HHS proposes new privacy, security rules

By Diana Manos
02:56 PM

Department of Health and Human Services Secretary KathleenSebelius announced Thursday new proposed privacy and security rules and resources. She said they would strengthen the privacy of health information and help all Americans understand their rights and the resources available to safeguard their personal health data.

Sebelius said the rules are part of an effort led by the Office of the National Coordinator for Health Information Technology (ONC) and the HHS Office for Civil Rights (OCR) to ensure Americans trust personal health data exchange.

"While health information technology will help America move its healthcare system forward, the privacy and security of personal health data is at the core of all our work," Sebelius said. "To improve the health of individuals and communities, health information must be available to those making critical decisions, including individuals and their caregivers."

The proposed rules come as part of the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, to ensure broader individual rights and stronger protections when third parties handle individually identifiable health information, Sebelius said.

Rita Bowen, president of the American Health Information Management Association board of directors congratulated HHS for the proposed rules.

"This is important as our nation works to improve the health of individuals by having accurate health information available where and when it is needed to treat patients," Bowen said. "For decades, health information management professionals have been the custodians of individual health information within healthcare organizations and AHIMA looks forward to adding our expertise to the rulemaking process in order to ensure confidentially and privacy are maintained." 

According to Sebelius, the proposed rules would strengthen and expand enforcement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Enforcement Rules by:

  • expanding individuals’ rights to access their information and to restrict certain types of disclosures of protected health information to health plans;
  • requiring business associates of HIPAA-covered entities to be under most of the same rules as the covered entities;
  • setting new limitations on the use and disclosure of protected health information for marketing and fundraising; and
  • prohibiting the sale of protected health information without patient authorization.

HHS officials said they are also looking more closely at entities that are not covered by HIPAA rules to understand better how they handle personal health information, and to determine whether additional privacy and security protections are needed for these entities.

"Giving more Americans the ability to access their health information wherever, whenever and in whatever form is a critical first step toward improving our health care system,” said David Blumenthal, MD, HHS’s national coordinator for health information technology. "Empowering Americans with real-time and secure access to the information they need to live healthier lives is paramount."

HHS will take comments on the proposed rule for 60 days after it is published in the Federal Register.

HHS also launched a privacy Web site Thursday at http://www.hhs.gov/healthprivacy.html to help visitors easily access information about existing HHS privacy efforts and the policies supporting them.

HHS's Thursday announcements follow the recent appointment of a new ONC Chief Privacy Officer, Joy Pritts.