On July 8, 2010, the Department of Health and Human Services (“HHS”) issued new proposals on health privacy to implement the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, enacted as part of federal stimulus legislation in February 2009. The proposed rules would amend the existing Privacy Rule, Security Rule, and Enforcement Rule under the Health Insurance Portability and Accountability Act (“HIPAA”).  

As mandated by the HITECH Act, the proposals would require business associates of HIPAA-covered entities to comply with most requirements of the Privacy and Security Rules. Notably, HHS further proposes applying the new privacy and security requirements to subcontractors of business associates. The rules would also implement HITECH Act provisions regarding:  

  • New rights for individuals to access their protected health information and to restrict certain disclosures,  
  • Tighter limits on the use and disclosure of protected health information for marketing and fundraising, and  
  • Restrictions on the sale of protected health information without patient authorization.  

Comments may be submitted until September 13, 2010. HHS has stated that entities will have 180 days after publication of the final rule to come into compliance with the new requirements.  

In conjunction with issuing the proposed rules, HHS also updated its website where notices of large data breaches are published and launched a new webpage designed to help visitors easily access information about HHS privacy efforts.  

On July 13, 2010, HHS also announced final rules that (1) define “meaningful use” of electronic health record (“EHR”) technology for the purpose of receiving federal incentive payments, and (2) identify the criteria for certifying EHR technology.