HHS has new proposed rules for HIPAA modifications

July 09, 2010
by Astrid Fiano, DOTmed News Writer
The Department of Health and Human Services (HHS) issued a notice of proposed rule making to implement HITECH Act modifications. The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, requires HHS to modify the Health Insurance Portability and Accountability Act (HIPAA) privacy, security and enforcement rules to strengthen the privacy and security protections for health information.

Some highlights of the proposed modifications to the HIPAA rules include:

Business Associates

--A proposal to make clear that the security provisions also apply to business associates. Business associates can include third party administrators or pharmacy benefit managers for health plans, claims processing or billing companies, transcription companies and persons who perform legal, actuarial, accounting, management or administrative services for covered entities and require access to protected health information.

--In addition, HHS proposes to modify the definition of "business associate" to explicitly designate a health information exchange organization, e-prescribing gateway, or regional health information organization as business associates. HHS also proposes to amend the definition of "business associate" to include subcontractors, and to add patient safety activities to the list of functions and activities that give rise to a business associate relationship.

Marketing

--The proposals establish new limitations on the use and disclosure of protected health information for marketing and fundraising purposes. HHS proposes to maintain the general definition of marketing as "making a communication about a product or service that encourages recipients of the communication to purchase or use the product or service." HHS proposes to include three exceptions to the definition.

The first exception would be a health care operations communication, such as one describing a health-related product or service that is provided by the covered entity making the communication. The second exception would be for communications regarding refill reminders currently being prescribed for the individual. The third exception would be communications about health-related products or services by a health care provider to an individual.

--HHS is also proposing to require a covered entity to obtain an authorization for any disclosure of protected health information in exchange for direct or indirect remuneration. The authorization must state that the disclosure will result in remuneration to the covered entity.

Fundraising

--The rule permits a covered entity to use or disclose to a business associate or an institutionally-related foundation certain information (demographic data and dates of health care provided) without authorization. Any covered entity planning to use or disclose protected health information for fundraising needs to offer individuals, in its fundraising materials, a description of how the individual may opt out of future fundraising communications.

HHS proposes to strengthen the opt-out by requiring that a covered entity provide, with each fundraising communication under these provisions, a clear and conspicuous opportunity for the individual to elect not to receive further fundraising communications. HHS also wants to require that the method for electing not to receive further fundraising communications not cause the individual to incur an undue burden. In addition, a covered entity may not condition treatment or payment on an individual's choice with respect to receiving fundraising communications.

Access to One's Own Information

--HHS proposes a requirement that if the protected health information requested is maintained electronically, the covered entity must provide access to the electronic information in the electronic form and format requested by an individual.

Enforcement

--The proposed rule includes an amendment providing that HHS will investigate any complaint filed when a preliminary review of the facts indicates a possible violation due to willful neglect.

Finally, HHS proposes to modify the definition of "protected health information" to provide that the privacy and security rules do not protect the individually identifiable health information of persons who have been deceased for more than 50 years.

The public is invited to comment on the provisions of the proposed rule for 60 days following publication in the Federal Register at Regulations.gov, using the identifying code RIN 0991-AB57. Comments can also be submitted by mail, one original and two copies, to U.S. Department of Health and Human Services, Office for Civil Rights, Attention: HITECH Privacy and Security Rule Modifications, Hubert H. Humphrey Building, Room 509F, 200 Independence Avenue, S.W., Washington, D.C. 20201.

Read the full proposed rules here: http://www.ofr.gov/OFRUpload/OFRData/2010-16718_PI.pdf