Friday, September 30, 2011

HIPAA Privacy Rule Changes on the Horizon

The Department of Health and Human Services Office for Civil Rights in 2010 published a proposed rule, mandated under the HITECH Act, to make multiple changes to the HIPAA privacy, security and enforcement rules.

OCR is now in the late stages of finalizing an “omnibus” final rule that would make significant changes to those HIPAA rules, and the breach notification rule. Following are a series of privacy rule changes proposed by the government.

Expanding Associates

The OCR proposes to make requirements under the privacy and security rules applicable to business associates in the same manner they presently apply to covered entities.

In addition, it would expand the definition of “business associate” to include health information exchanges, health information organizations, electronic prescribing gateways, patient safety organizations and vendors selling personal health records for covered entities to offer to patients.

Satisfactory Assurances

The proposed rule would require business associates to obtain "satisfactory assurances" from subcontractors that they will comply with applicable requirements of the privacy and security rules.

Existing contracts between business associates and subcontractors can be grandfathered for up to one year beyond the rule's compliance date. OCR estimates 1.5 million business associates may have to bring subcontractors into compliance.

Redefining 'Marketing'

The OCR would restrict marketing activities by redefining "marketing," which will limit health-related communications that may be considered "health care operations."

The proposed rule would require covered entities receiving payment for making certain communications to obtain authorization from individuals before making the communications.

PHI Authorization

One proposed change is to define uses and disclosures of protected health information for which individual authorization is required, such as the sale of PHI.

In the proposed rule, OCR asks for additional public comment on uses and disclosures of PHI for research purposes.

Firming up Fundraising

OCR proposes to require that recipients of fundraising communications be given a clear and conspicuous opportunity to opt out of receiving future communications, making clear that opting out will not affect future treatment of the individual.

Fundraising communications may not be sent to individuals who have not expressly opted to receive them. Privacy notices must include a statement that an organization intends to send such communications and that an individual can opt out.

Patient Control

Changes on the table include requiring notice of privacy practices to include a description of the uses and disclosures of protected health information that require an authorization.

In addition, individuals would be allowed to request restriction of disclosures of PHI, unless otherwise required by law, if the restriction applies solely to a service fully paid out-of-pocket.

The proposed changes would also strengthen the right of individuals to obtain their electronic health records.

Increasing Financial Penalties

The OCR wants to increase civil money penalties for violations of requirements to ensure the privacy and security of protected health information, with fines of up to $1.5 million in a single calendar year for violations of the same requirement.

-Health Data Management
