The U.S. Department of Health and Human Services (HHS) has proposed modifications to the 1996 HIPAA privacy and security rules to incorporate changes Congress included in the 2009 federal economic stimulus package. The draft rule would allow patients to restrict certain disclosures to health plans and prohibit personal information from being sold without their consent.
The rule also proposes treating billing companies, customer service contractors and other businesses the same as physicians, hospitals and insurers, which would subject them to fines and penalties if they violate privacy regulations. Earlier this year, HHS significantly increased the maximum penalty for HIPAA violations, to $50,000 per violation and $1.5 million annually.
The proposed rule would also:
- Grant individuals greater access to their personal data;
- Limit certain personal information disclosures to health plans; and
- Strengthen the federal Office for Civil Rights’ regulatory power over HIPAA’s privacy and security provisions.
The proposed changes were mandated by the HITECH Act, which was included in the economic stimulus package and designed to encourage hospitals and physicians to adopt electronic health records. The draft rule is open for public comment for 60 days, beginning July 14. Instructions for submitting comments are included as part of the proposed rule.