July 12, 2010
On July 8, 2010, the Department of Health and Human Services (HHS) held an audio conference to announce a new notice of proposed rulemaking (NPRM) issued pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (the HITECH Act). The NPRM proposes modifications to the Standards for Privacy of Individually Identifiable Health Information (Privacy Rule), Security Standards for the Protection of Electronic Protected Health Information (Security Rule), and the rules pertaining to Compliance and Investigations, Imposition of Civil Money Penalties, and Procedures for Hearings (Enforcement Rule) issued under HIPAA.
According to HHS, the purpose of the modifications is to implement recent statutory amendments under the HITECH Act in order to strengthen the privacy and security protection of health information. HHS states that its goal, as mandated by the HITECH Act, is to “improve the nation’s health care system by enabling health information to follow the patient wherever and whenever it is needed.” At the same time, HHS recognizes that the benefits of health information technology can only be fully realized if patients and providers are confident that electronic health information is maintained in a private and secure manner. The NPRM represents HHS’ effort to reconcile and achieve both of these objectives.
HITECH Act Provisions Addressed by the NPRM
The NPRM addresses the following:
The rulemaking does not address:
The NPRM will be published in the Federal Register on Wednesday, July 14, 2010. The publication of the NPRM will begin a 60-day comment period. The NPRM is posted on the website of the Office of the Federal Register for public access prior to publication.
New Online HIPAA Resources
HHS also announced the launch of two websites during the audio conference. The first website is designed to assist the public in finding privacy resources throughout HHS. HHS has stated that the purpose of the website is to give the public confidence in health information technology by showcasing HHS’s efforts to protect health information.
The second website is a redesigned version of the breach notification website. Section 13402(e)(4) of the HITECH Act directs the Secretary of HHS to use this website to publicly post breaches of unsecured protected health information affecting 500 or more individuals. The redesigned website enables searches of such breaches and includes brief summaries of the breach cases that the Office for Civil Rights (OCR) has investigated and closed, as well as the names of covered entities who have reported breaches of unsecured protected health information to the Secretary.
Other HHS Privacy and Security Initiatives
Additionally, over the past few months, the Office of the National Coordinator for Health Information Technology (ONC) and the OCR have instituted a number of other initiatives including:
For more information about these changes, or for guidance to help ensure compliance, please contact us.