Today, the Medicare Rights Center submitted comments to the Health and Human Services Office of Civil Rights (OCR) in response to proposed changes to an important privacy rule. The rule, which clarifies and implements the Health Insurance Portability and Accountability Act of 1996 (HIPAA), is a vital protection against misuse or improper disclosure of private health information. 

HIPAA requires covered entities like health care providers to make health records available to patients and keep that information safe from casual disclosure, malicious exposure, and even hackers. Since its creation, HIPAA has been widely misunderstood and incorrectly applied, often improperly wielded to keep people from accessing their information rather than making it easier for patients and caregivers to exercise their rights.

The proposed rule would strengthen some patient protections, including shortening the amount of time they must wait to receive access to their records. Such access can improve care coordination, alleviate risk of duplicated or contraindicated treatment, and give patients the opportunity to correct errors. 

However, the proposed rule would weaken other consumer guardrails in ways that could lessen confidentiality and patient trust. In our comments, we urged OCR not only to reject such changes but to do more to educate both covered entities and consumers about how the rule works, what protections it does and does not offer, and how to keep information as safe as possible.

Importantly, HIPAA has gaps that no rule can fill. As consumers use more types of technology such as phone apps and wearables, their information becomes less private and more easily exploited for profit. We urge Congress to do more to protect the privacy and security of health information, including by extending HIPAA to cover more types of entities.

Read the proposed rule.

Read our comments.

Read more about your rights under HIPAA.

Read more about what entities are covered by HIPAA rules.