HHS proposes new privacy, security rules
Diana Manos reports:
Department of Health and Human Services Secretary Kathleen Sebelius announced Thursday new proposed privacy and security rules and resources…. The proposed rules come as part of the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, to ensure broader individual rights and stronger protections when third parties handle individually identifiable health information, Sebelius said.[…]
According to Sebelius, the proposed rules would strengthen and expand enforcement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Enforcement Rules by:
- expanding individuals’ rights to access their information and to restrict certain types of disclosures of protected health information to health plans;
- requiring business associates of HIPAA-covered entities to be under most of the same rules as the covered entities;
- setting new limitations on the use and disclosure of protected health information for marketing and fundraising; and
- prohibiting the sale of protected health information without patient authorization.
Strengthening the rules is a worthy effort, but as always, the devil is in the details. The notice of proposed rule making can be found here, and the public comment period will start July 14 after publication in the Federal Register.
So far, I don’t see any indication that they will undo the harm assessment provision that so many of us complained about as being contradictory to Congress’s language and intention. That is such a glaring problem and it demands remedy.