HHS Proposes New HIPAA Privacy Rule Regulations
The U.S. Department of Health and Human Services (HHS) announced July 8 proposed regulations under the Health Insurance Portability and Accountability Act (HIPAA) that are intended to further strengthen the privacy of personal health information (PHI).
“The benefits of health IT can only be fully realized if patients and providers are confident that electronic health information is kept private and secure at all times,” said Georgina Verdugo, director of the HHS Office for Civil Rights (OCR).
Through the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, the proposed regulations include broader individual rights and stronger protections when third parties handle individually identifiable health information.
The proposed rule seeks to strengthen and expand enforcement of the HIPAA Privacy, Security and Enforcement Rules by:
- expanding individuals’ rights to access their information and restrict certain disclosures of PHI to health plans;
- requiring business associates of HIPAA-covered entities to be under most of the same rules as covered entities;
- setting new limitations on the use and disclosure of PHI for marketing and fundraising; and
- prohibiting the sale of PHI without patient authorization.
To further quell the fears of consumers, HIPAA-covered entities are required to perform regular risk analysis under the Electronic Health Record Incentive Program final rule, released July 13. The OCR issues periodic guidance on the provisions in the HIPAA Security Rule to assist organizations in identifying and implementing safeguards to protect electronic PHI.
Providers and other stakeholders are encouraged to read the proposed rule and offer comments during the 60-day comment period, which officially opened July 14.
HHS says it is also looking more closely at entities that are not covered by HIPAA rules to better understand how they handle PHI and to determine whether additional privacy and security protections are needed for these entities.