Journal of AHIMA - April 2011

Rules of Spring
Reviewing the Upcoming Regulations on
HIPAA Privacy Rule Modi;cations

By Kevin Heubusch

THE AMERICAN RECOVERY and Reinvestment Act came out with a bang in February 2009. ;e rules enacting its privacy and security provisions, however, have trickled out over the subse- quent two years. Many of the provisions have the potential for signi;cant impact on HIM operations, and the slow pace of the rulemaking process has drawn out the industry’s uncertainty and, to some degree, apprehension. ;is spring should resolve some of the uncertainty, if not the apprehension. It is expected that the rules will begin ;owing again, perhaps even by the time this issue has been printed. Many of the provisions will have ;nal rules and compliance dates behind them; others will be addressed in proposed rulemaking that o;ers the industry a ;rst look at intended regulations and a chance for comment before proceeding further.

Expanded Access and Restrictions

Covered entities got their ;rst look at a draft rule enacting the majority of the access and restriction modi;cations last summer. ;ings have been quiet ever since.

;e O;ce for Civil Rights (OCR) published a notice of proposed rulemaking, or NPRM, in July 2010 titled “Modi;cations to the HIPAA Privacy, Security, and Enforcement Rules.” ;e rule drafted regulations for HITECH provisions that:

; Require covered entities that maintain EHRs to provide individuals with copies of their protected health infor-

An Accounting of Accounting of Disclosure. An interview with AHIMA practice resources manager Diana Warner on AoD under HIPAA and HITECH. Click for Audio

mation in electronic format upon request or transmit the copy directly to an entity or person as directed

; Extend to business associates the same requirements and penalties as covered entities under HIPAA

; Convey business associate status to emerging entities such as health information exchanges and personal health record operators

; Extend a consumer’s right to request restrictions on disclosure to health plans under certain conditions (e.g., the item or service has been paid out of pocket in full)

; Increase requirements and restrictions related to marketing and fund raising, such as prohibiting certain written marketing communications

; Prohibit the sale of an individual’s protected health infor-
mation unless covered by a valid authorization or limited
exception
HITECH also requires the Department of Health and Human
Services to provide guidance on what constitutes “minimum
necessary” under HIPAA in an e;ort to clarify a data holder’s
responsibilities in releasing requested information. ;e NPRM
asked for comments on what type of guidance would be helpful.