Proposed updates to HIPAA Security and Privacy Rules – What is new?

Howard Anderson, Managing Editor,

A proposal to significantly update the HIPAA privacy, security and enforcement rules is designed to ensure that patients’ rights are protected as more health records are digitized and exchanged.

“To improve the health of individuals and communities, health information must be available to those making critical decisions, including individuals and their caregivers,” says Health and Human Services Secretary Kathleen Sebelius. “While health information technology will help America move its healthcare system forward, the privacy and security of personal health data is at the core of all our work.”

The “notice of proposed rulemaking” issued July 8 also would create guidelines for giving patients improved access to their records, whether paper or electronic.

“Giving more Americans the ability to access their health information wherever, whenever and in whatever form is a critical first step toward improving our healthcare system,” says David Blumenthal, M.D., HHS’ national coordinator for health information technology.

Digging Deep

The HHS Office for Civil Rights prepared the proposed rule, which is required under the Health Information Technology for Economic and Clinical Health Act, also known as the HITECH Act.
Here’s a sampling of its provisions:

Access to Information

If a healthcare organization maintains electronic records, it must offer electronic copies to patients upon request.

The rule includes details on the acceptable electronic formats for copies, and it would allow organizations to charge a fee to cover their costs of producing them. It also would enable patients to request that an electronic copy be transmitted directly to another provider organization.

The rule would enable individuals to obtain restrictions on certain disclosures of information to health plans if they pay out of their own pockets for services.

Business Associates

The rule would extend the applicability of many of the HIPAA privacy and security rules’ requirements to business associates — companies that provide services to “covered entities,” such as hospitals, clinics and insurers, and have access to protected health information.
In a significant addition, the rule would require business associates to sign agreements with their subcontractors to ensure they also comply with HIPAA.

Vendors of personal health records software, health information exchanges, as well as “patient safety organizations,” which receive reports on safety events from healthcare providers, would be added to the list of business associates.

Other examples of business associates, as defined earlier under HITECH, include: third-party administrators, pharmacy benefit managers, claims processors, transcription companies, lawyers and accountants, among others.

The rule would give covered entities a full year after the compliance date to modify their business associate agreements to reflect all the latest HIPAA modifications.

Enforcement

The HITECH Act designated the HHS Office for Civil Rights to enforce the HIPAA privacy and security rules. The notice of proposed rulemaking outlines in great detail the legal definitions of violations and formalizes the tiered civil penalties called for under HITECH, with a cap of $1.5 million per calendar year for all violations of an identical provision.

Marketing and Fundraising

The rule would establish new limitations on the use and disclosure of protected health information for marketing and fundraising purposes.
It would require organizations to give individuals “a clear and conspicuous opportunity” to opt out of future solicitations. And it would require a healthcare organization to receive authorization from individuals before it could sell their protected health information to others for marketing purposes.

Requests for Comment

The proposed rule repeatedly solicits comments on potential changes and additions to the regulation. For example, it asks for feedback on the use of patient information for research purposes.
OCR accepted comments on the proposal through Sept. 13, 2010.

The proposal does not address the issue of how to give patients an accounting of who has accessed their records, as is required under HITECH. It notes that topic will be tackled in “future rulemakings.”

Also pending are privacy and security provisions in updated rules for the Medicare and Medicaid electronic health records incentive program, expected in the coming days.
In addition, Blumenthal’s staff is working with the President’s cybersecurity initiative and other federal partners “to solicit input from the best security minds in the federal government,” according to a joint statement from Blumenthal and Georgina Verdugo, director of the HHS Office for Civil Rights. These efforts could lead to the development of security best practices for health information exchanges (HIEs), they said.

A recently formed “tiger team” also is advising Blumenthal’s office on privacy and security guidelines for HIEs.

Meanwhile, HHS has launched a privacy web site to provide information about the department’s privacy efforts and policies.