Risk
7/13/2010
10:03 AM
50%
50%

New HHS Rules Would Expand Patients' Rights To Control Data

Proposed rules seen as a crucial step toward adoption of electronic health information exchange

The Department of Health and Human Services has announced new rules that expand patients' rights to make decisions regarding their health records, including giving patients the ability to restrict the use of information for marketing purposes, and granting them greater control over the sale of their health information.

The proposed rules are seen as a crucial step as the Obama administration promotes the adoption of electronic health information exchange, and has set the goal of providing every citizen with an electronic medical record (EMR) by 2014.

Announced on Thursday, the policies would strengthen and expand enforcement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy, security, and enforcement rules in several ways.

The rules call for the expansion of individuals' rights to access their information and to restrict certain types of disclosures of protected health information to health plans. It also requires business associates of HIPAA-covered entities to be under most of the same rules as the covered entities.

The proposed modifications to the HIPAA privacy & security rules also establish new limitations on the use and disclosure of protected health information for marketing and fundraising, and prohibits the sale of protected health information without a patient's consent.

"To improve the health of individuals and communities, health information must be available to those making critical decisions, including individuals and their caregivers," HHS secretary Kathleen Sebelius said in a statement. "While health information technology will help America move its healthcare system forward, the privacy and security of personal health data is at the core of all our work."

Through the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, current health information privacy and security rules will now include broader individual rights and stronger protections when third parties handle individually identifiable health information.

"Giving more Americans the ability to access their health information wherever, whenever, and in whatever form is a critical first step toward improving our healthcare system," David Blumenthal, HHS national coordinator for health information technology, said in a statement. "Empowering Americans with real-time and secure access to the information they need to live healthier lives is paramount."

HHS has also launched a privacy website to help the public easily access information about existing HHS privacy efforts and the policies supporting them.

Led by the Office of the National Coordinator for Health Information Technology and the HHS Office for Civil Rights, HHS is working with public and private partners to ensure that patients' health information is protected and secure.

Once the rule is published in the Federal Register on July 14, a 60-day comment period will begin during which time the public is invited to give their feedback and suggestions concerning the proposed rules.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8893
Published: 2015-01-28
Multiple cross-site scripting (XSS) vulnerabilities in (1) mainpage.jsp and (2) GetImageServlet.img in IBM TRIRIGA Application Platform 3.2.1.x, 3.3.2 before 3.3.2.3, and 3.4.1 before 3.4.1.1 allow remote authenticated users to inject arbitrary web script or HTML via a crafted URL.

CVE-2014-8894
Published: 2015-01-28
Open redirect vulnerability in IBM TRIRIGA Application Platform 3.2.1.x, 3.3.2 before 3.3.2.3, and 3.4.1 before 3.4.1.1 allows remote authenticated users to redirect users to arbitrary web sites and conduct phishing attacks via the out parameter.

CVE-2014-8895
Published: 2015-01-28
IBM TRIRIGA Application Platform 3.2.1.x, 3.3.2 before 3.3.2.3, and 3.4.1 before 3.4.1.1 allows remote attackers to bypass intended access restrictions and read the image files of arbitrary users via a crafted URL.

CVE-2014-8917
Published: 2015-01-28
Multiple cross-site scripting (XSS) vulnerabilities in (1) dojox/form/resources/uploader.swf (aka upload.swf), (2) dojox/form/resources/fileuploader.swf (aka fileupload.swf), (3) dojox/av/resources/audio.swf, and (4) dojox/av/resources/video.swf in the IBM Dojo Toolkit, as used in IBM Social Media A...

CVE-2014-8920
Published: 2015-01-28
Buffer overflow in the Data Transfer Program in IBM i Access 5770-XE1 5R4, 6.1, and 7.1 on Windows allows local users to gain privileges via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
If youíre a security professional, youíve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.