HHS pitches new patient privacy safeguards

By Brian Robinson

A new rule proposed today would add substantial protections to the Health Insurance Portability and Accountability Act (HIPAA) for individuals who want to make sure their personal health information remains private and under their control, something that's considered vital to the eventual success of electronic health record deployments.

Health and Human Services Secretary Kathleen Sebelius acknowledged as much in announcing the rule, saying that, while health IT will help to move the American health system forward, "the privacy and security of personal health data is at the core of all of our work."

The proposed rule, which will be open to a 60-day comment period starting July 14, takes various routes to providing patient control:

The proposal enlarges individuals' rights to access their information and restricts certain types of disclosures of protected information to health plans. And it requires business associates of HIPAA-covered entities to be under most of the same rules as the covered entities.

The rule also sets new limitations on the use and disclosure of protected health information for marketing and fundraising and prohibits the sale of protected health information without the patient's authorization.

In a joint statement, David Blumenthal, the National Coordinator for Health Information Technology, and Georgina Verdugo, director of the HHS Office for Civil Rights, pointed to a number of recent actions their two offices have jointly undertaken that will buttress the new rule, including issuing an interim final privacy breach regulation last year.

Blumenthal's office is developing a final regulation to make sure that EHRs are capable of supporting the new HIPAA security and privacy requirements.

Also, as directed under the HITECH Act, a chief privacy officer role was created at the HHS to provide advice to Blumenthal in developing and implementing the Office of the National Coordinator's privacy and security programs.

Joy Pritts, a Georgetown University professor of health policy, was named to the position in February.

HHS has launched a public Web site that provides resources for those who want to know more about health data privacy and security.

First reactions to the proposal were generally positive. Deborah Peel, founder and chair of the Patient Privacy Rights organization and an often fierce critic of the government's record on privacy rights, said she was impressed with Sebelius's remarks.

"We applaud her for recognizing that HHS should build what the public expects: health IT systems that empower patient control over personal health information," she said.

That's the only route to prevent the waste of billions in stimulus funds for health IT and to prevent the ongoing theft, misuse and sale of that information that's facilitated by the current primitive health IT systems and poorly designed data exchanges, Peel added.

Lisa Gallagher, senior director of privacy and security for the Healthcare Information and Management Systems Society, said that, "at first glance," the aspect of the proposal with the most potential impact "may be the new requirements related to business associate agreements." She said HIMSS would continue to gather input from the healthcare community on the proposal and would provide comments to HHS.