Secretary of Health and Human Services Kathleen Sebelius has announced new rules and resources to increase the privacy of health information. Through the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, current health information privacy and security rules will now include broader individual rights and stronger protections when third parties handle individually identifiable health information.
The proposed rule announced today would strengthen and expand enforcement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Enforcement Rules by:
- expanding individuals’ rights to access their information and to restrict certain types of disclosures of protected health information to health plans.
- requiring business associates of HIPAA-covered entities to be under most of the same rules as the covered entities;
- setting new limitations on the use and disclosure of protected health information for marketing and fundraising; and
- prohibiting the sale of protected health information without patient authorization.
HHS is also looking more closely at entities that are not covered by HIPAA rules to understand better how they handle personal health information and to determine whether additional privacy and security protections are needed for these entities.
HHS also launched today a privacy website at http://www.hhs.gov/healthprivacy/index.html to help visitors access information about existing HHS privacy efforts and the policies supporting them.