On July 8, the Department of Health and Human Services (HHS) released a proposed rule to modify the HIPAA privacy, security, and enforcement rules, extending HIPAA compliance requirements to subcontractors of business associates (BAs) and strengthening patient rights to health information privacy.
According to the Office for Civil Rights (OCR), which enforces the HIPAA privacy and security rules for HHS, the proposed ‘significant’ modifications include:
- A requirement that BAs of HIPAA-covered entities be subject to most of the same rules as the covered entities
- New limitations on the use and disclosure of protected health information (PHI) for marketing and fundraising purposes
- Prohibition of the sale of PHI without an authorization
- Expansion of individuals’ rights to access their information and to restrict certain types of disclosures of PHI to health plans
- Provisions that strengthen and expand HIPAA’s enforcement rule
HHS will receive comments for up to 60 days after the proposed rule’s July 14 publication in the Federal Register, after which it will release an interim final rule. According to HHS, it will give covered entities and BAs 180 days after the final rule becomes effective to comply with most of the provisions.

