The Department of Health and Human Services (HHS) issued a notice of proposed rule making to implement HITECH Act modifications. The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, requires HHS to modify the Health Insurance Portability and Accountability Act (HIPAA) privacy, security and enforcement rules to strengthen the privacy and security protections for health information.
Some highlights of the proposed modifications to the HIPAA rules include:
Story Continues Below Advertisement
KenQuest provides all major brands of surgical c-arms (new and refurbished) and carries a large inventory for purchase or rent. With over 20 years in the medical equipment business we can help you fulfill your equipment needs
--A proposal to make clear that the security provisions also apply to business associates. Business associates can include third party administrators or pharmacy benefit managers for health plans, claims processing or billing companies, transcription companies and persons who perform legal, actuarial, accounting, management or administrative services for covered entities and require access to protected health information.
--In addition, HHS proposes to modify the definition of "business associate" to explicitly designate a health information exchange organization, e-prescribing gateway, or regional health information organization as business associates. HHS also proposes to amend the definition of "business associate" to include subcontractors. HHS also proposes to add patient safety activities to the list of functions and activities give rise to a business associate relationship.
--The proposals establish new limitations on the use and disclosure of protected health information for marketing and fundraising purposes. HHS proposes to maintain the general definition of marketing as "making a communication about a product or service that encourages recipients of the communication to purchase or use the product or service." HHS wants to propose to include three exceptions to the definition.
The first exception would be a health care operations communication, such as one describing a health-related product or service that is provided by the covered entity making the communication. The second exception would be for communications regarding refill reminders currently being prescribed for the individual. The third exception would be communications about health-related products or services by a health care provider to an individual.
--HHS is also proposing to require a covered entity to obtain an authorization for any disclosure of protected health information in exchange for direct or indirect remuneration. The authorization must state that the disclosure will result in remuneration to the covered entity.