Feds Propose Tighter Privacy Rules for Health IT

Proposed rule changes from the U.S. Department of Health and Human Services would broaden privacy under HIPAA, the administration said.

July 8, 2010

The U.S. Department of Health and Human Services (HHS) intends to "expand and strengthen" privacy rules in order to protect Americans' electronic health records, the department's secretary announced Thursday, July 8.

Proposed rule changes to the Health Information Portability and Accountability Act of 1996 (HIPAA) unveiled Thursday would "include broader individual rights and stronger protections when third parties handle individually identifiable health information," according to the HHS.

The new rules come as the federal government, health providers and private companies have begun working together to set standards and build out networks for health information exchange and electronic health records.

"The purpose of these modifications is to implement recent statutory amendments under the Health Information Technology for Economic and Clinical Health Act (HITECH), to strengthen the privacy and security protection of health information, and to improve the workability and effectiveness of these HIPAA rules," according to the notice of proposed rulemaking.

According to the HHS, the new rules would:

  • expand individuals' rights to access their information and to restrict certain types of disclosures of protected health information to health plans;
  • require business associates of HIPAA-covered entities to be under most of the same rules as the covered entities;
  • set new limitations on the use and disclosure of protected health information for marketing and fundraising; and
  • prohibit the sale of protected health information without patient authorization.

"The benefits of health IT can only be fully realized if patients and providers are confident that electronic health information is kept private and secure at all times," said Georgina Verdugo, Office for Civil Rights director at HHS. "This proposed rule strengthens the privacy and security of health information, and is an integral piece of the administration's efforts to broaden the use of health information technology in health care today."