Sizing Up the HIPAA Revamp
So what do you think? We'd like to hear from you.
The Health Information Technology for Economic and Clinical Health Act, more commonly known as the HITECH Act, mandated that regulators prepare the HIPAA updates by Feb. 19. The Department of Health and Human Services' Office for Civil Rights was tardy in unveiling its proposal, which was released July 8. But that's somewhat understandable, given the complexity of the 234-page document, which also had to be reviewed by the Office of Management and Budget.
If you have strong feelings about items in the proposal that need refinement, or subjects that were overlooked, you owe it to yourself to submit a comment to federal regulators.
By more clearly spelling out the responsibilities of "covered entities," such as hospitals, clinics and insurers, as well as their business associates, the proposal would take some of the guesswork out of HIPAA compliance.
In a particularly welcome move, the proposal would expand the definition of business associates to include personal health records vendors, health information exchanges and patient safety organizations. This would help ensure patient information is protected no matter where it travels.
But a PHR vendor would not be considered a business associate unless it had a contract with a covered entity to offer a PHR to patients as part of the covered entity's electronic health record. Thus, the rule apparently does not address PHRs offered directly to consumers by Microsoft, Google and others.
Meanwhile, some consumer advocates are happy that the proposal clearly spells out that patients have a right to receive an electronic copy of their records and to, in some cases, restrict how their information can be used.
Within the pages of its voluminous proposal, the Office for Civil Rights solicits comments on specific issues, such as using patient information for research. And the proposal makes it clear that the final version likely will include many revisions, based on the feedback received.
So if you have strong feelings about items in the proposal that need refinement, or subjects that were overlooked, you owe it to yourself to submit a comment to federal regulators.
In the meantime, we encourage you to use HealthcareInfoSecurity.com to start a dialogue with your peers. You can submit your comments in the space directly below this blog.
Do you think the proposed HIPAA revamp is a major step forward in protecting patients' privacy rights?
Will compliance with the proposed revisions be onerous for your organization? What will be the biggest challenges?
Let us know what you think.
Federal regulators still have a lot of work to do in developing other privacy and security rules. Perhaps the toughest task will be devising a practical way to enable patients to obtain an accounting of everyone who has viewed their records, as mandated in the HITECH Act.
But keep this in mind: If patients don't trust that their electronic records will remain private, and that only those who have a legitimate reason to view their information can access it, the consequences could be dire. The effort to bring healthcare's use of information technology up to speed with other industries could fail. And we can't afford to let that happen because IT holds such great promise for improving the quality of care.