OCR Releases HITECH Privacy Regulations
The Office for Civil Rights released a notice of proposed rulemaking today on modifications to the HIPAA privacy and security rules mandated in the HITECH Act. The release is a display copy, with official publication in the Federal Register to follow on July 14.
The proposed rule addresses a variety of modifications and additions outlined in subtitle D of the act, which was part of the larger American Recovery and Reinvestment Act:
- Requires covered entities that maintain EHRs to provide individuals with copies of their protected health information in electronic format upon request or transmit the copy directly to an entity or person as directed
- Extends to business associates the same requirements and penalties as covered entities under HIPAA; further, it conveys business associate status to emerging entities such as health information exchanges and personal health record operators
- Extends a consumer’s right to request restrictions on disclosure to health plans under certain conditions
- Increases requirements and restrictions related to marketing and fund raising, such as prohibiting certain written marketing communications
- Prohibits the sale of an individual’s protected health information unless covered by a valid authorization or limited exception
The NPRM does not cover expansion of HIPAA’s accounting of disclosure provision, also called for under HITECH. Rulemaking on this is expected separately. In May OCR published a request for information seeking industry input prior to drafting regulation.
OCR will receive public comment on the NPRM for 60 days following publication.
AHIMA will publish its comments on the rule, and the Journal will follow up with analysis of the individual provisions over the coming days.