New HITECH-driven privacy rules forthcoming from HHS
The Department of Health and Human Services announced its plans to propose a new set of rules strengthening the privacy and security of protected health information. The rules will implement various provisions of the Health Information Technology for Clinical and Economic Health (HITECH) Act, which served to augment protections originally established under HIPAA. The forthcoming rules will make explicit several of the changes in the privacy portion of the HITECH Act (Subtitle D, §§ 13400-13410). The public notice announcing the intent to issue rules gives no details on which specific aspects of the law the rules will address, but based on a short note posted by HHS, the current focus seems to be on business associate liability for complying with HIPAA Privacy and Security Rule requirements; limits on the sale of protected health information; an improved right of access by individuals to their health data; and new restrictions on personal data disclosure. Rules have already been released for some of the other privacy provisions in this same section of the law, covering health data breach notification and stronger enforcement of HIPAA Privacy Rule violations, including a private right of action for individuals. The legal actions initiated by the Connecticut Attorney General against HealthNet after its data breach were made possible by those enforcement rules. Looking at the text of the law in these areas, the new rules appear likely to cover the following:
- The change in liability for business associates (§13401), which under HIPAA had no direct accountability for violations of the Privacy or Security rules (instead, the covered entity with which the business associate had a contractual agreement was liable for its business associates’ violations). Now business associates are directly accountable for violations, including being subject to the civil and criminal penalties for violations that were also strengthened in HITECH.
- Restrictions on the sale of protected health information, without explicit consent by the individual, subject to several exceptions (§13405(d)), notably including purposes of public health, research, treatment, health care operations, or situations such as providing an individual with a copy of his or her record (yes, they can charge you for that) or moving data between covered entities and business associates doing processing on behalf of the entity.
- The requirement that individuals be able to get a copy of whatever data a covered entity has stored electronically about them, and/or to direct that information to a designated entity (like a new doctor) (§13405(e)). This one might seem counter-intuitive, as most people believe that they own their own health record data, but that’s just a privacy principle, not a legal right. This provision in HITECH doesn’t resolve the data ownership question, but it does give you the right to request your data and obligates the entity to give it to you; it also says any fee you are charged can’t be more than the entity’s labor cost to give the record to you.
- New rules limiting the amount of data disclosed about an individual (§13405(a)). This provision in the law has a couple of different aspects. First, there is a rule that says if you ask a covered entity (say, your doctor) not to disclose your personal health information, and you pay out of pocket for the services you receive from the entity, then the entity has to comply with your request not to disclose the data, unless the disclosure is for treatment. Under HIPAA, disclosure for treatment, payment, or the somewhat-vaguely-defined “health care operations” did not require the entity to get your consent, or even to comply with your wishes about disclosure if you had expressed them. This rule changes that, except in cases of treatment. This section of the law also obligates an entity that discloses protected health information to limit the disclosure to the minimum necessary for the purpose for which the data was requested. This means, for example, that an entity should not disclose your whole medical record to someone asking for information about payment for a specific service you received. This part of the rules will be interesting to see, because the determination of “minimum necessary” is left up to the entity doing the disclosing, and there really are no standards or guidelines on what the minimum data is for any of the anticipated purposes for use in health information exchange.