The Department of Health and Human Services (HHS) issued a notice of proposed rulemaking to modify the Privacy, Security, and Enforcement Rules issued in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
The Health Information Technology for Economic and Clinical Health (HITECH) Act promotes the widespread adoption and standardization of health information technology, and requires HHS to modify the HIPAA Privacy, Security, and Enforcement Rules to strengthen the privacy and security protections for health information and to improve the workability and effectiveness of the HIPAA Rules, according to a press release.
The proposed modifications to the HIPAA Rules include provisions extending the applicability of certain privacy and security rules’ requirements to the business associates of covered entities, establishing new limitations on the use and disclosure of protected health information for marketing and fundraising purposes, prohibiting the sale of protected health information, and expanding individuals’ rights to access their information and to obtain restrictions on certain disclosures of protected health information to health plans.
“This proposed rule strengthens the privacy and security of health information, and is an integral piece of the Administration’s efforts to broaden the use of health information technology in healthcare today,” Georgina Verdugo, director of the HHS Office for Civil Rights (OCR), stated in a press release.
In addition to issuing the notice of proposed rulemaking, OCR updated its breach notification webpage. Breaches of unsecured protected health information affecting 500 or more individuals that are reported to the secretary are now posted in a new, more accessible format that allows users to search and sort the reported breaches.