HHS releases long-awaited proposed HIPAA enforcement rule

The new proposed rule for HIPAA enforcement details compliance initiatives for health care providers and payers to secure patient data in the electronic era. The comment period begins July 14.

The U.S. Department of Health & Human Services (HHS) released today its proposed rule for enforcement of the Health Insurance Portability and Accountability Act (HIPAA).

February 2009's Health Information Technology for Economic and Clinical Health (HITECH) Act strengthened HIPAA enforcement and introduced new rules, such as holding health care providers and business associates to the same privacy standards and liabilities, and publishing notices of data breaches involving 500 or more patients. Different pieces of the law went into effect Feb. 18, 2009, and Feb. 18, 2010, while other pieces go into effect next Feb. 18.

That left some health care stakeholders wondering how much time they had to comply with the particulars of the new rules. These include limiting uses and disclosure of protected health information (PHI) for marketing, prohibiting the sale of PHI without patient authorization, expanding individuals' rights to access their information, and restricting certain PHI disclosures to health plans.

The HITECH Act gave HHS the authority to determine how these new rules will be enforced. Health care stakeholders likely will be breathing a little easier today, because the proposed rule states that providers, payers and their business associates will have 180 days to reach HIPAA compliance after it goes into effect. That won't happen until the end of a 60-day comment period, which begins July 14, and a revision of the rule based on the comments.

"We recognize that it will be difficult for covered entities and [HIPAA] business associates to comply with the statutory provisions until after we have finalized our changes to the HIPAA rules," HHS wrote in its proposed rule. "In light of these considerations, we intend to provide covered entities and business associates with 180 days beyond the effective date of the final rule to come into compliance with most of the rule's provisions."

HIPAA business associates redefined

In light of the federal initiative to expand electronic prescribing and health information exchange, the agency proposes that health information organizations (HIO), caretakers of e-prescribing gateways, personal health records systems vendors and others who facilitate data transmission be covered as HIPAA business associates.

Subcontractors of business associates, too, would be newly subject to HIPAA compliance under the proposal. In the proposed rule, they are defined as "downstream entities that work at the direction of or on behalf of a business associate and handle protected health information," but the rule also requests feedback from stakeholders on how they should be defined. It also does away with the regulatory term individually identifiable health information -- a phrase HIPAA compliance experts know well -- which was what business associates previously had to protect.

Under the HITECH Act's proposed HIPAA enforcement rules, everyone now is held to the regulatory definitions and standards surrounding PHI, making the former classification obsolete.

Intranets, VoIP addressed in proposed HIPAA enforcement rule

Without calling Voice over Internet Protocol by name, the proposed rule also mentions intranets as "electronic media," which by association covers patient information spoken over VoIP systems. This moves VoIP communications into the HIPAA enforcement realm of data on hard drives or transmitted over the Internet, where before it might have been an exception.

"The [previous] definition assumed that no transmissions made by voice via telephone existed in electronic form before transmission; the evolution of technology has made this assumption obsolete," HHS wrote in the rule.

The 234-page document includes many other changes and updates to accommodate geographical changes, technological advances, and lessons learned from a decade and a half of HIPAA enforcement. Highlights of the proposed changes include the following:

• HIPAA legislation does not protect individually identifiable health information of people who have been dead more than 50 years.

• HIPAA protections extend to American Samoa and the Commonwealth of the Northern Mariana Islands.

• The proposed rule removes the requirement for attempts of informal resolution of cases of willful neglect, meaning investigators can move straight to hearings and proposed penalties without informal proceedings.

• Covered entities must furnish an electronic copy of health records to patients who request them, if the records exist in a "readily producible format." Covered entities can charge for this, just as they do today for paper copies, but the charge is limited to the cost of the media (or no media charge if the patient supplies it, such as a thumb drive) plus a labor cost for "reviewing and preparing" the copy.

ONC weighs in on HIPAA compliance, data security

As part of HHS, the Office of the National Coordinator for Health IT influenced the proposed rule so that it would gel with the ONC's mandate to wean both public and private health care providers off paper and build an electronic network of health care data exchange. National Coordinator Dr. David Blumenthal and Georgina Verdugo, director of the Office for Civil Rights within HHS, said in a joint statement that they will work with industry and consumer groups to implement more privacy and security safeguards surrounding health data.

To aid health care providers in keeping PHI secure, ONC outlined a number of initiatives that it's taking, such as consulting with President Barack Obama's cybersecurity brain trust to "provide direction on security best practices and standards to technical and policy decision makers for inclusion in health information exchange programs."

According to the joint statement, "As we enter into a new age of electronic health information exchange, it is more important than ever to ensure consumer trust in the privacy and security of their health information and in the industry's use of new technology."

The statement also encouraged consumers, as well as providers and other stakeholders, to offer their take on the draft rule. The 60-day public comment period for the proposed HIPAA rule opens July 14. Information about posting comments will be available at the Regulations.gov website.

Let us know what you think about the story; email Don Fluckinger, Features Writer.
