With a press conference featuring top officials including HHS Secretary Kathleen Sibelius, the Office of Civil Rights rolled out a 234-page Notice of Proposed Rulemaking on July 8, 2010. The full text is here. The agency described the proposed rulemaking as including significant modifications to the HIPAA Privacy, Security and Enforcement rules, as well as resources and activities to strengthen the privacy of health information and to help Americans understand their rights and resources available to safeguard their personal health information. The notice will appear in the Federal Register on July 14, and comments will be received for 60 days thereafter.
At the same time, HHS issued a statement on Privacy and Security entitled Building Trust in Health Information Exchange, listing the various initiatives it is pursuing. HHS stated that the proposed regulations released today would “expand individuals’ rights to access their information and restrict certain disclosures of protected health information to health plans, extend the applicability of certain of the Privacy and Security Rules’ requirements to the business associates of covered entities, establish new limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibit the sale of protected health information without patient authorization. In addition, the proposed rule is designed to strengthen and expand OCR’s ability to enforce HIPAA’s Privacy and Security provisions. This rulemaking will strengthen the privacy and security of health information, and is an integral piece of the Administration’s efforts to broaden the use of health information technology in health care today.”
Also announced today was a new HHS website for Health Data Privacy and Security Resources, http://www.hhs.gov/healthprivacy, and a revamped format for its online listing of breaches affecting more than 500 individuals . HHS reports that such breaches are now posted in a new, more accessible format that allows users to search and sort the posted breaches. Additionally, this new format includes brief summaries of the breach cases that OCR has investigated and closed, as well as the names of private practice providers who have reported breaches of unsecured protected health information to the Secretary.
Next up on the HHS agenda – the final “meaningful use” standards, which will clarify the minimum capabilities for the implementation of electronic medical records systems to qualify for federal subsidies beginning next year.