Government HIT magazine reports that the AHIC privacy work group may recommend extending the HIPAA privacy rule to the new health information exchanges such as RHIOs, the NHIN, and Dossia. The workgroup is considering how to do so. The model is already exists.
When Congress enacted HIPAA in 1996, RHIOs etc. did not exist, but health care claims clearinghouses did. Clearinghouses are the hubs through which electronic claims transactions are routed from providers to payers. (Since 1996, other more direct options have been created.) HHS decided in the HIPAA Privacy Rule (45 C.F.R. § 164.500(b)) that clearinghouses may either configure themselves principally as covered entities or as business associates. It strikes me that the same successful approach should be applied to these new health information clearinghouse.
Of course, Congress would have to amend HIPAA to adopt this approach. but Senator Akaka indicated at the February 1, 2007, personal health record privacy hearing that he is open to that idea.