The Department of Health and Human Services Thursday released a proposal to modify the HIPAA privacy, security, and enforcement rules. It also calls for greater HIPAA compliance for business associates (BAs) of covered entities and for strengthening the HIPAA enforcement rule.
According to the Office for Civil Rights (OCR), which enforces the HIPAA privacy and security rules for HHS, the proposed modifications include:
- Provisions that extend the applicability of certain privacy and security rules requirements to Bas
- New limitations on the use and disclosure of protected health information (PHI) for marketing and fundraising purposes
- Prohibition of the sale of PHI
- Expansion of individuals' rights to access their information and to obtain restrictions on certain disclosures PHI
- Provisions that strengthen and expand HIPAA's enforcement rule
The proposed rule is required by the HITECH Act, signed into law by President Barack Obama, February 17, 2009 and part of the $787 billion economic American Recovery and Reinvestment Act of 2009 that includes provisions for heightened enforcement of HIPAA and stiffer penalties for privacy and security violations.
HHS was late delivering this proposed rule. Per the HITECH, OCR was supposed to deliver the following by February 18:
- Guidance on BA contracts
- Modifications of the privacy rule provisions regarding right to request restrictions, minimum necessary, patient access to electronically held PHI and marketing and fundraising
- Clarifying that certain entities are Bas
- Issuing guidance on the privacy rule requirements for de-identification
- Report to Congress on HIPAA Privacy and Security Compliance
- Study and report to Congress on privacy and security requirements for entities that are not HIPAA covered entities or business associates
- Study the HIPAA Privacy Rule's definition of "psychotherapy notes" with regard to including certain test data and mental health evaluations
Also, by June 18, OCR was to deliver regulations to modify the HIPAA Privacy Rule's accounting of disclosures provisions.
On May 3rd, however, OCR published a notice in the Federal Register asking for help crafting a proposed rule on accounting of disclosures on electronic health records (EHRs) per HITECH.
HITECH expands an individual's right to request accounts on disclosures of his/her health record. In the Federal Register, OCR writes that the comments from providers and patients will "help us better understand the interests of individuals with respect to learning of such disclosures, the administrative burden on covered entities and business associates of accounting for such disclosures, and other information that may inform [our] rulemaking in this area."
Editor's note: Access the proposed rules through the OCR privacy website.
Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.