HHS attempts to strengthen HIPAA privacy rules with new NPRM
“Today, we begin to make real the phrase ‘private and secure’ as operative characteristics of that ambitious project of improving health information in the U.S.,” said David Blumenthal, MD, the national coordinator for health IT, during a Thursday press conference. The conference concerned the notice of proposed rulemaking that the Department of Health and Human Services (HHS) published in the July 8 edition of the Federal Register to strengthen HIPAA privacy and security rules.

HHS Secretary Kathleen Sebelius addressed the new rules and resources to strengthen the privacy of health information and to help Americans understand their rights and the resources available to safeguard their personal health data.

Led by the Office of the National Coordinator for Health IT and the HHS Office for Civil Rights, HHS is working with public and private partners to ensure that, as health IT is expanded to drive improvements in the quality and effectiveness of the nation’s healthcare system, Americans can trust that their health information is protected and secure, according to the department.

The proposed rule, currently available for public comment, would strengthen and expand HIPAA privacy, security and enforcement rules by:
  • Expanding individuals’ rights to access their information and to restrict certain types of disclosures of protected health information to health plans;
  • Requiring business associates of HIPAA-covered entities to be subject to most of the same rules as the covered entities;
  • Setting new limitations on the use and disclosure of protected health information for marketing and fundraising; and
  • Prohibiting the sale of protected health information without patient authorization.

“To improve the health of individuals and communities, health information must be available to those making critical decisions, including individuals and their caregivers,” said Sebelius. “While health IT will help America move its healthcare system forward, the privacy and security of personal health data is at the core of all our work.”

The department also unveiled a privacy website to help visitors access information about ongoing HHS privacy efforts and the policies supporting them.

HHS is also looking more closely at entities that are not covered by HIPAA rules to understand better how they handle personal health information and to determine whether additional privacy and security protections are needed for these entities.
