ONC announces HITECH amendments to HIPAA privacy, security and enforcement rules

David HarlowThe federales announced a new set of HIPAA regulations today (to be published in the Federal Register on July 14) in a press conference featuring Kathleen Sebelius (HHS Secretary), Georgina Verdugo (HHS OCR Director) and David Blumenthal (ONC Director).  The HIPAA changes are essentially mandated by the HITECH Act.  From the HHS presser:

The proposed rule announced today would strengthen and expand enforcement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Enforcement Rules by:

  • expanding individuals’ rights to access their information and to restrict certain types of disclosures of protected health information to health plans;
  • requiring business associates of HIPAA-covered entities to be under most of the same rules as the covered entities;
  • setting new limitations on the use and disclosure of protected health information for marketing and fundraising; and
  • prohibiting the sale of protected health information without patient authorization.

Two new websites were announced as well.  One is a beefed-up version of the HIPAA data breach notification wall of shame, and the other is a new HHS privacy website directed at the general public, now up at hhs.gov/healthprivacy.

This website, a joint statement from ONC and OCR posted today, and the tenor of the federales’ remarks today indicate a deep concern about public perceptions concerning privacy and security of protected health information — sort of a “what if we throw a party and nobody comes?” vibe.

This was magnified at today’s press conference by comments about maintaining individual patient control over the use and dissemination of protected health information — the proposed rule includes a revised definition of marketing (in the context of using PHI for marketing purposes), and it was interesting to hear how concerns about privacy and marketing were presented (and received, e.g. by the first questioner, patient privacy advocate Deborah Peel).  In addition, the HHS listening session road show will kick into gear on this issue because they “want these policies to have the support of the American people.”

The meaningful use final rule (which Blumenthal said today would be out “very shortly” and will include additional health care provider data security requirements), and all those HITECH Act incentive dollars and, most importantly, all that highly-anticipated, interoperable-HIT-generated, health care improvement goodness, all depend on patient acceptance of the use of EHRs, so the concern for protection of patient privacy and security is well-placed.  It remains to be seen whether the general public is prepared to trust the medical-industrial complex in this way, and whether the medical-industrial complex will be able to either meet the high bar for meaningful use set in the proposed rule, or bend the federales to its will.

Finally, another couple of important nuggets from the NPRM:

  • Business Associates get virtually full Covered Entity treatment in the proposed rule, including exposure to the up-to-$1.5m fines … and subcontractors of business associates are reached by the long arm of the law, too.
  • Compliance dates for most of the new rules will be 180 days from publication of this rule as a final rule.  We get a year to put all of our business associate agreements in order.
  • A handful of changes not specifically required by the HITECH Act are thrown in — one example is the inclusion of “reputational harm” in addition to physical or financial harm as potentially aggravating factors in determining the amount of a fine.

I invite all readers to take a look at the NPRM, examine key issues of concern to them, and post observations, comments and questions here — and at regulations.gov once the comment period opens next week.

Spread the love

Categories: Uncategorized

10 replies »

  1. @ciphertext — Yes, EHRs make both use and misuse easier. The government has decided that ease of use, and attendant expected improvements in health care, health outcomes and efficiencies outweigh potentially easier misuse (which the government is trying to make harder, through this proposed rule, among others). Many have argued the point on this blog and elsewhere, one way and the other. The law is already well-settled that the patient “owns” the data. Problem is, the provider “owns” the record and has – and needs – physical (or electronic) control in order to use it for the benefit of the patient. The thing to do at this juncture would be for providers to revise their Notices of Privacy Practices (they will have to anyway once the HIPAA NPRM is finalized) to address patient control/access voluntarily, even if not mandated by the rule. For more on this idea, see: http://j.mp/qbGoj

  2. In an increasingly “connected” society, especially one in which personal (and non-personal) information is stored as digital data (think 0’s and 1’s); that can be copied and duplicated with exacting precision (unlike the degradation of paper copies during the copying process); and can be further communicated at near the speed of light; privacy will no longer be tenable. Previously, data was “silo’d” at physicians offices, hospital complexes, personal residences. It wasn’t easily accessible, as it required lengthy processes for transmittal (mail, courier, personal delivery, etc…) and a single instance of the information (i.e. “the document”) was viewable by a single person at one time. Possibly a small group if it was projected onto a wall or read at the same time by the individual (i.e. X-rays). There is an inherent protection available to this data caused by its inaccessibility and its medium. Today, we trade that level of security for the convenience of having that information instantly obtainable by another individual “for authorized purposes”. I’m not saying that the decidedly “old-school” paper documents didn’t have copies that “wound up in the wrong hands”, I’m just saying that it was more difficult. If you really wanted privacy of your information, then the patient should “own” the data. That is to say that neither the health insurance agencies, nor medical community at large could have legal claim over the information. Perhaps only over the accuracy of information provided by them (for liability concerns). The problem is, I don’t think the average person would have the capability to manage their own health information records in a secure and responsible manner. However, by “empowering” the patient to be the responsible party, would eliminate a lot of regulatory headache. In my opinion, anyway. Besides, there could be a lucrative business entity to make maintaining your health information “easier”. Think of Quicken for Health.

  3. I’m sick because of this HIPAA crap. My Mom is in PCU and those SOBs there won’t give me any info on her. They tell me that my brother is on some proxy, but I don’t know how that even happened. I went through this not long ago with a good friend who had no family. If Mom’s life is in danger, I want to know about it and be there. Now I can’t be until 9am!

  4. Another important point on pages 163-164 HHS states that HHS expects folks who have signed business associate agreements to live up to their promises, ie have policies and procedures in place, etc. So the other deadlines are moot, if you have signed an agreement you must be compliant, now.

  5. Pronouncements about privacy are not worth the space they take up on the hard drive.
    Data is being stolen , lost and usurped all of the time, facilitated by clinically disruptive HIT. What good is this crap? Even the Leapfrog Group has awakened that they are liable for their flawed and negligent recommendations coercing hosptials to buy CPOE devices.

Leave a Reply

Your email address will not be published.