: Rewrite workflows for accelerated timelines, emergency disclosures, and coordination with community partners.
- Technology: Enable API‑based releases, secure email, and portal downloads to meet electronic delivery expectations.
- Training: Provide scenario‑based modules on good‑faith disclosures, health‑emergency PHI exceptions, and respectful denial letters.
- Documentation: Post fee schedules, track turnaround metrics, and keep auditable logs of requests and disclosures.
- Vendors: Update Business Associate Agreements so BAs can meet access deadlines and support new data‑sharing operations.
- Risk management: Update risk analyses to cover new endpoints, consumer apps, and identity‑proofing methods.
Conclusion
These proposed changes would make it easier to share the right information with the right people while empowering individuals to access their records quickly. By modernizing Notices, clarifying when PHI can flow, and tightening access operations, you can improve patient experience and strengthen health information privacy compliance at the same time.
FAQs
What are the key proposed changes to the HIPAA Privacy Rule?
The proposal focuses on seven areas: removing barriers to coordinated care, revising Notice of Privacy Practices requirements, expanding PHI disclosure permissions (including good‑faith uses), clarifying health‑emergency PHI exceptions, enhancing access rights and fee transparency, defining EHR and personal health application boundaries to support electronic health record transmission, and preparing organizations (policies, training, technology, and Business Associate Agreement updates) for practical compliance.
How do the changes affect individuals’ rights to access PHI?
Individuals would see faster responses under shorter access‑request timelines, broader in‑person inspection rights (including taking notes or photos), and simpler ways to direct copies to third parties or PHAs in their preferred electronic format. The proposal also requires clearer explanations of allowable fees and encourages electronic delivery to minimize delays.
What updates must healthcare organizations implement to comply?
Plan to refresh your Notice of Privacy Practices, redesign access‑request workflows to meet 15‑day deadlines, publish fee schedules, enable secure electronic delivery (portal, API, or email), update emergency disclosure protocols, review partner roles, and complete Business Associate Agreement updates so vendors can support new sharing pathways and documentation requirements.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.