Proposed HITECH Privacy Rule to be Released
The Department of Health and Human Services (HHS) plans to release in May a proposed rule strengthening existing privacy, security, and enforcement requirements for organizations handling patients’ health information, Healthcare IT News reports. The rule is required by the Health Information Technology for Economic and Clinical Health (HITECH) Act.
The rule also toughens related provisions in the Health Insurance Portability and Accountability Act (HIPAA) as the adoption of electronic health records (EHRs) and health information exchange (HIE) expands the number of organizations that may have access to personal data.
The proposed rule focuses on the liability of business associates of health care providers and plans; new limitations on the sale of protected health information; and stronger individual rights to access electronic medical records and restrict the disclosure of certain information, HHS said.
HHS published the May timeframe in its semiannual regulatory agenda in the April 26 Federal Register, but did not offer any other details.
Although the HITECH Act had called for the more robust protections to be effective in February, the proposed rule from HHS Office of Civil Rights (OCR), which oversees health information privacy, will identify the expected date of compliance and enforcement of the new requirements.
Other HITECH privacy and security provisions have already taken effect, including notification of a breach of personal health information to the individual, and in some cases to HHS, and stiffer fines for HIPAA privacy and security violations.