HHS: Privacy Rule Changes Coming
The Department of Health and Human Services is scheduled in May to issue a proposed rule making a series of modifications to the HIPAA privacy and security rules mandated under the HITECH Act.
Other expected regulations include a proposed rule in October to revise the electronic submission of clinical trials data covering human drugs and biologics, and a proposed rule in December to establish a unique identification system for medical devices.
Details of the privacy/security rule modifications are not included in the department's April 26 release of its semi-annual regulatory agenda, which identifies actions the department intends to take. And deadlines for anticipated actions are not always accurate. HHS missed a HITECH-imposed February 2010 deadline to issue a number of proposed rules that would:
* Clarify that certain entities are business associates and extend certain privacy and security rule provisions to business associates;
* Modify privacy rule provisions regarding the right to request restrictions, minimum necessary, access, marketing and fundraising; and
* Modify the HIPAA enforcement rule to implement revised and enhanced penalties for privacy rule violations.
Other regulations with HITECH-imposed deadlines of June or August that may or may not be in the rule expected in May include:
* Modify the privacy rule's accounting of disclosures provisions;
* Improve enforcement of the privacy rule, including enhanced penalties for serious violations; and
* Modify the privacy rule to generally prohibit exchanging health information for remuneration without individual authorization.
The semi-annual regulatory agenda does not include final rules to implement Medicare/Medicaid incentive programs and define meaningful use of electronic health records; establish an initial set of data standards for health information exchange and implementation specifications, and create EHR certification programs and criteria. Federal officials have consistently noted these rules are expected in late spring or early summer. HHS published the agenda in the April 26 Federal Register, available at federalregister.gov.
HITECH also mandates HHS during 2010 to issue a series of guidance documents, several of which had a missed February deadline, covering the privacy and security of health information. The guidance covers:
* Technical safeguards to carry out security;
* Privacy rule requirements for de-identification of protected health information;
* The privacy rule's definition of "psychotherapy notes" with regard to including certain test data and mental health evaluations; and
* What constitutes "minimum necessary" for purposes of the privacy rule, such as disclosures of protected health information.