The U.S. Department of Health and Human Services ("HHS") issued new proposed rules to modify and strengthen the Health Insurance Portability and Accountability Act (HIPAA) privacy, security, and enforcement rules and implement new requirements for business associates of HIPAA-covered entities. The purpose of the new rules is to implement recent statutory amendments under the Health Information Technology for Economic and Clinical Health Act (HITECH Act), which was enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA), to strengthen the privacy and security protection of health information, and to improve the workability and effectiveness of these HIPAA rules.
The compliance date will generally be 180 days after final rules are published, although some provisions may have different compliance dates. The proposed rules would:
expand individuals' rights to access their health information and restrict certain types of disclosures of protected health information (PHI) to health plans
require business associates of HIPAA-covered entities to be under most of the same rules as covered entities
set new limitations on the use and disclosure of PHI for marketing and fundraising
prohibit the sale of PHI without participant authorization
According to an HHS press release, entities that are not covered by the HIPAA rules will also be examined more closely to understand better how they handle PHI and to determine whether additional privacy and security protections are needed for these entities.
A recently launched HHS privacy website helps visitors easily access information about existing HHS privacy efforts and the policies supporting them.
As new information is issued on health reform, Conner Strong will issue alerts and updates. Should you have any questions, please contact your Conner Strong representative toll-free at 1-877-861-3220.