The expected rules and other regulatory plans are part of HHS' semi-annual regulatory agenda, published Dec. 20 in the Federal Register. The new HIPAA rule follows a proposed rule issued in July 2010 to strengthen protection of health data and other sensitive information. The proposed rule requires subcontractors of business associates to comply with the same responsibilities as business associates in securing the integrity and confidentiality of protected health information. Other proposed provisions included:
* Make requirements under the privacy and security rules applicable to business associates in the same manner they presently apply to covered entities. Under the proposed rule, patient safety organizations now are defined as business associates.
* Require business associates to obtain "satisfactory assurances" from subcontractors that they will comply with applicable requirements of the privacy and security rules. Existing contracts between business associates and subcontractors can be grandfathered for up to one year beyond the rule's compliance date. OCR estimates 1.5 million business associates may have to bring subcontractors into compliance.
* Restrict marketing activities by redefining "marketing," which will limit health-related communications that may be considered "health care operations." The proposed rule would require covered entities receiving payment for making certain communications to obtain authorization from individuals before making the communications.
* Define uses and disclosures of protected health information for which individual authorization is required, such as the sale of PHI. In the proposed rule, OCR asks for additional public comment on uses and disclosures of PHI for research purposes.
* Require that recipients of fundraising communications be given a clear and conspicuous opportunity to opt out of receiving future communications, making clear that opting out will not affect future treatment of the individual. Fundraising communications may not be sent to individuals who have not expressly opted to receive them. Privacy notices must include a statement that an organization intends to send such communications and that an individual can opt out.
* Require notice of privacy practices to include a description of the uses and disclosures of protected health information that require an authorization.
* Enable individuals to request restriction of disclosures of PHI, unless otherwise required by law, if the restriction applies solely to a service fully paid out-of-pocket.
* Strengthen the right of individuals to obtain their electronic health records.
* Increase civil money penalties for violations of requirements to protect the privacy and security of protected health information, with fines of up to $1.5 million in a single calendar year for violations of the same requirement.
* Define "reasonable cause," "reasonable diligence," and "willful neglect," the definitions of which are the basis for setting monetary penalty amounts.
* Outline the responsibilities of covered entities during complaint investigations and compliance reviews.
The proposed unique identifier rule would require the Food and Drug Administration to establish identification numbers for medical devices that will adequately identify a device through distribution and use and may include information on the lot or serial number, according to an FDA abstract in the semi-annual regulatory plan.
"A unique device identification system will help reduce medical errors; will allow FDA, the healthcare community and industry to more rapidly review and organize adverse event reports; identify problems (even down to a particular lot or batch, range of serial numbers, or range of manufacturing or expiration dates); and thereby allow for more rapid, effective, corrective actions that focus sharply on the specific devices that are of concern," according to the abstract.
The semi-annual regulatory agenda is available here.