Rules of Spring
Reviewing the Upcoming Regulations on
HIPAA Privacy Rule Modifications
By Kevin Heubusch
The American Recovery and Reinvestment Act came out with a bang in February 2009. The rules enacting its privacy and security provisions, however, have trickled out over the subsequent two years. Many of the provisions have the potential for significant impact on HIM operations, and the slow pace of the rulemaking process has drawn out the industry’s uncertainty and, to some degree, apprehension. This spring should resolve some of the uncertainty, if not the apprehension. It is expected that the rules will begin flowing again, perhaps even by the time this issue has been printed. Many of the provisions will have final rules and compliance dates behind them; others will be addressed in proposed rulemaking that offers the industry a first look at intended regulations and a chance for comment before proceeding further.
Expanded Access and Restrictions
Covered entities got their first look at a draft rule enacting the majority of the access and restriction modifications last summer. Things have been quiet ever since.
The Office for Civil Rights (OCR) published a notice of proposed rulemaking, or NPRM, in July 2010 titled “Modifications to the HIPAA Privacy, Security, and Enforcement Rules.” The rule drafted regulations for HITECH provisions that:
• Require covered entities that maintain EHRs to provide individuals with copies of their protected health information in electronic format upon request or transmit the copy directly to an entity or person as directed
• Extend to business associates the same requirements and penalties as covered entities under HIPAA
• Convey business associate status to emerging entities such as health information exchanges and personal health record operators
• Extend a consumer’s right to request restrictions on disclosure to health plans under certain conditions (e.g., the item or service has been paid out of pocket in full)
• Increase requirements and restrictions related to marketing and fund raising, such as prohibiting certain written
• Prohibit the sale of an individual’s protected health information unless covered by a valid authorization or limited
HITECH also requires the Department of Health and Human Services to provide guidance on what constitutes “minimum necessary” under HIPAA in an effort to clarify a data holder’s responsibilities in releasing requested information. The NPRM asked for comments on what type of guidance would be helpful.