Earlier today, the Department of Health and Human Services announced proposed modifications to the HIPAA Privacy Rules, calling them the most significant changes in HIPAA since 2003, when the HIPAA Security Rules were adopted. The propose changes include:
- provisions extending the applicability of certain of the Privacy and Security Rules’ requirements to the business associates of covered entities;
- establishing new limitations on the use and disclosure of protected health information for marketing and fundraising purposes;
- prohibiting the sale of protected health information, and expanding individuals’ rights to access their information and to obtain restrictions on certain disclosures of protected health information to health plans; and
- expanding HIPAA’s enforcement provisions to business associates.
HHS intends to provide covered entities and business associates with 180 days beyond the effective date of the final rule to come into compliance with most of the rule’s standards (but apparently that additional time does not extend to its proposed enforcement provisions).
The public is invited to comment on the provisions of the proposed rule for 60 days following publication in the Federal Register at Regulations.gov.
We are still reviewing the 234 pages of proposed regulations and will have more to say about them shortly.