On July 8, 2010, the Department of Health and Human Services (HHS) held an
audio conference to announce a new notice of proposed rulemaking (NPRM) issued
pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA)
and the Health Information Technology for Economic and Clinical Health Act (the
HITECH Act). The NPRM proposes modifications to the Standards for Privacy of
Individually Identifiable Health Information (Privacy Rule), Security Standards
for the Protection of Electronic Protected Health Information (Security Rule),
and the rules pertaining to Compliance and Investigations, Imposition of Civil
Money Penalties, and Procedures for Hearings (Enforcement Rule) issued under
According to HHS, the purpose of the modifications is to implement recent
statutory amendments under the HITECH Act in order to strengthen the privacy and
security protection of health information. HHS states that its goal, as mandated
by the HITECH Act, is to “improve the nation’s health care system by enabling
health information to follow the patient wherever and whenever it is needed.” At
the same time, HHS recognizes that the benefits of health information technology
can only be fully realized if patients and providers are confident that
electronic health information is maintained in a private and secure manner. The
NPRM represents HHS’ effort to reconcile and achieve both of these objectives.
HITECH Act Provisions Addressed by the NPRM
The NPRM addresses the following:
- Extending the Privacy and Security Rules’
requirements to business associates of covered entities.
- Establishing new limitations on the use and disclosure of protected
health information for marketing and fundraising purposes.
- Prohibiting the sale of protected health information without a valid
authorization unless a valid exception applies.
- Expanding individuals’ rights to access their information and obtain
restrictions on certain disclosures of protected health information to
- Adopting provisions designed to strengthen and expand HIPAA’s
The rulemaking does not address:
- The breach notification provisions in section 13402 of the HITECH Act
(Breach Notification Rule) or the modified civil money penalty
structure in section 13410(d) of the HITECH Act,
which have been the subject of previous rulemakings.
- The accounting for disclosures requirement in section 13405 of the
HITECH Act, which is tied to the adoption of a standard under the HITECH Act
at subtitle A of title XIII of the American Reinvestment and Recovery Act (ARRA).
- The penalty distribution methodology requirement in section 13410(c) of
the HITECH Act, which is to be based on recommendations developed at a later
date by the Government Accountability Office.
The NPRM will be published in the Federal Register on Wednesday, July 14,
2010. The publication of the NPRM will begin a 60-day comment period. The NPRM
posted on the website of the Office of the Federal Register for public
access prior to publication.
New Online HIPAA Resources
HHS also announced the launch of two websites during the audio conference.
The first website is designed to assist the public in finding privacy resources
throughout HHS. HHS has stated that the purpose of the website is to give the
public confidence in health information technology by showcasing HHS’s efforts
to protect health information.
The second website is a redesigned version of the breach notification
website. Section 13402(e)(4) of the HITECH Act directs the Secretary of HHS to
use this website to publicly post breaches of unsecured protected health
information affecting 500 or more individuals. The redesigned website enables
searches of such breaches and includes brief summaries of the breach cases that
the Office for Civil Rights (OCR) has investigated and closed, as well as the
names of covered entities who have reported breaches of unsecured protected
health information to the Secretary.
Other HHS Privacy and Security Initiatives
Additionally, over the past few months, the Office of the National
Coordinator for Health Information Technology (ONC) and the OCR have instituted
a number of other initiatives including:
- The appointment of a new Chief Privacy Officer (CPO). The new CPO
position is designed to provide critical advice to the National Coordinator
in developing and implementing ONC’s privacy and security programs. Joy
Pritts, J.D., has been appointed to the CPO position. According to HHS, Ms.
Pritts will play a key role in helping ONC design new policies to address
privacy and security issues in every phase of health IT development and
- The creation of Regional Extension Centers to educate providers about
necessary privacy and security measures.
- The creation of State Health Information Exchange Cooperative Agreements
and ONC grants to fund the development of “Beacon Communities.” The Beacon
Community Cooperative Agreement Program will provide funding to communities
to build and strengthen their health information technology infrastructure
and exchange capabilities to demonstrate the benefits of healthcare
information technology programs.
For more information about these changes, or for guidance to help ensure
compliance, please contact us.