The Proposed Privacy Standards for Individually Identifiable Health Information were published by the Department of Health and Human Services (“HHS”) in the Federal Register on November 3, 1999. It is expected that the Final Regulations will be released before the end of calendar year 2000.
Background to the Proposed Privacy Standards
HIPAA Data Breach Requirement
The Proposed Privacy Standards were proposed by the Secretary of the DHHS in response to the requirement in HIPAA that the Secretary promulgate a series of standards relating to the electronic exchange of health information, otherwise known as the Administrative Simplification provisions in HIPAA.
HIPAA Required Framework
The legislative authority in HIPAA to promulgate the regulations for the Proposed Privacy Standards contains the following limitations or important aspects: a limited number of entities would be affected by the standards; certain enforcement provisions, including audits for compliance; a private right of action for individuals whose privacy rights are violated; and the Proposed Privacy Standards are applicable only to providers who engage in electronic administrative simplification transactions.
General Overview of the Proposed Privacy Standards
A. Applicability: The requirements of the Proposed Privacy Standards apply to the following entities: a Health Plan; a Health Care Clearinghouse; and a Health Care Provider. HHS proposed that the regulations require covered entities to apply many provisions of the proposed regulations to entities with which they contract for administrative and other services. These entities are referred to as Business Partners.