HealthBlawg

David Harlow's Health Care Law Blog


ONC announces HITECH amendments to HIPAA privacy, security and enforcement rules

July 8, 2010

The federales announced a new set of HIPAA regulations today (to be published in the Federal Register on July 14) in a press conference featuring Kathleen Sebelius (HHS Secretary), Georgina Verdugo (HHS OCR Director) and David Blumenthal (ONC Director).  The HIPAA changes are essentially mandated by the HITECH Act.  From the HHS presser:

The proposed rule announced today would strengthen and expand enforcement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Enforcement Rules by:

  • expanding individuals’ rights to access their information and to restrict certain types of disclosures of protected health information to health plans;
  • requiring business associates of HIPAA-covered entities to be under most of the same rules as the covered entities;
  • setting new limitations on the use and disclosure of protected health information for marketing and fundraising; and
  • prohibiting the sale of protected health information without patient authorization.

Two new websites were announced as well.  One is a beefed-up version of the HIPAA data breach notification wall of shame, and the other is a new HHS privacy website directed at the general public, now up at hhs.gov/healthprivacy.  This website, a joint statement from ONC and OCR posted today, and the tenor of the federales' remarks today indicate a deep concern about public perceptions concerning privacy and security of protected health information — sort of a "what if we throw a party and nobody comes?" vibe.  This was magnified at today's press conference by comments about maintaining individual patient control over the use and dissemination of protected health information — the proposed rule includes a revised definition of marketing (in the context of using PHI for marketing purposes), and it was interesting to hear how concerns about privacy and marketing were presented (and received, e.g. by the first questioner, patient privacy advocate Deborah Peel).  In addition, the HHS listening session road show will kick into gear on this issue because they "want these policies to have the support of the American people." 

The meaningful use final rule (which Blumenthal said today would be out "very shortly" and will include additional health care provider data security requirements), and all those HITECH Act incentive dollars and, most importantly, all that highly-anticipated, interoperable-HIT-generated, health care improvement goodness, all depend on patient acceptance of the use of EHRs, so the concern for protection of patient privacy and security is well-placed.  It remains to be seen whether the general public is prepared to trust the medical-industrial complex in this way, and whether the medical-industrial complex will be able to either meet the high bar for meaningful use set in the proposed rule, or bend the federales to its will.

Finally, another couple of important nuggets from the NPRM: 

  • Business Associates get virtually full Covered Entity treatment in the proposed rule, including exposure to the up-to-$1.5m fines … and subcontractors of business associates are reached by the long arm of the law, too.
  • Compliance dates for most of the new rules will be 180 days from publication of this rule as a final rule.  We get a year to put all of our business associate agreements in order.
  • A handful of changes not specifically required by the HITECH Act are thrown in — one example is the inclusion of "reputational harm" in addition to physical or financial harm as potentially aggravating factors in determining the amount of a fine.

I invite all readers to take a look at the NPRM, examine key issues of concern to them, and post observations, comments and questions here — and at regulations.gov once the comment period opens next week.

Update 7/14/2010:  Here is the official version of the proposed HIPAA rule amendments on privacy, security and enforcement, from today's Federal Register.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

Filed Under: EHR, Health 2.0, Health care policy, Health Law, HIPAA, HIT, Privacy


Copyright © 2006–2023
HealthBlawg is a publication of The Harlow Group LLC. See Copyright notice and disclaimer.
Fair use with attribution and a link is encouraged.