HHS Announces Notice of Proposed Rulemaking Modifying HIPAA Privacy, Security and Enforcement Rules under the HITECH Act

July 12, 2010

On July 8, 2010, the Department of Health and Human Services (HHS) held an audio conference to announce a new notice of proposed rulemaking (NPRM) issued pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (the HITECH Act). The NPRM proposes modifications to the Standards for Privacy of Individually Identifiable Health Information (Privacy Rule), Security Standards for the Protection of Electronic Protected Health Information (Security Rule), and the rules pertaining to Compliance and Investigations, Imposition of Civil Money Penalties, and Procedures for Hearings (Enforcement Rule) issued under HIPAA.

According to HHS, the purpose of the modifications is to implement recent statutory amendments under the HITECH Act in order to strengthen the privacy and security protection of health information. HHS states that its goal, as mandated by the HITECH Act, is to “improve the nation’s health care system by enabling health information to follow the patient wherever and whenever it is needed.” At the same time, HHS recognizes that the benefits of health information technology can only be fully realized if patients and providers are confident that electronic health information is maintained in a private and secure manner. The NPRM represents HHS’ effort to reconcile and achieve both of these objectives.

HITECH Act Provisions Addressed by the NPRM

The NPRM addresses the following:

  1. Extending the Privacy and Security Rules’ requirements to business associates of covered entities.
  2. Establishing new limitations on the use and disclosure of protected health information for marketing and fundraising purposes.
  3. Prohibiting the sale of protected health information without a valid authorization unless a valid exception applies.
  4. Expanding individuals’ rights to access their information and obtain restrictions on certain disclosures of protected health information to health plans.
  5. Adopting provisions designed to strengthen and expand HIPAA’s enforcement provisions.

The rulemaking does not address:

  1. The breach notification provisions in section 13402 of the HITECH Act (the Breach Notification Rule) or the modified civil money penalty structure in section 13410(d) of the HITECH Act (the Enforcement Rule), which have been the subject of previous rulemakings.
  2. The accounting for disclosures requirement in section 13405 of the HITECH Act, which is tied to the adoption of a standard under the HITECH Act at subtitle A of title XIII of the American Reinvestment and Recovery Act (ARRA).
  3. The penalty distribution methodology requirement in section 13410(c) of the HITECH Act, which is to be based on recommendations developed at a later date by the Government Accountability Office.

The NPRM will be published in the Federal Register on Wednesday, July 14, 2010. The publication of the NPRM will begin a 60-day comment period. The NPRM is posted on the website of the Office of the Federal Register for public access prior to publication.

New Online HIPAA Resources

HHS also announced the launch of two websites during the audio conference. The first website is designed to assist the public in finding privacy resources throughout HHS. HHS has stated that the purpose of the website is to give the public confidence in health information technology by showcasing HHS’s efforts to protect health information.

The second website is a redesigned version of the breach notification website. Section 13402(e)(4) of the HITECH Act directs the Secretary of HHS to use this website to publicly post breaches of unsecured protected health information affecting 500 or more individuals. The redesigned website enables searches of such breaches and includes brief summaries of the breach cases that the Office for Civil Rights (OCR) has investigated and closed, as well as the names of covered entities who have reported breaches of unsecured protected health information to the Secretary.

Other HHS Privacy and Security Initiatives

Additionally, over the past few months, the Office of the National Coordinator for Health Information Technology (ONC) and the OCR have instituted a number of other initiatives including:

  1. The appointment of a new Chief Privacy Officer (CPO). The new CPO position is designed to provide critical advice to the National Coordinator in developing and implementing ONC’s privacy and security programs. Joy Pritts, J.D., has been appointed to the CPO position. According to HHS, Ms. Pritts will play a key role in helping ONC design new policies to address privacy and security issues in every phase of health IT development and implementation.
  2. The creation of Regional Extension Centers to educate providers about necessary privacy and security measures.
  3. The creation of State Health Information Exchange Cooperative Agreements and ONC grants to fund the development of “Beacon Communities.” The Beacon Community Cooperative Agreement Program will provide funding to communities to build and strengthen their health information technology infrastructure and exchange capabilities in order to demonstrate the benefits of healthcare information technology programs.

For more information about these changes, or for guidance to help ensure compliance, please contact us.