In comments sent to Secretary Kathleen Sebelius at the U.S. Department of Health and Human Services, AMIA (American Medical Informatics Association) called out 10 specific challenges to proposed modifications to HIPAA Privacy and Enforcement Rules. AMIA's comments, sent on behalf of its membership of 4,000 informatics professionals, detail key issues of concern related to the Notice of Proposed Rulemaking (NPRM) on HIPAA modifications, along with suggestions for models of change. The following areas were cited:
Business Associates and Subcontractors
Position: AMIA supports the NPRM in extending requirements of the Privacy and Security Rules for Business Associates (BAs) to their subcontractors. AMIA supports the extension of HIPAA rule compliance obligations to specific types of BAs, including health information exchanges (HIEs), Regional Health Information organizations (RHIOs), and personal health record (PHR) vendors as stipulated by HITECH.
AMIA is concerned about operational and financial challenges of extending and executing agreements related to the use and disclosure of protected health information "downstream".
AMIA suggests that HHS consider the development of 'model' BA contract language in the Final Rule.
Marketing and Fundraising
Position: Currently, communications related to prescribed drugs and biologics qualify as health care operations, which are excepted from the definition of marketing. Health care operations do not require patient authorizations and are eligible for remuneration as associated costs. AMIA supports inclusion of legitimate treatment communications, such as educational support materials distributed by Covered Entities, in the definition of qualified health care operations.
AMIA supports the opportunity for patients to 'opt out' of future fundraising solicitations, but does not see a benefit to offering 'opt out' statements prior to first solicitations.
|Contact: Nancy Light|
American Medical Informatics Association