HHS has proposed a new federal healthcare information privacy rule to amend the Health Insurance Portability and Accountability Act of 1996. Reflecting changes Congress sought last year in the stimulus law, the proposed rule would give patients the right to restrict certain disclosures and ban the sale of patient data without patient consent, according to HHS.
HHS proposes changes to HIPAA privacy rule
According to an HHS announcement made jointly by David Blumenthal, head of the Office of the National Coordinator for Health Information Technology, and Georgina Verdugo, director of the Office for Civil Rights, the proposed rule would:
expand individuals' rights to access their information;
restrict certain disclosures of protected health information to health plans;
extend the applicability of certain of the HIPAA privacy and security rule requirements to the business associates of covered entities;
establish new limitations on the use and disclosure of protected health information for marketing and fundraising purposes;
strengthen and expand OCR's ability to enforce HIPAA's privacy and security provisions.
A 60-day public comment period on the proposed rule opens July 14.
Also due soon from ONC is a final regulation on standards and criteria by which electronic health-records systems will be tested and certified for eligibility in a stimulus law program subsidizing EHR purchases by providers. The regulation would ensure that EHRs contain the technical "capabilities to support needed privacy and security requirements," according to the HHS statement.
The statement also said Joy Pritts, the chief privacy officer at ONC, a position mandated by the stimulus law, "will play a key role in helping ONC design new policies to address privacy and security issues in every phase of health IT development and implementation."
In addition, ONC staff members are working in conjunction with President Barack Obama's cybersecurity initiative "to solicit input from the best security minds in the federal government." Based on these activities, according to the statement, "ONC will provide direction on security best practices and standards to technical and policy decisionmakers for inclusion in health information exchange programs."
A stimulus-law program run by ONC to create a nationwide system of health IT regional extension centers to help providers select and implement electronic health-record systems will educate providers about necessary privacy and security measures, according to the statement. Curriculum development centers, which are working to assemble educational materials for a stimulus-funded health IT workforce development program, also will incorporate "necessary information" into their programs, and federally funded state health information exchanges and so-called Beacon Communities of health IT excellence "will provide living examples of how privacy and security are successfully implemented and brought to scale."
A copy of the 234-page proposed privacy rule can be found here.
Early reactions to the rule were mixed.
Deborah Peel, an Austin, Texas, psychiatrist and founder of the not-for-profit Patient Privacy Rights Foundation, said she sat in on a conference call Thursday morning when the report was released and asked whether the new rule contains a definition of privacy. Peel suggested a definition offered to HHS by the National Committee on Vital and Health Statistics in 2006, which defined privacy as the right of patients to control the disclosure of their own healthcare information. Peel said she was told by Susan McAndrew, deputy director for privacy in the HHS Office for Civil Rights, that the proposed rule did not define privacy.
“When are they going to adopt a definition of privacy?” Peel said in a telephone interview. Without one, she said, “it's not clear what all of this means.”
In contrast, the Chicago-based American Health Information Management Association congratulated HHS and OCR on the new rules, writing in a statement that they “give healthcare consumers several advantages.”
“These proposed rules represent a striking of the difficult balance between improving appropriate health information access and transfer with the necessary confidentiality and security of that same information or data, and the very important inclusion of patients and their guardians in these activities,” the AHIMA statement said.