The Department of Health and Human Services (HHS) this morning (July 8, 2010) held a press conference to announce a Notice of Proposed Rule Making (NPRM) concerning the privacy, security and enforcement provisions of the Health Insurance Portability and Accountability Act (HIPAA) of 1996.

The proposed modifications would extend parts of the HIPAA Privacy Rule and virtually all of the Security Rule to the business associates of HIPAA-covered entities, impose new limits on the use and disclosure of protected health information (PHI) for marketing, prohibit the sale of protected health information without patient consent, expand individuals’ rights to access their information and permit patients to restrict the disclosure of certain information to health plans.  

In addition, the proposed rule will strengthen and expand HIPAA’s enforcement provisions. 

The NPRM is now subject to a 60-day public commentary period before becoming a Final Rule enforceable by the agency.

The modifications to HIPAA follow a strengthening of the act’s provisions contained in the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, which elevated business associates to the same direct enforcement status as covered entities. (Business associates often perform the accounting, billing and record-keeping functions of primary health care providers, which are considered covered entities.)

The NPRM introduced and entered into the Federal Register today further defines what constitutes a business associate and broadens the category significantly. It also proposes a 180-day grace period for the enforcement of any new HIPAA provisions.

Employers who maintain health insurance and/or health records for their employees will be affected, even if indirectly, by these and subsequent changes to HIPAA. However, you can easily keep abreast of changes and fulfill all compliance requirements with a subscription to Personnel Concepts’ HIPAA Compliance Poster and Newsletter.