Posted on April 28, 2010 by Steve Fox and Vadim Schick
.gif)
HHS's Office of Civil Rights (OCR) filed a notice in the Federal Register lifting a requirement preventing OCR from posting names of sole practitioners who suffer breaches of patient data without first obtaining consent from such practitioners. Pursuant to the HITECH Act, any covered entity reporting a breach affecting over 500 individuals must report such breach to HHS, and HHS will post a notice of such breach on its web site. At the same time, HHS did not post names of individual physician practices (e.g., sole practitioners) without such physicians' consent because they deemed the name of the physician to be protected under the Privacy Act of 1974. Instead, HHS listed such breaches under "private practice." However, OCR announced on April 16, 2010, that "it will begin posting on its breach notification web site the names of entities they consider "individuals" regardless of whether or not those entities give consent." According to HealthLeaders Media, the rule will become effective after the comment period closes (about May 23, 2010).
- Government Health IT reports that OCR will issue more privacy and security rules mandated by the HITECH Act in May 2010, including rules regarding business associate liability; new limitations on the sale of protected health information, marketing, and fundraising communications; and stronger individual rights to access electronic medical records and restrict the disclosure of certain information. According to HHS, "OCR continues work on a Notice of Proposed Rulemaking (NPRM) regarding these provisions. Although the effective date (February 17, 2010) for many of these HITECH Act provisions has passed, the NPRM and the final rule that follows will provide specific information regarding the expected date of compliance and enforcement of these new requirements."
- On April 23, 2010 HIT Policy Committee's privacy and security workgroup revealed a draft technical framework for patient consent requirements, titled Basic Patient Privacy Consent (BPPC). According to Federal Computer Week, the draft framework includes "at least 12 types of patient consents, including implicit and explicit opt-out and opt-in, authorizations for specific research projects and authorizations for use of the document but not for republishing."
Trackbacks (0)
Links to blogs that reference this article
Trackback URL
http://www.healthitlawblog.com/admin/trackback/199714
