As called for under the HITECH Act, the Health & Human Services Department plans to release in May a proposed rule that strengthens existing privacy, security and enforcement requirements for organizations that handle patients' health information.
The rule also toughens related provisions in the Health Insurance Portability and Accountability Act (HIPAA) as the adoption of electronic health records and health information exchange expands the number of organizations that may have access to personal data.
The proposed rule focuses on the liability of business associates of healthcare providers and plans; new limitations on the sale of protected health information; and stronger individual rights to access electronic medical records and restrict the disclosure of certain information, HHS has said.
HHS published the May timeframe in its inventory of regulations in the April 26 Federal Register (http://edocket.access.gpo.gov/2010/2010-8934.htm) but did not offer any other details.
Although the HITECH Act had called for the more robust protections to be effective in February, the proposed rule from HHS' Office of Civil Rights, which oversees health information privacy, will identify the expected date of compliance and enforcement of the new requirements.
Other HITECH privacy and security provisions have already taken effect, including requirements to notify the individual, and in some cases HHS, of a breach of personal health information, and stiffer fines for HIPAA privacy and security violations.


