
Digesting the HIPAA Proposed Rule

By dnicastro@hcpro.com, July 21, 2010

The proposed rule that modifies the HIPAA privacy, security, and enforcement rules has been published in the Federal Register for about a week.
And while it may not be time to flip your HIPAA compliance program upside down—it is, after all, a proposed rule that could go final at any time after the HHS comment period closes Sept. 13—you should take note of several items from the rule.
The following items are courtesy of Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, of Rebecca Herold & Associates, LLC, of Des Moines, IA. Herold will be co-hosting the HCPro, Inc. audio conference, "HIPAA’s New Proposed Rule: Prepare for Changes to Privacy, Security and Enforcement Regulations," Tuesday, August 31:

  • HIPAA and HITECH apply to business associates (BAs). “Including clear indication that HIPAA and HITECH apply to BAs is a great idea,” Herold says. “I've spoken to many BAs who still believe that they only have to have the BA agreement in place, and I've had multiple covered entities (CEs) point out that the HHS has never explicitly stated that they needed to do more than provide a BA agreement for their BAs. If accepted and implemented as worded, the changes in the [proposed rule] make it much more clear that the CEs' responsibilities must go beyond just having a BA agreement.”
  • New definition of “standard.” Herold calls replacing “individually identifiable health information” with “protected health information” in the definition of “standard” a strong idea. “This has always been a point of confusion for many/most CEs, and then last year for BAs.”
  • Subcontractors now BAs. Many subcontracted entities handle PHI, and it makes sense to make them BAs by definition and liable for breaches. “Including subcontractors is a very good thing,” Herold says. “They provide many of the breaches.” It’s also a good thing to see the following entities included under HITECH:
    • Patient Safety Organizations (PSOs)
    • Health Information Organizations (HIOs)
    • E-Prescribing Gateways
    • Other persons that facilitate data transmission, as well as vendors of personal health records
  • Updated definition of "Electronic Media." The original definition became outdated quickly, Herold says. “The new one does allow for ongoing technological innovation and changes to be covered,” Herold says. “Pointing to a NIST definition is a good way to have it more consistent with other laws and regulations that also use this definition.”
  • No protection of PHI for those who have been deceased for more than 50 years. According to the proposed rule, "We believe this will reduce the burden on both covered entities and on those seeking the protected health information of persons who have been deceased for many years by eliminating the need to search for and find a personal representative of the decedent, who in many cases may not be known or even exist after so many years, to authorize the disclosure. We believe this change would benefit family members and historians who may seek access to the medical information of these decedents for personal and public interest reasons."
  • Required changes to the Notice of Privacy Practices (NPP). This will require changes throughout all the CEs, Herold says. “The trick will be how to get the wording to a point where the average patient/consumer can understand what it is saying,” she says. “This has been a problem in the past.”
    The proposed amendments to the NPP would include:
    • Language about the use and disclosures of PHI that would require an authorization under the proposed rule
    • Changes to language regarding the CE contacting an individual to provide appointment reminders, contacting the individual for fundraising, or disclosing information to the health plan
  • HHS statements on BA compliance. Herold says organizations should note the following passage from HHS in the proposed rule: "In the absence of reliable data to the contrary, we assume that business associates’ compliance with their contracts ranges from the minimal compliance to avoid contract termination to being fully compliant. The burden of the proposed rules on business associates depends on the terms of the contract between the covered entity and business associate, and the degree to which a business associate established privacy policies and adopted security measures that comport with the HIPAA Rules. For business associates that have already taken HIPAA-compliant measures to protect the privacy and security of the protected health information in their possession, the proposed rules with their increased penalties would impose limited burden. For those business associates that have not already adopted HIPAA-compliant privacy and security standards for protected health information, the risk of criminal and/or civil monetary penalties may spur them to increase their efforts to comply with the privacy and security standards."
  • Asking CEs and BAs to step up compliance teaching efforts. The proposed rule “more clearly and explicitly establishes that CEs and BAs must take a more active role in ensuring their associated BAs are in compliance with HIPAA/HITECH,” Herold says, “and that they will be held liable for doing so.”

Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.
