New proposed rules released on implementing more HITECH provisions

Today the Office of Management and Budget (OMB) announced that it has completed its review of a set of proposed rules on implementing various privacy, security, and enforcement provisions of the the Health Information Technology for Economic and Clinical Health (HITECH) Act, and the Office of the National Coordinator (ONC) released a copy of the Notice of Proposed Rulemaking, which will be published in the Federal Register on July 14. As we noted a few months ago when ONC announced its intentions to address additional HITECH provisions, the new proposed rules cover several very different aspects contained in Subtitle D of the law. The current proposed rules do not address some key provisions in the law for which rules have already been finalized, notably including health data breach notification requirements and stiffer civil penalties for violations of the HIPAA Privacy Rule, or provisions about which ONC is still soliciting public input before drafting new rules, such as changes to accounting of disclosure requirements for HIPAA-covered entities. Provisions the current NPRM does address include:

  • Application of HIPAA Security Rule and Privacy Rule provisions directly to business associates, instead of making covered entities responsible for the compliance of their business associates
  • Circumstances under which individuals may request (and providers must honor such requests) that specific protected health information not be disclosed — for instance the law affords such a right when patients pay out-of-pocket for treatment
  • New restrictions on specific uses of personal health information, including for marketing and fundraising, and prohibition on the sale of patient information without prior authorization
  • Requirements that entities disclosing data limit that disclosure to the minimum necessary for the purpose in question; specific standards for minimum data associated with specific purposes are still to be developed
  • Individual rights to receive a copy of whatever information a covered entity has stored about them

The proposed rules are subject to a 60-day comment period, starting from the date of publication (anticipated to be next week), so despite the statutory effectiveness date of February 18, 2010 for most of the HITECH provisions, their formal implementation may not take place before the end of the federal fiscal year in September.