The Report on Patient Privacy reports that last month NCVHS sent new sets of recommendations to Secretary Leavitt. What's more, AHIC's Confidentiality, Privacy and Security Group sent its own recommendations to Secretary Leavitt and held a meeting on "relevant HIPAA requirements," at which Prof. Rothstein testified on the need for privacy protection beyond the HIPAA Privacy Rule.
The upshot of the Report's article is that both advisory groups are coalescing around an approach that would scrap the business associate provisions of the HIPAA Privacy and Security Rules in favor of Congress extending those rules directly to business associates and all health care providers and vendors who handle protected health information. However, according to the Report, HHS HIT National Coordinator Robert Kolodner may not be on board with this approach.
As previously noted in the FEHBlog, the Senate Health Education Labor and Pensions Committee approved the Wired for Health Care Act of 2007 on June 27. At the markup, according to Government HIT News:
During committee consideration, it was amended to require that AHIC recommend policies and methods “to preserve the individual’s ability to control the acquisition, uses and disclosures of individually identifiable information.”
This change does not go so far as the approach described in the Report on Patient Privacy. The NCVHS approach would impose quite an administrative burden on small businesses and government agencies.
The bill also would extend the privacy rules of the Health Insurance Portability and Accountability Act of 1996 to health records banks and exchanges.