HHS Strengthens Health Information Privacy and Security through New Rules

HHS Secretary Kathleen Sebelius announced important new rules and resources to strengthen the privacy of health information and to help all Americans understand their rights and the resources available to safeguard their personal health data. Led by the Office of the National Coordinator for Health Information Technology (ONC) and the HHS Office for Civil Rights (OCR), HHS is working with public and private partners to ensure that, as we expand the use of health information technology to drive improvements in the quality and effectiveness of our nation’s health care system, Americans can trust that their health information is protected and secure.

Through the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, current health information privacy and security rules will now include broader individual rights and stronger protections when third parties handle individually identifiable health information.

The proposed rule announced today would strengthen and expand enforcement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Enforcement Rules by:

• expanding individuals’ rights to access their information and to restrict certain types of disclosures of protected health information to health plans.
• requiring business associates of HIPAA-covered entities to be under most of the same rules as the covered entities;
• setting new limitations on the use and disclosure of protected health information for marketing and fundraising; and
• prohibiting the sale of protected health information without patient authorization.

HHS is also looking more closely at entities that are not covered by HIPAA rules to understand better how they handle personal health information and to determine whether additional privacy and security protections are needed for these entities.