On July 8, the Department of Health and Human Services’ Office of Civil Rights released proposed modifications to the HIPAA privacy, security and enforcement rules under the HITECH Act that will have significant impact on the operations of providers and insurers.
The 234-page document details regulatory changes required by provisions of the HITECH Act relating to the privacy and security protections for protected health information.
HHS estimates the new rules, requiring provider and insurers to offer consumers new notices of privacy practices, will cost a total of $166.1 million within 12 months of the effective date of the final rule, with the private sector bearing approximately 71 percent of the costs, and state and federal plans bearing the remaining 29 percent.
Providers and insurers must notify customers that, with few exceptions, the sale of protected health information requires the express written authorization of the individual and that individuals have a right to restrict disclosures of protected health information to a health plan with respect to treatment services for which the individual has paid out of pocket in full.
(HHS said it recognizes that this provision may be difficult for provider organizations to put in practice.)
Many of the changes in the proposed rule make clear that privacy and security provisions extend to business associates of covered entities and that covered entities remains liable for the acts of their business associate agents, regardless of whether the covered entity has a compliant business associate agreement in place.
Because altering business associate agreements takes time, HHS is proposing to allow companies to operate under existing contracts for up to one year beyond the compliance date of the revisions to the rules.
Other restrictions apply to how protected health information can be used in marketing and fundraising. (A covered entity must obtain prior written authorization from an individual to send communications to the individual about non-health- related products or services or to give or sell the individual’s protected health information to a third party for marketing.) Another area the proposed rule deals with is research. HHS is seeking input on whether to allow covered entities to combine authorizations for multiple research studies. For example, a covered entity would be able to combine an authorization permitting the use and disclosure of protected health information associated with a specimen collection for a central repository and authorization permitting use and disclosure of protected health information for a specific clinical research project.
Privacy advocates and attorneys for insurers and provider organizations will now begin studying the proposals and suggesting changes during the next 60 days.
In a prepared statement, Deven McGraw, director of the Center for Democracy & Technology Health Privacy Project, said, "Today's proposals to strengthen privacy and security protections for electronic personal health information are critical for building public trust and support for a nationwide health information network. The public supports electronic health networks but they also have legitimate concerns about the privacy risks. The promise of health information technology to help reform our health care system will fail if policymakers don't take the public's privacy concerns seriously. We look forward to reviewing these proposed regulations and providing comments to HHS."
