July 8, 2010
The Department of Health and Human Services (HHS) issued a notice of proposed rulemaking today to modify the Privacy, Security, and Enforcement Rules issued pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, is designed to promote the widespread adoption and standardization of health information technology, and requires HHS to modify the HIPAA Privacy, Security, and Enforcement Rules to strengthen the privacy and security protections for health information and to improve the workability and effectiveness of the HIPAA Rules.
The proposed modifications to the HIPAA Rules issued today include provisions extending the applicability of certain of the Privacy and Security Rules’ requirements to the business associates of covered entities, establishing new limitations on the use and disclosure of protected health information for marketing and fundraising purposes, prohibiting the sale of protected health information, and expanding individuals’ rights to access their information and to obtain restrictions on certain disclosures of protected health information to health plans. In addition, the proposed rule adopts provisions designed to strengthen and expand HIPAA’s enforcement provisions.
“This proposed rule strengthens the privacy and security of health information, and is an integral piece of the Administration’s efforts to broaden the use of health information technology in healthcare today,” said Georgina Verdugo, director of the HHS Office for Civil Rights (OCR). These HIPAA Rules are administered and enforced by OCR.
Once it is published in the Federal Register, the notice of proposed rulemaking may be viewed and commented on for 60 days at www.regulations.gov.
In addition to issuing the notice of proposed rulemaking, OCR also updated its breach notification webpage. Breaches of unsecured protected health information affecting 500 or more individuals that are reported to the Secretary are now posted in a new, more accessible format that allows users to search and sort the reported breaches. Additionally, this new format includes brief summaries of the breach cases that OCR has investigated and closed, as well as the names of private practice providers who have reported breaches of unsecured protected health information to the Secretary.
Visit the OCR website for more information about this proposed rule and the updated breach notification webpage: www.hhs.gov/ocr/privacy/