HHS Releases Proposed Changes to HIPAA Privacy, Security, and Enforcement Rules

Published On: Jul. 09, 2010

Last Updated: Oct. 05, 2020

On July 8, 2010, HHS released a Notice of Proposed Rulemaking (“NPRM”) that includes proposed changes to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy, Security, and Enforcement Rules to implement statutory changes in the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”). If implemented, the proposed changes would:

  • Expand individuals’ rights to access their health information and to restrict certain disclosures of protected health information (“PHI”) to health plans;
  • Expand the definition of “business associate” to include health information organizations, e-prescribing gateways, PHR vendors, and subcontractors that receive, maintain, or transmit PHI on business associates’ behalf;
  • Make the HIPAA Security Rule directly applicable to business associates;
  • Allow HHS to pursue enforcement actions directly against business associates;
  • Implement new limits on the use and disclosure of PHI for marketing and fundraising; and
  • Prohibit the sale of an individual’s PHI without the individual’s authorization.

Copies of the press release and the NPRM can be found here. The 60-day comment period will officially begin on July 14, 2010.

In conjunction with the release of the NPRM, HHS also launched a new privacy website with information about HHS privacy policies and initiatives.