New HIPAA rule a delicate balance between privacy, sharing

With the rise of electronic health records and social media use, the newly unveiled HIPAA omnibus rule requires a delicate balancing act for hospitals.

The U.S. Department of Health & Human Services yesterday announced the omnibus rule, which comprises four final rules, to strengthen patient privacy protection.

However, the new rule enhances the tension between complying with HIPAA and meeting the requirements of the HITECH Act and Meaningful Use regulations and forces hospitals to balance the need to maintain patient privacy and the need to share data.

As the industry embraces new care delivery models, including accountable care organizations and integrated delivery systems, data must be exchanged between physicians, hospitals, and ancillary providers to improve care and reduce costs--all while keeping data safe under stricter privacy rules.

"On one hand we have 'protect, protect, protect' and on the other hand we have 'share, share, share," Todd Richardson, vice president and CIO of Wausau, Wis.-based non-profit, community-directed health system Aspirus, Inc., told FierceHealthIT. "While the balance is 'protect and share,' the devil is always in the details," he added.

The final rule also sets new rules for how patient information can be used for marketing and fundraising, and ensures that such information cannot be sold without a patient's permission, FierceHealthIT reported.

Those provisions could land hospitals in hot water, as they continue to use health and demographic data from patient records to target advertisements. But they also could represent a win for patient advocates and privacy groups who have been blasting hospitals for mining patient data to target affluent or privately insured patients.

The final rule will be effective March 26, with a compliance date of Sept. 21.

For more:
- here's the final rule
- read the FierceHealthIT article