On July 8, 2010, the Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS) issued its long awaited (and for some, dreaded) proposed changes to HIPAA. While several of the changes are merely ‘procedural’, I find that there are significant changes to certain sections – with some loopholes closed.
I listed below these changes that are not merely procedural, and included my thoughts as to their meaning. As always, I am available to consult – and repeat: “I am not an attorney”.
- The first major change is to Subpart A—General Provisions, Section 160.103—Definitions. OCR proposes a change whose purpose is to close the loopholes around the definitions of a ‘business associate’. This is significant, because until now the assumption in some circles was that subcontractors were exempt for many HIPAA provisions. Of course, that lead to some organizations creating their own ‘subcontractors’ for purposes of sheltering from the regulations.
Medical Error Finders
- Another change suggested is the inclusion of Patient Safety Organizations. These organizations, from their very essence, must handle PHI and thus already should have been included. OCR is requesting specific inclusion of these organizations, or, in their words: “to more clearly align the HIPAA and Patient Safety Rules.”
- The next change relates to the request to specifically include Health Information Organizations (HIO), E-Prescribing Gateways, and Other Persons That Facilitate Data Transmission; as well as Vendors of Personal Health Records. Again, OCR notes that HITECH (Section 13408) includes these types, but is asking for specific, explicit, inclusion
I see dead people
- The next change requests a declaration that a person’s health records are no longer covered under the Acts if fifty (50) years or more have passed since his death. That is an interesting change, and I wonder what prompted it.
What is a State?
- This change notes that the US Virgin Islands and American Samoa were left out (by error?) from the original bill and asking for the correction to include these territories.
- With regard to Subpart C—Compliance and Investigations, Section 160.310—Responsibilities of covered entities, the proposed changes would have large PRIVACY impact. Currently the HIPAA law only allows the secretary of HHS to disclose PHI under very limited guidelines. Under the proposed change, to which I am adamantly opposed, the Secretary will now be allowed to share Personal HEALTH data with many other agencies (imagine the IRS knowing which hospital you are in and why).
More to come in the next blog entry.
You can find the proposed changes to HIPAA and HITECH also here (PDF)