Understanding the Proposed Changes to HIPAA Guidelines for Telehealth

In December of 2020, the Department of Health and Human Services proposed major modifications to the HIPAA Privacy Rule. Here’s what you need to know about the changes and how they facilitate care coordination and value-based care.

Over two decades ago the Health Insurance Portability and Accountability Act (HIPAA) was signed into law. HIPAA is a landmark piece of legislation that has helped patients better protect their private health information. HIPAA has been amended numerous times since it was enacted to include additions such as the Privacy Rule and the Enforcement Rule, and the Department of Health and Human Services (HHS) has recently issued a Notice of Proposed Rulemaking, proposing major revisions to the HIPAA Privacy Rule.

HIPAA revision overview

The proposed revisions aim to promote value-based care and remove regulations that get in the way of communication and coordination between healthcare providers and health plans — supporting patients and their engagement in their care and overall reducing regulatory burdens on the healthcare industry.

If implemented, these revisions would expand individuals' rights to access their own protected health information, encourage additional sharing for care coordination, help individuals with substance use disorders in certain instances, and revise the Notice of Privacy Practice requirements, among others.

ALL of these changes empower individuals and support access to care via telehealth.

What are some of the highlights of the proposed changes?

Expand individuals’ rights to access, including:

  • Covered entities, defined under HIPAA as a health plan, healthcare clearinghouse, or health care provider who electronically transmit health information in connection with transactions for which HHS has adopted standards, would have 15 calendar days to respond to an individual’s request for their protected health information with the opportunity for a 15-day extension. Currently, covered entities have 30 days to respond with the opportunity for a 30-day extension.

  • Covered entities would be required to post estimated fee schedules on their websites so individuals would be able to determine potential fees in advance.

  • Individuals can direct their PHI to be shared in an electronic health record among covered healthcare providers and health plans.

Modify the Notice of Privacy Practice requirement by:

  • Eliminating the requirement that covered entities obtain the individual’s written acknowledgement confirming receipt of the NPP.

  • Adding instructions for how individuals can exercise their rights with respect to their PHI.

Improve information sharing for care coordination and case management for individuals:

  • Covered entities would be allowed to disclose PHI to social service agencies, community-based organizations, home and community based service providers, and other similar organizations that provide health-related services.

  • Modify the definition of “health care operations” to include individual-level coordination and case management activities.

Enhance flexibilities for disclosures in an emergency or threatening circumstances, including:

  • A covered entity could disclose PHI in a situation to avert a threat to health or safety when a harm is “serious and reasonably foreseeable” - instead of the current stricter standard that requires a “serious and imminent” threat to health or safety.

  • Facilitate greater family and caregiver involvement in the care of individuals experiencing emergencies or health crises by replacing current language that permits covered entities to make certain uses and disclosures of PHI based on their “exercise of professional judgement” based on their “good faith belief” that their use or disclosure is in the best interests of the individual.

Impact of HIPAA revisions on telehealth companies

These changes will ideally reduce the administrative burdens on HIPAA-covered healthcare providers and health plans while also continuing to protect individuals’ health information privacy interests.

If the proposed changes are implemented into law, covered entities will need to review and revise their policies and procedures to ensure they are in compliance.

You can read more about the Notice of Proposed Rulemaking here. We also recommend consulting with your in-house or outside counsel for more information on the proposed changes.



Did you know Wheel was co-founded by an expert in healthcare law? We take regulatory issues very seriously and provide our clients with virtual care compliance solutions that help untangle the federal and state-by-state telehealth delivery laws.

Contact us to learn more about launching, growing, or sustaining a compliant virtual care service and learn more about Wheel’s solution for virtual care companies.


Additional legal articles you may be interested in: