The U.S. Department of Health and Human Services (HHS) announced July 8 proposed regulations under the Health Insurance Portability and Accountability Act (HIPAA) that are intended to further strengthen the privacy of personal health information (PHI).

“The benefits of health IT can only be fully realized if patients and providers are confident that electronic health information is kept private and secure at all times,” said Georgina Verdugo, HHS Office for Civil Rights (OCR) director at HHS.

Through the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, the proposed regulations include broader individual rights and stronger protections when third parties handle individually identifiable health information.

The proposed rule seeks to strengthen and expand enforcement of the HIPAA Privacy, Security and Enforcement Rules by:

• expanding individuals’ rights to access their information and restrict certain disclosures of PHI to health plans;
• requiring business associates of HIPAA-covered entities to be under most of the same rules as covered entities;
• setting new limitations on the use and disclosure of PHI for marketing and fundraising; and
• prohibiting the sale of PHI without patient authorization.

To further quell the fears of consumers, HIPAA-covered entities are required to perform regular risk analysis under the Electronic Health Record Incentive Program final rule, released July 13. The OCR issues periodic guidance on the provisions in the HIPAA Security Rule to assist organizations in identifying and implementing safeguards to protect electronic PHI.

Providers and other stakeholders are encouraged to read the proposed rule and offer comments during the 60-day comment period, which officially opened July 14.

HHS says it is also looking more closely at entities that are not covered by HIPAA rules to better understand how they handle PHI and to determine whether additional privacy and security protections are needed for these entities.

4 Responses to “HHS Proposes New HIPAA Privacy Rule Regulations”

1. Stephanie Jones Says:
   July 21st, 2010 at 10:43 am

   I am currently in a struggle with the Privacy Officer at the Lapeer Regional Medical Center, in Lapeer, Michigan. This hospital, after my very strong statement at the time of providing the hospital with my insurance information that covers my step-daughter, whom lives near Lapeer, provided my step-daughter’s mother with my BCN contract number on a statement that was sent to her. Now she is able to get through the BCN automated system at any time, to access my information. I am infuriated that this has happened, yet after one conversation with this man, whom told me he would talk to his biling department & get back to me the same day, has not had the nerve to contact me in over a week now. This hospital is in violation of my HIPPA protection. The step-daugther’s mother does not have a amicable relationship with my husband or I, which is why I refused to provide her with a copy of my insurance card. However she is in fact extremely friendly with my other step-daughter’s mother, and I am sure my contract number has been passed on to her as well.

   Through several hours of phone calls to BCN, I am trying to get a password set up to protect my information whenever anyone calls into BCN & speaks to a customer service representative. However, I have been told this is being reviewed by BCN’s legal department, to see if it is even possible to have this done. They will not guarantee that they can do this. That in itself, seems to be a violation of the HIPPA laws.

   I have given thought to hiring a lawyer, however I am certainly not in a financial position to do so. Coders do not make excellent money in the area I live in, although it is much better than most jobs available in Jackson, Michigan. There has to be consequences to these providers that knowingly provide information to other parties, after specifically being told not to release ANY of my information to ANYONE. I am strongly for tougher HIPPA laws, and consequences when they are broken. These women now have access to all of my information, can pretend to be me, and do whatever they want with my policy. This frightens me daily.

   Thank you for allowing me to post this information on your website. A warning should go out to all those who are in situations like mine, and indeed to everyone. HIPPA states my information is protected…however this certainly does not seem to be true at this time.

   Sincerely,
   Stephanie Jones, CPC

2. Linda Krarup, CPC Says:
   July 21st, 2010 at 11:54 am

   Stephanie,
   I appreciate your post. I have a similar situation with two stepdaughters and, although I haven’t had problems to the extent you have, I have had issues and concerns with not only my information, but my husband’s and our son’s information being accessed by my step-daughters’ mother. Fortunately the insurance companies and facilities that we have had coverage and medical care with have been sensitive to my situation and have had me sign a permission form that I completed that stated what information she has access to and have been able to have notations made in their systems that flag them to clarify specifically to whom they are speaking to before giving any information. I believe that more needs to be done to protect those of us with meddling ex’s and step-children.

3. Tami Says:
   July 26th, 2010 at 12:41 pm

   While working with medical billing I understand the conflict of privacy vs quality service. Sometimes a different perspective can help.

   I am a divorced parent who has paid thousands of dollars in uncovered medical bills due to the fact that I had no access to insurance information from my ex husband. My childrens father would not even provide me with an member id # so claims could be filed. Due to HIPAA regulations the insurance companies also could not release this information. Since he was primary insurance I could not file claims to my insurance with out it first going to his. The solution to my situation was to file a court order allowing my insurnace primary insurance coverage due to the fact I had primary placement of the children.

   Providing the other parent with insurance member numbers is very important. However beyond that, no information should be given to anyone not listed as a parent or legal guardian.

   Side note to Stephanie Jones – Kids are worth any hardship. It’s people who judge you falsely that you need to watch out for.

4. Joan L. North CPC-A Says:
   November 15th, 2010 at 6:13 am

   Recently 25 medical transcriptionist were let go from a local hospital. There jobs were out-sourced to India. I also know of one medical coder who suffered the same fate. Many letters sent to our local paper are very concerned about this sensitive material being sent overseas. How does HIPPA rules address this issue?

Add a Comment

Name (required)

Email Address (will not be published) (required)

Attention: AAPC does not regularly monitor comments posted here. For customer service issues, contact us. In addition, we recommend posting your questions to the AAPC forums.

CAPTCHA Code *