HHS' Office for Civil Rights has posted proposed changes to rules regarding the disclosure of patients' health information that could give patients more insight into how their information is shared.
HHS proposes changes to HIPAA records-sharing rules
The 95-page proposed rule (PDF), to be published in the May 31 issue of the Federal Register, proposes changes to the privacy regulations under the 1996 Health Insurance Portability and Accountability Act.
The Civil Rights Office has enforcement authority for the HIPAA privacy rule and said the proposed rule reflects changes mandated by the Health Information Technology for Economic and Clinical Health Act, or HITECH, which are part of the American Recovery and Reinvestment Act of 2009. However, the Civil Rights Office noted that it also is looking to exercise the "more general authority" granted to it through HHS under HIPAA itself.
The rule comes less than two weeks after audit reports by HHS' inspector general's office took the Civil Rights Office, the CMS and the Office of the National Coordinator for Health Information Technology to task on what they found to be lagging efforts to enforce HIPAA security provisions and promote health information security.
HITECH added to HIPAA requirements establishing how patients could find out how their medical records were being used and shared. Under HITECH, covered entities using electronic health-record systems are required to be able to account for—and report to patients about, at their request—disclosures of personal medical records including those related to patients' treatment, payment and other healthcare operations.
The new proposed rule, however, goes much further than HITECH, according to Kirk Nahra, a lawyer specializing in healthcare privacy with the Washington firm of Wiley Rein.
"It's not limited to disclosure," Nahra said. "It includes use and business associates." Uses would presumably include e-mails between providers, Nahra said. "It's a phenomenally broad proposal." Nahra said the proposed accounting and electronic report-making requirements outrun available technology and that the rulemakers "basically acknowledge it's not there yet."
A patient's right to demand from covered entities an accounting of disclosures of their medical records other than for treatment, payment and other healthcare operations "is a right that's been in HIPAA for a long time that very few people have used," Nahra said. "The thought was, let's balance the benefits with the burden. I don't think (the rulemakers) realize the burden that will be in place if this rule gets finalized the way it's written."
A public comment period on the rule runs for 60 days from the May 31 publication date.
Send us a letter
Have an opinion about this story? Click here to submit a Letter to the Editor, and we may publish it in print.