The U.S. Department of Health and Human Services (HHS) has proposed a new federal healthcare information privacy rule that would let patients restrict access to certain health information and ban the sale of patient data without consent.
The proposed plan to modify the Health Insurance Portability and Accountability Act (HIPAA) of 1996 was announced today by David Blumenthal , head of the Office of the National Coordinator (ONC) for Health Information Technology, and Georgina Verdugo, director of the Office for Civil Rights (OCR).
Blumenthal said during a press conference that the ONC is also working with White House Cyber Security Chief Howard Schmidt on a government-wide private security initiative that will prioritize health care for security improvement with respect to cyber-information.
We want to take full advantage of & what's known within the federal government about protection and security of information, Blumenthal said. Meaningful use & will be defined in regulation very shortly [and] will have related obligations for providers of care in terms of how they maintain the security of the health information that they collect electronically.
In addition to boosting patient rights, the proposal would extend certain privacy and security rule requirements to business associates of organizations already covered by HIPAA rules, and establish new limitations on the use of protected health information for marketing and fundraising purposes.
The new rules proposition will enter a 60-day comment period beginning July 14. Information on how to post comments about the proposal will be available at http://www.regulations.gov.
Verdugo said the new rules would strengthen and expand OCR's ability to enforce HIPAA's Privacy and Security provisions, which is particularly important in light of ongoing efforts to push the adoption of electronic health records (EHRs).
"As we enter in to a new age of electronic health information exchange [it] is more important than ever to ensure greater consumer confidence in the privacy and security of their health information and the industry's use of new technology," she said.
Bill Fawns, director of IT services for the County of Kern, Calif. and interim CIO at the Kern Medical Center in Bakersfield, said current HIPAA rules are adequate and there is no need for additional regulation.
"To be candid, I think there are plenty of rules in place," he said. "In fact, we're constantly meeting with our compliance officer to make sure we're complying with all the regulations. It's hard for me to imagine the sale of patient medical information that isn't de-identified. If it's de-identified, what loss is there to have it out there?"
"And if they're selling patient information that isn't de-identified, then they must have found a loophole in laws that we haven't seen," he added.
The proposed rules would also expand a person's rights to access their information, restrict certain disclosures of protected health information to health plans, and establish new limitations on the use and disclosure of protected health information.
Lucas Mearian covers storage, disaster recovery and business continuity, financial services infrastructure and health care IT for Computerworld. Follow Lucas on Twitter at @lucasmearian, send e-mail to lmearian@computerworld.com or subscribe to Lucas's RSS feed .