A news release from the Department of Health and Human Services (HHS) said the department is proposing changes to the privacy, security, and enforcement rules in the Health Insurance Portability and Accountability Act (HIPAA).
According to the announcement, the changes would:
- Expand individuals’ rights to access their information and to restrict certain types of disclosures of protected health information to health plans;
- Require business associates of HIPAA-covered entities to be under most of the same rules as the covered entities. An article on the Compliance Week Web site said, the proposals extend all of the HIPAA enforcement provisions, and many of the privacy and security requirements to organizations such as billing providers, accountants, lawyers and consultants. Many of the rules would also apply to subcontractors of business associates under the proposal;
- Set new limitations on the use and disclosure of protected health information for marketing and fundraising; and
- Prohibit the sale of protected health information without patient authorization.
“To improve the health of individuals and communities, health information must be available to those making critical decisions, including individuals and their caregivers,” said HHS Secretary Kathleen Sebelius, in the news release. “While health information technology will help America move its health care system forward, the privacy and security of personal health data is at the core of all our work.”
The proposed rule is at http://www.ofr.gov/OFRUpload/OFRData/2010-16718_PI.pdf. HHS also launched a privacy Web site at http://www.hhs.gov/healthprivacy/index.htmlto provide access information about existing HHS privacy efforts.