Along with death and taxes, there’s another guarantee in life: the Federal Government will make changes to the HIPAA regulations.
Joseph Goedert, of Health Data Management published today details of changes that are schedule to occur in May which will modify the HIPAA privacy and security rules mandated under the HITECH Act.
This shouldn’t be a surprise to anyone, as both HIPAA and HITECH Acts came out and made grand statements of expectation, but gave no real details.
It should be noted that, while the Fed’s are good at making deadlines for themselves, they don’t always meet those deadlines.
For instance, HHS missed a HITECH-imposed February 2010 deadline to issue a number of proposed rules that would:
- Clarify that certain entities are business associates and extend certain privacy and security rule provisions to business associates;
- Modify privacy rule provisions regarding the right to request restrictions, minimum necessary, access, marketing and fundraising;
- Modify the HIPAA enforcement rule to implement revised and enhanced penalties for privacy rule violations.
Other regulations with HITECH-imposed deadlines of June or August that may or may not be in the rule expected in May include:
- Modify the privacy rule’s accounting of disclosures provisions;
- Improve enforcement of the privacy rule, including enhanced penalties for serious violations; and
- Modify the privacy rule to generally prohibit exchanging health information for remuneration without individual authorization.
HITECH also mandates HHS during 2010 to issue a series of guidance documents, several of which had a missed February deadline, covering the privacy and security of health information. The guidance covers:
- Technical safeguards to carry out security;
- Privacy rule requirements for de-identification of protected health information;
- The privacy rule’s definition of “psychotherapy notes” with regard to including certain test data and mental health evaluations; and
- What constitutes “minimum necessary” for purposes of the privacy rule, such as disclosures of protected health information.
As rules are added, changed or updated, we’ll keep you posted.