On Thursday, July 8, 2010, the United States Department of Health & Human Services (HHS) held a press briefing to announce “significant modifications” through proposed rulemaking to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) pursuant to the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH). The proposed modifications also seek to strengthen the privacy of health information and help Americans understand their rights and resources available to safeguard their personal health information. As part of the latter effort, Sebelius announced the launch of another new website “where Americans can read about all HHS’ efforts to protect privacy in the exchange of electronic health information and that will give Americans the tools needed to embrace technology to take control over their health information.” The website will be available at www.hhs.gov/healthprivacy.

HHS Secretary Sebelius noted that it’s hard for patients to keep track of their own medical history and communicate needed information to their physician. If doctors do not have the right information at the right time to make the right decision about care, the patient may not get appropriate care. A key step in getting timely information to physicians is to empower patients to control their own healthcare information. But, as Sebelius noted, it’s also critical for Americans to know that such information will be private and secure. Sebelius observed that the Notice of Proposed Rule Making (NPRM) represents “the most sweeping improvements to HIPAA privacy and security standards since they went into effect in 2003.” Sebelius added that today’s announcements “are part of a broader, administrative commitment to make sure that no one has access to your personal health records that you don’t want to have access.”

Georgina Verdugo, Director of HHS Office of Civil Rights (OCR) stated, “Our nation has embarked on an historic effort to transform our health delivery system and it’s more important than ever to assure privacy and security of electronic health information.” She stated that the NPRM reinforces and expands OCR’s enforcement efforts by requiring Business Associates (BAs) of Covered Entities (CEs) to have the same liabilities as CEs, to make BAs subject to most of the same privacy and security requirements and prohibitions on marketing as CEs, prohibiting the sale of protected health information, and expanding the rights of Americans to protect their health information. Health Information Exchanges (HIEs), Regional Health Information Organizations (RHIOs), e-prescribing Gateways, and vendors of CEs who offer personal health records will be treated as BAs and required to enter into Business Associate Agreements. BAs will be required to notify OCR of a breach and the HHS Secretary will be required to post those breaches publicly. “As we move forward with meaningful use of electronic health information, the benefits of HIT can only be fully realized if Americans can expect their health information will be kept private at all times.”

Dr. Blumenthal, the National Coordinator for HIT, then highlighted the several activities by HHS intended to bolster privacy and security of electronic health records. In introducing these efforts, Dr. Blumenthal noted that the proposed rulemaking is derived from the mandate by Congress to create a nationwide, interoperable, private and secure, network of electronic health information. He stated, “Today we make real the phrase “private and secure” for this ambitious project of electronic health record implementation in the United States, through a serious of additional activities designed to protect privacy and security of electronic health information.” He then outlined the efforts as follows:

 Hiring Joy Pritts, as Chief Privacy Officer, who will manage the “Tiger Team,” a subcommittee of the federal HIT advisory committee tasked with examining privacy and security policies needed to assure that health information is secure in the United States. The Tiger Team recently held a hearing on June 29, 2010 to discuss how health information is used and distributed through electronic health information technologies. Dr. Blumenthal noted that there “are lots of electronic health information technologies out there and we need to understand them better.” The Tiger Team is focused on doing that.

 The new HHS HIT infrastructure also will include Regional Extension Centers (RECs) to provide advice to providers, localities and state governments, on how to protect privacy and security of electronic health information. Part of the training will include education on how to do that.

 HHS is working with Howard Schmidt, the Cyber-Security Coordinator under the Obama administration, on a government-wide privacy and security initiative with respect to the privacy and security of health information in cyberspace.

 “Meaningful use,” which is part of the HITECH Act’s electronic health record incentive criteria, will have related obligations for providers on how they must maintain the security of the electronic health information they collect. Blumenthal indicated that “meaningful use” would be defined in a regulation “very shortly.”

 HHS will hold “listening sessions” around the country, listening to consumers, ensuring that whatever we develop has the support of the American people.

Blumenthal emphasized the government’s continuing commitment to ensure that the American people trust the electronic health information system so that their health information is where it is needed at the time they need it.

In response to questions, Sebelius stated that this NPRM does not address the Proposed Breach Notification Rule that went into effect in August 2009. The modified “accounting for disclosures” requirement under HITECH also is not part of this NPRM because HHS has to follow the issuance of standards from Dr. Blumenthal’s office in regard to that issue. Sebelius stated, “We did issue a request for information with respect to accounting for disclosures and we are considering those comments now in how we move forward with accounting for disclosures in an NPRM.” Sebelius stated that “accounting for disclosures” will be clarified through a separate NPRM.

To read the the proposed “privacy and security” rulemaking, click here.  The proposed rule was published in the Federal Register on July 14, 2010.