 Effects of privacy rule provisions next month?
DHHS is set to release provisions to the privacy rule next month per their May inventory of regulations that was published in the April 26 Federal Register. As there haven't been any other details released, what do you think these provisions will entail? Effects on both group practice owners and hospitals alike?
ASKED: April 27, 2010  6:30 PM
UPDATED: April 28, 2010  2:52 pm

Answer Wiki:
It seems most likely that the forthcoming rules will make explicit several of the changes in the privacy portion of the HITECH Act (Subtitle D, sections 13400-13410). Based on a short note posted by HHS (http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hitechblurb.html), the current focus seems to be on business associate liability for complying with HIPAA Privacy and Security Rule requirements; limits on the sale of protected health information; improved right of access by individuals to their health data; and new restrictions on personal data disclosure. Looking at the text of the law in these areas, I'd expect the rules to cover the following.

- The change in liability for business associates (§13401), which under HIPAA had no direct accountability for violations of the Privacy or Security rules (instead, the covered entity with which the business associate had a contractual agreement was liable for its business associates' violations). Now business associates are directly accountable for violations, including being subject to the civil and criminal penalties for violations that were also strengthened in HITECH.

- Restrictions on the sale of protected health information, without explicit consent by the individual, subject to several exceptions (§13405(d)), notably including purposes of public health, research, treatment, health care operations, or situations such as providing an individual with a copy of his or her record (yes, they can charge you for that) or moving data between covered entities and business associates doing processing on behalf of the entity.

- The requirement that an individual be able to get a copy of whatever data a covered entity has stored electronically about the individual, and/or to direct that information to a designated entity (like a new doctor) (§13405(e)). This one might seem counter-intuitive, as most people believe that they own their own health record data, but that's just a privacy principle, not a legal right. This provision in HITECH doesn't resolve the data ownership question, but it does give you the right to request your data, and obligates the entity to give it to you; it also says any fee you are charged can't be more than the entity's labor cost to give the record to you.

- New rules limiting the amount of data disclosed about an individual (§13405(a)). This provision in the law has a couple of different aspects. First, there is a rule that says if you ask a covered entity (say, your doctor) not to disclose your personal health information, and you pay out of pocket for the services you receive from the entity, then the entity has to comply with your request not to disclose the data, unless the request to disclose is for treatment. Under HIPAA, disclosure for treatment, payment, or for the somewhat-vaguely-defined "health care operations" did not require the entity to get your consent or even to comply with your wishes about disclosure if you had expressed them. This rule changes that, except in cases of treatment. This section of the law also obligates an entity that discloses protected health information to limit it to the minimum necessary for the purpose for which the data was requested. This means, for example, that someone should not disclose your whole medical record to someone asking for information about payment for a specific service you received. This part of the rules will be interesting to see because the determination of "minimum necessary" is left up to the entity doing the disclosing, and there really are no standards or guidelines on what the minimum data is for any of the anticipated purposes for use in health information exchange.
Last Wiki Answer Submitted:  April 28, 2010  2:52 pm  by  SteveGonHIT   250 pts.
All Answer Wiki Contributors:  SteveGonHIT   250 pts.