The Impact of New HHS Rules for Health Information Privacy and Security

Michael Bilancieri
Feb 03, 2012

The U.S. Department of Health and Human Services (HHS) recently announced new rules on health information privacy and data security that everyone involved in healthcare IT (HIT) should understand.

By now you’ve likely seen these rules. The Healthcare IT Consultant blog has a good synopsis of the news that drills down into the aspects most relevant to the Imprivata community. Pulling the key points from that blog and summarizing the primary requirements of the rules, here are some things to consider:

  • Expanding individuals’ rights to access their information and to restrict certain types of disclosures of protected health information to health plans.

As was confirmed at the HIT Policy Committee Technology Hearing a couple of weeks ago, patients today have no practical way to restrict disclosure of their PHI. Patients can fill out HIPAA paperwork at the doctor’s office, but signing a form does not by itself restrict where their data flows; the systems that hold the data rarely enforce the request. These new HHS rules should trigger a wave of innovation, process overhaul and investment in new technologies to help the healthcare industry meet this directive and give individuals real rights and controls over their own protected health information (PHI).

However, there is still tremendous work to do, and until it is done it is crucial for hospitals to put safeguards in place so that PHI is accessed only by authorized personnel with a legitimate need, and to eliminate any potential misuse of PHI. In addition, until total privacy can be ensured, hospitals need to actively monitor and track every access to PHI and act on what they find, including diligently notifying patients when their PHI has been exposed, or even potentially exposed, in a security breach, or face the penalties enforced under the HITECH Act.

  • Requiring business associates of HIPAA-covered entities to be under most of the same rules as the covered entities;

This mandate extends protection of PHI beyond the main healthcare entity, ensuring that PHI handed to business associates carries the same protections and requirements it has inside the covered entity. The true value of PHI lies not in siloed containment but in its appropriate, approved sharing with doctors and other entities to best serve the patient. Strengthening the rules by holding business associates to the same policies is a logical step toward securing PHI and the integrity of the entire healthcare ecosystem. In conjunction with this, proactively monitoring direct and indirect business associates’ activities involving PHI lets privacy officers spot and act on suspect activity quickly and efficiently. These protections should follow PHI wherever it is used.
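The two monitoring points above, appropriate access by workforce members and business associates staying within their contracted scope, together with the patient-requested disclosure restriction from the first bullet, all reduce to checks over the access audit trail. The following is an added illustration, not code from the original post or from any Imprivata product. The log format, the role names, the care-team and business-associate scope tables, and the bulk-access threshold are all assumptions constructed for the example; a real deployment would pull them from the EHR's audit log, scheduling/ADT data, and BA contracts.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit-log lines (hypothetical; not from any real system).
# Assumed format: ISO timestamp | user | role | patient_id | action
SAMPLE_LOG = """\
2012-02-03T08:01:10 | jsmith | nurse          | P1001 | view
2012-02-03T08:05:42 | jsmith | nurse          | P1002 | view
2012-02-03T08:06:01 | jsmith | nurse          | P1003 | view
2012-02-03T08:06:30 | jsmith | nurse          | P1004 | view
2012-02-03T09:15:00 | dlee   | physician      | P1001 | view
2012-02-03T10:20:15 | claims | health_plan    | P1002 | disclose
2012-02-03T11:00:00 | billco | business_assoc | P1003 | view
2012-02-03T11:02:00 | billco | business_assoc | P1004 | view
"""

# Assumed reference data. In practice these come from the EHR/ADT system
# (care teams), BA agreements (scope) and patient consent records (restrictions).
CARE_TEAMS = {"P1001": {"jsmith", "dlee"}, "P1002": {"jsmith"},
              "P1003": {"dlee"}, "P1004": {"dlee"}}
BA_SCOPE = {"billco": {"P1003"}}               # patients each BA may handle
RESTRICTIONS = {"P1002": {"health_plan"}}      # roles a patient has opted out of


def parse_log(text):
    """Parse the pipe-separated audit lines into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, role, patient, action = [f.strip() for f in line.split("|")]
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "patient": patient, "action": action})
    return events


def audit_phi_access(events, care_teams, ba_scope, restrictions,
                     bulk_threshold=4, window=timedelta(minutes=10)):
    """Return (user, patient, reason) findings for PHI accesses that need review."""
    findings = []
    for e in events:
        # 1. Patient-requested restriction on disclosure to a given role.
        if e["role"] in restrictions.get(e["patient"], set()):
            findings.append((e["user"], e["patient"], "restricted disclosure"))
            continue
        # 2. Business associates may only touch patients within contracted scope.
        if e["role"] == "business_assoc":
            if e["patient"] not in ba_scope.get(e["user"], set()):
                findings.append((e["user"], e["patient"],
                                 "outside business associate scope"))
        # 3. Clinical staff need a treatment relationship (care-team membership).
        elif e["role"] != "health_plan":
            if e["user"] not in care_teams.get(e["patient"], set()):
                findings.append((e["user"], e["patient"],
                                 "no treatment relationship"))

    # 4. Bulk access: many distinct patients by one user in a short window
    #    (possible record harvesting), flagged once per user.
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda ev: ev["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = {ev["patient"] for ev in evs[start:end + 1]}
            if len(distinct) >= bulk_threshold:
                findings.append((user, "*",
                                 f"{len(distinct)} distinct patients within {window}"))
                break
    return findings


def run_example():
    """Run the checks over the constructed sample log."""
    return audit_phi_access(parse_log(SAMPLE_LOG), CARE_TEAMS, BA_SCOPE, RESTRICTIONS)


if __name__ == "__main__":
    for user, patient, reason in run_example():
        print(f"{user:8} {patient:6} {reason}")
```

The care-team check is deliberately role-scoped: a health plan or business associate has no treatment relationship by design, so it is judged against the consent and scope tables instead. Whatever tables you use, the findings should feed a review queue with the original log line attached, since the same events are the evidence you will need for breach determination and notification.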

  • Setting new limitations on the use and disclosure of protected health information for marketing and fundraising; and
  • Prohibiting the sale of protected health information without patient authorization.

These two are very interesting, and often overlooked. They are critical to limiting abuse and misuse of PHI precisely because there is money to be made from it; without an explicit prohibition, some entities would use or sell PHI with no regard for the patient. PHI has real market value, and restricting its use in this way will have ripple effects that our industry is only now beginning to understand.

What are your thoughts on these new rules? How do they impact your organization?

-Michael