New HIPAA rules need more clarification

Tools

When it comes to the new HIPAA privacy and security standards, it seems like everybody has an opinion. Quite a few organizations are spreading the word about the comments they've filed in response to the changes HHS proposed in July.

The American Health Information Management Association wants the HHS Office for Civil Rights to add some detail to the stewardship role providers must play in determining the "minimum necessary" use and disclosure of patient-specific protected health information, Health Data Management reports. Specifically, AHIMA wonders whether one alternative in a forthcoming final rule on HIPAA attachment standards would effectively force providers to violate the "minimum necessary" standard.

OCR should "include a prohibition on health plan access to an individual's PHI under guardianship of a healthcare provider," AHIMA writes in its comments.

Similarly, the Healthcare Information and Management Systems Society would like OCR to provide some guidance on the "minimum necessary standard." HIMSS also wonders whether business associate agreements will still be necessary, because the proposed rules would treat business associates as covered entities.

"It is common for healthcare providers, such as a community hospital, to have hundreds of business associate relationships, and large complex academic medical centers can have over 1,000 business associate relationships to manage," HIMSS says in arguing that a such agreements would be unfairly burdensome on its members under the new regulations.

The National Community Pharmacists Association also wants some clarification, particularly over how pharmacists should handle privacy requests from customers who pay cash, since the proposed regulations would allow self-paying patients to ask providers to limit disclosure of some types of data to payers. "In some cases, such action would violate the pharmacy's contract obligations to third-party payers such as pharmacy benefit managers," the NCPA says.

On the consumer side, the Coalition for Patient Privacy, led by Dr. Deborah Peel's Patient Privacy Rights Foundation, is lobbying hard for the final rule to restore the right to patient consent for PHI disclosure that HHS stripped from the HIPAA privacy rule in 2002.

"We strongly recommend that HHS require the use of the consent and segmentation technologies showcased June 29 at the Consumer Choices Technology hearing sponsored by HHS/ONC for all HIT systems, HIE and the NHIN," the coalition says in its letter. "The innovative, low-cost, effective privacy‐enhancing technologies available that can empower patients to have 'maximal control over PHI' should be viewed as what is possible now, not 10 years from now."

Meanwhile, consulting firm Computer Sciences Corp. has published a white paper to explain the proposed changes to HIPAA privacy, security and enforcement rules called for by the American Recovery and Reinvestment Act.

For more information:
- see this Health Data Management story about AHIMA's comments
- read the AHIMA letter (.pdf)
- take a look at this HDM story about the NCPA's comments
- and here is the actual NCPA letter (.pdf)
- read what HIMSS has to say about the HHS proposal (.pdf)
- take a look at these comments from the Coalition for Patient Privacy (.pdf)
- download the CSC report

Related Articles:
HHS proposes stronger privacy protections under HIPAA
SPOTLIGHT: ONC to seek feedback on NHIN Exchange governance structure
OCR stepping up HIPAA privacy, security enforcement