HHS proposes stronger privacy protections under HIPAA

Proposed changes to the HIPAA privacy regulations would expand patients' rights to access their information and restrict certain types of disclosures of protected health information to health plans, according to InformationWeek. The plan is a response to the American Recovery and Reinvestment Act, which requires HHS to modify the HIPAA regulations that have been in place since 2003 by strengthening the privacy and security protections for health information.

The proposed rule would strengthen and expand HIPAA privacy, security and enforcement rules by:

  • Expanding individuals' rights to access their information and to restrict certain kinds of disclosures of protected health information to health plans;
  • Requiring business associates of HIPAA-covered entities to follow most of the same rules as the covered entities;
  • Setting new limitations on the use and disclosure of protected health information for marketing and fund raising; and
  • Prohibiting the sale of protected health information without patient authorization.

HHS also unveiled a Health Data Privacy and Security Resources website where you can learn about HHS privacy policies.

"We want to make sure it is possible for patients to have maximal control over PHI," national health IT coordinator Dr. David Blumenthal said at an HHS press conference. The statement--and the proposal itself--thrilled healthcare privacy hawk Dr. Deborah Peel. Her organization, the Patient Privacy Rights Foundation, put out a statement strongly in favor of the changes, saying that the proposed rule "signaled a clear policy change in the Obama administration, strengthening consumer rights to health privacy."

The American Health Information Management Association also came out in favor of the plan. "[T]he new regulations enhance individuals' access and control over EHRs and, therefore, trust in EHRs and the electronic exchange of health information," AHIMA says in a press release. "This is important as our nation works to improve the health of individuals by having accurate health information available where and when it is needed to treat patients."

If any groups are opposed to the changes, we haven't heard from them yet.

To learn more:
- read the proposed rule issued by HHS on July 8
- read this Computerworld article via Businessweek 
- take a look at CMIO's article
- read the InformationWeek story
- see this AHIMA press release
- check out this statement from the Patient Privacy Rights Foundation, which includes a video of the HHS press conference

Sandra Yin contributed to this report.

Related Stories:
Tougher penalties for HIPAA violations
HIPAA rule allowing patient info to be used for fundraising solicitation comes under fire
OCR sets rules for sharing HIPAA breach information