HIPAA and CMS Proposed Rule Changes


On December 10, 2020, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and the Centers for Medicare & Medicaid Services (CMS) each released a proposed rule intended to give patients more control over access to, and movement of, their health data.

HIPAA Proposed Rule

The first rule, from OCR, reopens the Health Insurance Portability & Accountability Act (HIPAA) privacy requirements by proposing modifications to the HIPAA Privacy Rule. HIPAA privacy and security policies have not changed significantly since the 2013 final rule that, among other things, finalized breach notification requirements. Key provisions within the proposed rule include, but are not limited to:

  • Shortening the time covered entities (including providers) have to respond to a patient's request for access to their records from 30 days to 15 days
  • A proposed fee structure that depends on the type of access request
  • A set of provisions governing an individual's right to direct copies of protected health information (PHI) to a third party, better aligning the Privacy Rule with the HITECH Act
  • Easing restrictions on data sharing during emergencies and other times of crisis
  • Provisions allowing patients to inspect the PHI in their record in person and to take notes or photographs of it

CMS Proposed Rule

The second rule, from CMS, extends the application programming interface (API) requirements for payers and providers as part of the administration's efforts to encourage interoperability and price transparency. Key provisions include:

  • Requirements for CMS-regulated payers to enhance the Fast Healthcare Interoperability Resources (FHIR)-based Patient Access API they are already required to offer, including adding pending and active prior authorization decisions, by Jan. 1, 2023
  • Requirements for payers to build and maintain a Provider Access API for payer-to-provider sharing of claims and encounter data, a subset of the U.S. Core Data for Interoperability (USCDI), and pending and active prior authorization decisions, by Jan. 1, 2023
  • Requirements for payers to implement a documentation requirement lookup API and a prior authorization support API, so that providers can discover what documentation a payer requires and submit prior authorization requests electronically
  • Payer-to-payer data exchange requirements
  • A proposal for HHS and the Office of the National Coordinator for Health Information Technology (ONC) to adopt an API implementation specification

The HIPAA rule is 356 pages and the CMS rule is 347 pages. Comments on the HIPAA rule are due 60 days after it is published in the Federal Register, a date that is not yet known; comments on the CMS rule were due Jan. 4, 2021. Professional organizations, including the American Academy of Pediatrics, will be submitting comments.

Additional Resources

  • HIPAA Press Release
  • CMS Fact Sheet
  • CMS Press Release