HHS Releases New Health Privacy Rule
The U.S. Department of Health and Human Services (HHS) has released a final rule strengthening the privacy protections and security safeguards for health information found in the Health Insurance Portability and Accountability Act (HIPAA), as well as increasing the government’s ability to enforce the law. (The rule, Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules, may be read here in display copy, and here in the Federal Register after January 25, 2013.)
“Much has changed in health care since HIPAA was enacted over fifteen years ago,” said HHS Secretary Kathleen Sebelius in a press release. “The new rule will help protect patient privacy and safeguard patients’ health information in an ever expanding digital age.”
As summarized in the HHS press release, “The changes in the final rulemaking provide the public with increased protection and control of personal health information. The HIPAA Privacy and Security Rules have focused on health care providers, health plans and other entities that process health insurance claims. The changes announced today expand many of the requirements to business associates of these entities that receive protected health information, such as contractors and subcontractors. Some of the largest breaches reported to HHS have involved business associates. Penalties are increased for noncompliance based on the level of negligence with a maximum penalty of $1.5 million per violation. The changes also strengthen the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification requirements by clarifying when breaches of unsecured health information must be reported to HHS.”
Patients also have new explicit rights, such as the ability to request a copy of their electronic medical record in an electronic form and the right to instruct their provider not to share treatment information with their insurer when they pay in cash. Further, the final rule makes it easier for patients to authorize the use of their health information for research purposes and for parents to give permission to share proof of a child’s immunization with a school.
The rule is effective on March 26, 2013, and covered entities and business associates must comply with applicable requirements of the rule by September 23, 2013.