On July 14, 2010, the Federal Register published the “Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the HITECH Act – Proposed Rules.” Comments related to the Proposed Rule are due on September 13, 2010, and can be submitted and accessed at www.regulations.gov.

“The proposed modifications to the HIPAA Rules include provisions extending the applicability of certain of the Privacy and Security Rules’ requirements to the business associates of covered entities, establishing new limitations on the use and disclosure of protected health information for marketing and fundraising purposes, prohibiting the sale of protected health information, and expanding individuals’ rights to access their information and to obtain restrictions on certain disclosures of protected health information to health plans.  In addition, the proposed rule adopts provisions designed to strengthen and expand HIPAA’s enforcement provisions.” – HHS

Key provisions of the Proposed Rule regarding Business Associates include:

  • Allowance of additional time to revise Business Associate agreements to bring them into compliance with the HITECH Act, including continued operation under the existing Business Associate agreements for up to one year beyond the compliance date.
  • Subcontractors of Business Associates will be required to enter into business associate agreements with the Business Associate. A Business Associate aware of noncompliance by a subcontractor is required to respond by curing the noncompliance (breach) or terminating the agreement.
  • Business Associates subject to potential civil and criminal penalties.

Key provisions of the Proposed Rule regarding HIPAA include:

  • Many provisions of the HITECH Act took effect on February 18, 2010; however, OCR intends to allow 180 days after the final rules come into effect for entities to come into compliance.
  • Authorization requirements for disclosures of PHI in exchange for remuneration.
  • Update to the marketing rules.
  • Restrictions on disclosures to health plans if the patient pays out-of-pocket.
  • Patient rights to receive electronic copies of their PHI.
  • Updates to the Notice of Privacy Practices.

To read more about the Proposed Rule click here.

If you have questions regarding the Proposed Rule or if you need assistance in drafting a comment, please contact Elana Zana.