On July 8, HHS released the Notice of Proposed Rulemaking on HIPAA Privacy, Security, and Enforcement. It will be published in the Federal Register on July 14.
What are the key points of these proposed HITECH HIPAA Modifications?
1. The rule updates the definition of Business Associates to include health information organizations, eRx gateways or other entities that provide protected health information transmission services to a covered entity and require access on a routine basis to such information. It also includes any Personal Health Record vendor acting on behalf of a covered entity. Note that Google and Microsoft act on behalf of the patient, not the covered entity, so this proposed rule does not change the status of Google Health or Microsoft HealthVault as they are currently structured. Finally, the rule also includes any subcontractor that creates, receives, maintains, or transmits protected health information on behalf of a Business Associate.
2. It stipulates that Business Associates must comply with all requirements of the HIPAA Security Rule. They may use or disclose protected health information as permitted by a business associate agreement or required by law. They may not use or disclose information in violation of the HIPAA Privacy Rule. They must provide electronic access to data to the covered entity, individual, or individual’s designee.
3. Business Associates must enter into formal business associate agreements with their subcontractors (subBAs). They must take corrective action if they learn of subBA noncompliance, and they are liable for violations by subBAs (assuming the subBAs are acting within the scope of their agreement).
4. Covered entities and their business associates must obtain authorization for the sale of protected health information (even if use/disclosure is otherwise permissible), except:
public health; treatment; payment; sale of the Covered Entity; Business Associate activities on behalf of the Covered Entity; disclosure to the individual; disclosures required by law; or cases where the remuneration is a reasonable, cost-based fee covering the cost of preparation and transmittal (this last exception includes research).
5. Covered Entities and their Business Associates must provide access in the electronic form and format requested if readily producible, otherwise in a readable electronic form and format as agreed to by the Covered Entity and individual (such as a PDF). They must provide an electronic copy to designee, if the request is in writing and clearly identifies designee and where to send the copy. They may charge for labor and media (if the copy is provided on physical media).
6. Covered Entities and their Business Associates must agree to requests to restrict disclosures to health plans if the disclosure is not otherwise required by law and the protected health information relates to services for which the individual (or a third party other than the health plan) has paid the Covered Entity in full.
7. Other areas of the proposed rule include:
Marketing - does not require authorization if the communication discloses the fact that the covered health care provider is receiving financial remuneration in exchange for making the communication and provides the individual with a clear and conspicuous opportunity to elect not to receive any further such communications.
Fundraising - strengthens provisions allowing patients to opt out of fundraising communications.
Compound research authorizations - allows combining an authorization for the use or disclosure of protected health information for a research study with another authorization for the same research study, with an authorization for the creation or maintenance of a research database or repository, or with a consent to participate in research.
Student immunization records - allows oral agreement of parents to authorize release of immunization data to schools.
Deceased individuals - disclosure requires the consent of the decedent's personal representative for 50 years following the date of death.
All of these additions are very patient-centric and seem reasonable. It will be interesting to see the comments on this NPRM over the next 60 days.
I may be reading this wrong, but it seems like the new definitions of Business Associate would mean this rule places (in some ways) stricter measures on SaaS EHR vendors than traditional ones, considering how many transactions occur "in the cloud" in the former.