Privacy & Information Security Law Blog

On July 8, 2010, the Department of Health and Human Services ("HHS") issued a notice of proposed rulemaking to modify the Privacy, Security and Enforcement Rules promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996.  The modifications implement changes made by the Health Information Technology for Economic and Clinical Health Act (the “HITECH” Act) enacted in 2009.

Some of the major changes to the HIPAA Rules include:

• Adding “subcontractors” to the definition of “business associate” to provide that subcontractors that perform functions for or provide services to a business associate are also business associates to the extent they require access to protected health information (“PHI”);
• Requiring business associates to enter into written contracts with those subcontractors (previously, business associates were only required to “ensure” that subcontractors agree to the same restrictions on the use and disclosure of PHI);
• Applying the Security Rule and the Enforcement Rule penalty provisions directly to business associates;
• Revising the definition of “marketing” in the Privacy Rule to delineate which specific activities constitute marketing of PHI;
• Clarifying that a business associate is not making a permitted use or disclosure under the Privacy Rule if it does not apply the minimum necessary standard, where appropriate; and
• Requiring covered entities to obtain an authorization from an individual for any disclosure of the individual’s PHI in exchange for direct or indirect remuneration (with a few exceptions such as exchanges for public health activities).

HHS will be accepting comments to the notice of proposed rulemaking for a period of 60 days after the notice of proposed rulemaking is published in the Federal Register on July 14, 2010.

In addition to the changes to the HIPAA Rules, HHS announced a new privacy website designed to “provide further confidence in the expectations Americans have for the privacy of their personal information” and to “inspire added trust in HHS’ efforts to improve our nation’s health through safe and secure health information exchanges.”  HHS also announced enhancements to its breach notification website that will provide consumers with more information regarding breaches involving PHI and ongoing breach investigations.  Currently, the HHS breach notification website lists only basic details about breaches, such as the name of the covered entity at issue and the number of individuals affected by the relevant breach.