The federales announced a new set of HIPAA regulations today (to be published in the Federal Register on July 14) in a press conference featuring Kathleen Sebelius (HHS Secretary), Georgina Verdugo (HHS OCR Director) and David Blumenthal (ONC Director). The HIPAA changes are essentially mandated by the HITECH Act. From the HHS presser:
The proposed rule announced today would strengthen and expand enforcement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Enforcement Rules by:
- expanding individuals’ rights to access their information and to restrict certain types of disclosures of protected health information to health plans;
- requiring business associates of HIPAA-covered entities to be under most of the same rules as the covered entities;
- setting new limitations on the use and disclosure of protected health information for marketing and fundraising; and
- prohibiting the sale of protected health information without patient authorization.
Two new websites were announced as well. One is a beefed-up version of the HIPAA data breach notification wall of shame, and the other is a new HHS privacy website directed at the general public, now up at hhs.gov/healthprivacy. This website, a joint statement from ONC and OCR posted today, and the tenor of the federales' remarks today indicate a deep concern about public perceptions concerning privacy and security of protected health information — sort of a "what if we throw a party and nobody comes?" vibe. This was magnified at today's press conference by comments about maintaining individual patient control over the use and dissemination of protected health information — the proposed rule includes a revised definition of marketing (in the context of using PHI for marketing purposes), and it was interesting to hear how concerns about privacy and marketing were presented (and received, e.g. by the first questioner, patient privacy advocate Deborah Peel). In addition, the HHS listening session road show will kick into gear on this issue because they "want these policies to have the support of the American people."
The meaningful use final rule (which Blumenthal said today would be out "very shortly" and will include additional health care provider data security requirements), and all those HITECH Act incentive dollars and, most importantly, all that highly-anticipated, interoperable-HIT-generated, health care improvement goodness, all depend on patient acceptance of the use of EHRs, so the concern for protection of patient privacy and security is well-placed. It remains to be seen whether the general public is prepared to trust the medical-industrial complex in this way, and whether the medical-industrial complex will be able to either meet the high bar for meaningful use set in the proposed rule, or bend the federales to its will.
Finally, another couple of important nuggets from the NPRM:
- Business Associates get virtually full Covered Entity treatment in the proposed rule, including exposure to the up-to-$1.5m fines … and subcontractors of business associates are reached by the long arm of the law, too.
- Compliance dates for most of the new rules will be 180 days from publication of this rule as a final rule. We get a year to put all of our business associate agreements in order.
- A handful of changes not specifically required by the HITECH Act are thrown in — one example is the inclusion of "reputational harm" in addition to physical or financial harm as potentially aggravating factors in determining the amount of a fine.
I invite all readers to take a look at the NPRM, examine key issues of concern to them, and post observations, comments and questions here — and at regulations.gov once the comment period opens next week.
Update 7/14/2010: Here is the official version of the proposed HIPAA rule amendments on privacy, security and enforcement, from today's Federal Register.
David Harlow
The Harlow Group LLC
Health Care Law and Consulting
