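As the calendar year turns over, 2022 might bring the most significant changes to the HIPAA Privacy Rule in almost a decade. These changes will come on the heels of several years of information gathering, proposals, and public comment, a process that started in December 2018 when the U.S. Department of Health and Human Services (HHS) Office for Civil Rights issued a request for information about HIPAA Rules. Subsequently, HHS released and published a Notice of Proposed Rulemaking (NPRM) in December 2020 and January 2021, respectively. A public comment period on the NPRM followed, ending on May 6, 2021.1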

The proposed changes to the HIPAA Privacy Rule are targeted at helping fulfill HHS’ Regulatory Sprint to Coordinated Care by breaking down barriers to care coordination, information sharing, and interoperability (in alignment with the 21st Cures Act and the HITECH Act); supporting value-based care; enhancing patient engagement and right of access; and reducing unnecessary administrative and regulatory burdens.2

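Some of the important provisions of the Proposed Rule include introducing and modifying key definitions, strengthening patients’ right of access to information, supporting information sharing and care coordination, permitting broader disclosures of information, and modifying policies and information related to the Notice of Privacy Practices (NPP).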


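As part of the Proposed Rule, HHS seeks to add definitions for two key terms: electronic health record (EHR) and personal health application (PHA). Neither term is currently defined in the HIPAA Privacy Rule, although the HITECH Act does contain a definition of EHR.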

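The Proposed Rule aims to expand and clarify HITECH’s definition by defining EHR as “an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.”3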

Similarly, the Proposed Rule aims to build on HITECH’s definition of personal health record by defining PHA as “an electronic application used by an individual to access health information about that individual in electronic form, which can be drawn from multiple sources, provided that such information is managed, shared, and controlled by or primarily for the individual . . .”4

The addition of both of these definitions — EHR and PHA — to the Privacy Rule is intended to address the gap in current regulatory definitions as well as clarify and support individuals’ right of access related to electronic protected health information (ePHI).5

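The Proposed Rule also addresses confusion about the term “healthcare operations.” The current Privacy Rule permits uses and disclosures of PHI for treatment, payment, and healthcare operations without patient authorization. The definitions of treatment and healthcare operations overlap to some extent in terms of the type of activity and who is performing it — for example, case management activities performed by a healthcare provider (treatment) vs. a health plan (healthcare operations). However, the definition of healthcare operations specifically refers to population-based activities rather than individual-level care. Thus, HHS proposes to clarify that healthcare operations includes both individual-level and population-based care coordination and case management activities.6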


A predominant focus in healthcare legislation and reform is giving patients more access to and control over their health information. The proposed changes to the HIPAA Privacy Rule reflect this goal and aim to enhance patients’ right of access through various provisions, including:

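  • Strengthening patients’ right to inspect their PHI in person. The Proposed Rule would allow patients to take notes and use personal resources (e.g., smartphones) to capture images of their PHI, as long as doing so does not pose an unacceptable security risk. However, providers are not required to let patients connect personal devices to their information systems.
  • Shortening the current timeline for responding to PHI requests. Providers currently have 30 days to respond to patients’ requests for PHI, with an optional 30-day extension. The Proposed Rule seeks to shorten the timeframe to 15 days with an optional 15-day extension.
  • Clarifying patients’ right to obtain PHI in the form and format requested, if it is readily producible. Under the Proposed Rule, “readily producible” copies of PHI would include ePHI requested through secure, standards-based application programming interfaces using applications chosen by individuals. Providers also would be required to provide copies of PHI in any form and format required by applicable state and other laws.
  • Simplifying identity verification requirements. Although verifying an individual’s identity is a crucial step in responding to requests for PHI, unreasonable or burdensome verification requirements can create barriers to patients’ right of access. The Proposed Rule would prohibit covered entities from imposing unreasonable verification measures, such as requiring notarized signatures or in-person proof of identity (when another, more convenient method is available).
  • Providing more information about fees associated with obtaining PHI. The Proposed Rule specifies circumstances in which PHI must be provided free of charge (e.g., during onsite inspection) and amends fees associated with responding to requests to send PHI to third parties. Providers also would be required to (a) post estimated fee schedules on their websites, (b) provide individualized fee estimates, and (c) provide itemized bills for completed requests.7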


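Certain aspects of the current HIPAA Privacy Rule can be construed as restrictive or limiting the ability of providers to share information in the pursuit of comprehensive, coordinated care for patients. The Proposed Rule aims to address this issue and break down some of the barriers to information sharing.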

As noted earlier, the more detailed definition of healthcare operations facilitates the sharing of individual patient data to support individual-level care coordination and case management. The Proposed Rule also establishes a pathway for patients to direct sharing of ePHI among providers and health plans by allowing patients to request that a provider or health plan submit an access request for PHI in an EHR to another healthcare provider.8 The provider or health plan (the “requester-recipient”) would facilitate requesting the information from the other provider (the “discloser”) and receive an electronic copy of the PHI.

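The proposed changes also modify the rule related to the “minimum necessary standard.” Under the current Privacy Rule, covered entities must use, disclose, or request only the minimum amount of PHI needed to accomplish the task at hand. The Proposed Rule creates an exception to the minimum necessary standard for uses, disclosures, or requests from covered entities for care coordination and case management.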

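The Proposed Rule also permits covered entities to disclose PHI to third-party organizations that provide health-related services for the purposes of individual-level care coordination and case management (for treatment or healthcare operations). Examples of such third parties include social services agencies, community-based organizations, home- and community-based service providers, and other similar organizations. HHS notes that, in some cases, these organizations might not be subject to HIPAA.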


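In addition to supporting measures that facilitate information sharing and coordinated care, the Proposed Rule also aims to increase flexibility around the disclosure of PHI to an individual’s family members or other caregivers who are trying to assist the individual with a serious condition or emergency situation. Examples of such conditions and situations include substance use disorders, serious mental illness, incapacitation, and health-related emergencies.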

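To accomplish this, HHS proposes replacing the “professional judgment” standard with a “good faith belief” standard, which permits uses and disclosures of an individual’s information when doing so is in the individual’s best interests. HHS also notes that exercising the professional judgment standard implies disclosure by a licensed healthcare provider, while the good faith belief standard “may be exercised by other workforce members who are trained on the covered entity’s HIPAA policies and procedures and who are acting within the scope of their authority.”9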

Five areas of the Privacy Rule would be amended under this proposal. These areas relate to disclosures (1) to parents, guardians, or others acting in loco parentis; (2) for facility directories; (3) when the individual is present; (4) when the individual is not present due to incapacitation or an emergency; and (5) in relation to verification requirements.10

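HHS also proposes increasing flexibility for disclosing PHI to family, friends, and caregivers to avert harm. The current Privacy Rule permits covered entities to disclose PHI when a threat to health and safety is “serious and imminent.” HHS acknowledges that determining with certainty whether a threat is imminent may be impossible; thus, the Proposed Rule would permit disclosure of PHI when a threat to health and safety is “serious and reasonably foreseeable.” The proposed changes would include a definition of “reasonably foreseeable” to help guide decisions about disclosure.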


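To help remove administrative burdens of the current HIPAA Privacy Rule, the Proposed Rule eliminates the requirement for direct healthcare providers to obtain — or to document their good faith efforts to obtain — patients’ written acknowledgment of receipt of the providers’ NPP. However, to ensure that patients can understand and act on the information in the NPP, they would have the right to discuss the NPP with a person designated by the healthcare provider.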

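Further, HHS proposes modifying the header of the NPP to specify that the notice provides individuals with information about how to access their information, how to file a HIPAA complaint, and their right to receive a copy of the notice. The NPP header also would need to include a phone number and email address for the designated contact person.11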


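Although the changes detailed in this article are still proposed rather than final, healthcare providers (and other covered entities) should be aware of them and their potential implications. The changes will require providers to update their policies, procedures, NPPs, authorization and disclosure materials, and contracts.12 Further, the significance and breadth of these changes will necessitate retraining staff on the HIPAA Privacy Rule.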

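The proposed changes would take effect 60 days after publication of a final rule, and providers would have 180 days after the effective date to comply. With less than a year to implement these changes, taking a proactive approach before the Proposed Rule is finalized can help providers prepare for the changes and identify any issues with current or future processes that could hinder implementation or compliance.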


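  • Make sure your current policies and procedures for the HIPAA Privacy, Security, and Breach Notification Rules are complete and up to date. Doing so will make implementing the proposed changes more straightforward and help avoid confusion.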
  • Review your current processes related to patients’ requests to inspect and obtain copies of their PHI to determine how well they work and what will need to change based on the Proposed Rule.
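  • Be aware of any state laws related to the release or disclosure of PHI. HHS notes that the rule does not preempt other laws that are more protective of individual privacy.
  • Ensure that your identity verification process for access to PHI does not impose unreasonable measures on patients, such as requiring notarized authorizations or other burdensome requirements.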
  • Consider how the shortened timeframe to respond to patients’ requests for PHI (from 30 days to 15 days) will affect workflow processes. Review your current process and ability to comply with the 30-day timeframe to identify potential obstacles for future compliance.
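  • Review current forms, materials, and contracts affected by the Privacy Rule to consider what changes will need to be made and the best way to approach those changes. Also consider what updates you will need to make to your website information.
  • Begin educating staff about the Proposed Rule changes, and include them in planning efforts and discussions about new processes and workflows.13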


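For more complete information and details about all of the proposed changes to the HIPAA Privacy Rule, see Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement, published in the Federal Register on January 21, 2021.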


