The proposed rules, released July 8, 2010, would:
- Expand individuals’ rights to access their information and to restrict certain types of disclosures of protected health information to health plans
- Require business associates of HIPAA-covered entities to be under most of the same rules as the covered entities
- Set new limitations on the use and disclosure of protected health information for marketing and fundraising
- Prohibit the sale of protected health information without patient authorization.
Although the new rules will mainly affect how health care providers and insurance companies conduct their business, HR professionals can expect to get questions from employees concerned about the privacy of the information insurance carriers may have access to.
Some definitions of HIPAA terms:
- Covered entities — health care providers and institutions (such as clinics and hospitals), as well as health insurance companies.
- Business associates — third-party administrators of health and pharmacy benefits, claims processors, billing companies, medical transcribers and others who deal with covered entities.
What it means for HR: For the most part, it will be up to your insurance carrier to ensure that its business associates comply with the proposed rules. However, as part of your due diligence, you should make sure your carrier has plans in place to monitor and enforce business associate compliance.
Technically, the proposed rules add enforcement muscle and privacy guidance to the Health Information Technology for Economic and Clinical Health Act (HITECH), part of the American Recovery and Reinvestment Act stimulus law. HITECH was designed to encourage better health care delivery by collecting data on which clinical practices produce the best health outcomes.
The new HHS HIPAA rules address privacy concerns voiced by many opponents of the stimulus law and the health care reform law that went into effect earlier this year.
Following a 60-day comment period, the proposed rules will take effect in September.