The Department of Health and Human Services' Office for Civil Rights has released a proposed rule to modify and strengthen provisions of the HIPAA privacy, security and enforcement rules. The enforcement rule covers the HIPAA administrative simplification, privacy, security and breach notification rules.

The proposed rule, on a fast early read, does not appear to mandate encryption of protected health information. Changes proposed in the new rule from OCR are authorized under the HITECH Act. The rule is available to view and download on the Federal Register's Public Inspection Desk at It will be officially published in the Federal Register on July 14. Provisions of the rule include:

* Make requirements under the privacy and security rules applicable to business associates in the same manner they presently apply to covered entities. Under the proposed rule, patient safety organizations are now defined as business associates.

* Require business associates to obtain "satisfactory assurances" from subcontractors that they will comply with applicable requirements of the privacy and security rules. Existing contracts between business associates and subcontractors can be grandfathered for up to one year beyond the rule's compliance date. OCR estimates 1.5 million business associates may have to bring subcontractors into compliance.

* Restrict marketing activities by redefining "marketing," which will limit health-related communications that may be considered "health care operations." The proposed rule would require covered entities receiving payment for making certain communications to obtain authorization from individuals before making the communications.

* Define uses and disclosures of protected health information for which individual authorization is required, such as the sale of PHI. In the proposed rule, OCR asks for additional public comment on uses and disclosures of PHI for research purposes.

* Require that recipients of fundraising communications be given a clear and conspicuous opportunity to opt out of receiving future communications, making clear that opting out will not affect future treatment of the individual. Fundraising communications may not be sent to individuals who have not expressly opted to receive them. Privacy notices must include a statement that an organization intends to send such communications and that an individual can opt out.

* Require notice of privacy practices to include a description of the uses and disclosures of protected health information that require an authorization.

* Enable individuals to request restriction of disclosures of PHI, unless otherwise required by law, if the restriction applies solely to a service fully paid out-of-pocket.

* Strengthen the right of individuals to obtain their electronic health records.

* Increase civil money penalties for violations of requirements to protect the privacy and security of protected health information, with fines of up to $1.5 million in a single calendar year for violations of the same requirement.

* Define "reasonable cause," "reasonable diligence," and "willful neglect," the definitions of which are the basis for setting monetary penalty amounts.

* Outline the responsibilities of covered entities during complaint investigations and compliance reviews.

--Joseph Goedert
