More healthcare-related entities should fall under the scope of the HIPAA privacy rule, and soon, according to a U.S. Department of Health and Human Services (HHS) advisory body.
“HHS and Congress should move expeditiously to establish laws and regulations that will ensure that all entities that create, compile, store, transmit, or use personally identifiable health information are covered by a federal privacy law,” according to a recent letter the National Committee on Vital and Health Statistics (NCVHS) sent to HHS Secretary Michael Leavitt. “This is necessary to assure the public that the Nationwide Health Information Network, and all of its components, are deserving of their trust.”
The letter reiterates a year-old recommendation the committee made to Leavitt to expand the types of entities covered under the privacy rule. The committee held three hearings during the past year to get more information about entities that use health information in their day-to-day operations but are not covered by the privacy rule. The hearings reinforced committee members’ convictions that expansion of the rule was necessary, according to the letter.
“A significant concern is that many of the new entities essential to the operation of the Nationwide Health Information Network fall outside HIPAA’s statutory definition of ‘covered entity,’” according to the new letter. “Health information exchanges, regional health information organizations, record locator services, community access services, system integrators, medical records banks and other new entities established to manage health information have proliferated in recent years.”
NCVHS also sent Leavitt a letter reiterating an earlier recommendation that federal officials improve coordination between the HIPAA privacy rule and the Family Educational Rights and Privacy Act, which governs school medical records.