Healthcare compliance officers take note: Sweeping changes to the privacy rules under the Health Insurance Portability and Accountability Act are out for comment.

The Department of Health and Human Services has published proposed rulemaking that will significantly modify the HIPAA Privacy, Security, and Enforcement Rules. The proposals are out for a 60-day comment period after publication in the Federal Register.

The bottom line is that, "It's going to be like re-learning HIPAA," says Colin Zick, a partner in the law firm of Foley Hoag. "The reach of HIPAA has expanded geometrically."

As expected, the proposals extend all of the HIPAA enforcement provisions, and many of the privacy and security requirements, to the business associates of HIPAA-covered entities, such as billing providers, accountants, lawyers, and consultants. Under the proposal, many of the rules would also apply to subcontractors of business associates.

Much, but not all, of what's contained in the 234 pages of proposed regulations implements changes required by the Health Information Technology for Economic and Clinical Health (HITECH) Act. However, Zick notes that HHS also "took the opportunity to do a lot of cleanup in the privacy and security regs."

Still, with the exception of the enforcement provisions, which would become effective immediately, he notes that the proposals include a 180-day implementation delay, so whenever any final rules are adopted, "people will have at least six months to get their houses in order." The proposals also include a one-year transition period.

That said, he suggests that covered entities that have to renegotiate any business associate contracts in the interim should update them in light of the proposed rules.

"My suggestion is, if you're going to renegotiate any business associate contracts anyway, it's worth it to update those provisions now based on the proposed rules, since they should be very close to any final rule," he tells Compliance Week.

Other provisions set new limits on the use and disclosure of protected health information for marketing and fundraising, and create new restrictions on the sale of protected health information. Zick says the proposed sale restrictions are among the "stickiest" since they're complicated and contain a lot of carve-outs.

Given HHS's estimate of the total time it will take respondents to comply with the information collection requirements of the rule (3,733,833 hours), Zick says providers should prepare to do a lot of training on any final rule that's eventually adopted, particularly for any employees who deal with business associates, or who work in research and marketing or fundraising.