Privacy and Security Redux

A sixty day comment period starts tommorrow on newly proposed regulations under HIPAA that would:

• expand individuals’ rights to access their information and restrict certain disclosures of protected health information to health plans, 
• extend the applicability of certain of the Privacy and Security Rules’ requirements to the business associates of covered entities, 
• establish new limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and 
• prohibit the sale of protected health information without patient authorization. 

In addition, the proposed rule is designed to strengthen and expand Office of Civil Rights' ability to enforce HIPAA’s Privacy and Security provisions. These rules are mandated by HITECH.

“Giving more Americans the ability to access their health information wherever, whenever and in whatever form is a critical first step toward improving our health care system,” said ONC's David Blumenthal. “Empowering Americans with real-time and secure access to the information they need to live healthier lives is paramount.”

HHS also launched today a privacy website at http://www.hhs.gov/healthprivacy/index.html.

“HHS strongly believes that an individual’s personal information is to be kept private and confidential and used appropriately by the right people, for the right reasons,” said Joy Pritts, recently appointed Chief Privacy Officer. “Without such assurances, an individual may be hesitant to share relevant health information.”

HHS is also looking more closely at entities that are not covered by HIPAA rules to understand better how they handle personal health information and to determine whether additional privacy and security protections are needed for these entities.

PHRs will be covered under HIPAA, if they act on behalf of a covered entity.  The rule does not apply to PHR vendors that provide services on behalf of the patient instead of the covered entity (e.g., Google, Microsoft).