The privacy provisions include a requirement to notify patients and the federal government of security breaches that result in the release of protected health information.
Privacy and security rules under the Health Insurance Portability and Accountability Act of 1996 would be extended to health information exchanges, health records banks and business partners of health care providers and insurers. HIPAA enforcement would be strengthened.
The sale of identifiable health information without the patient’s authorization would be forbidden in most cases, and the HIPAA loophole that some have used to send advertising to patients would be closed.
The Ways and Means Committee draft must be reconciled with an Appropriations Committee draft so this is not a done deal. The Wall Street Journal reports today there's still disagreement over how to handle privacy. I found the following quote from that report revealing
"In some ways I am thrilled, because IT will need federal help," said John Glaser, chief information officer for Partners HealthCare, a large nonprofit hospital system in Boston. "But you can bring in too much money too fast and not only waste it, but set us back."