HHS Updates HIPAA Privacy, Security, Enforcement Provisions and Increases Penalty Cap
The omnibus final rule updating provisions of the Health Insurance Portability and Accountability Act (HIPAA) released Jan. 17 is designed to enhance a patient’s privacy protections, provide individuals new rights to their health information, and strengthen the government’s ability to enforce the law.

“Much has changed in health care since HIPAA was enacted over 15 years ago,” said Kathleen Sebelius, secretary of the Department of Health and Human Services. “The new rule will help protect patient privacy and safeguard patient’s health information in an ever-expanding digital age.”

The rule, published in the Federal Register Jan. 25, contains final modifications to the HIPAA privacy, security, and enforcement rules mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act. Specifically, these modifications:
- Make business associates of covered entities directly liable for compliance with certain of the HIPAA privacy and security rules’ requirements;
- Strengthen the limitations on the use and disclosure of protected health information (PHI) for marketing and fund-raising purposes and prohibit the sale of protected health information without individual authorization;
- Expand individuals’ rights to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full;
- Require modifications to, and redistribution of, a covered entity’s notice of privacy practices;
- Modify the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools and to enable access to decedent information by family members or others; and
- Adopt the HITECH Act enhancements to the enforcement rule not previously adopted in the Oct. 30, 2009, interim final rule, such as the provisions addressing enforcement of noncompliance with the HIPAA rules due to willful neglect.
Under the rule, the term “business associate” also covers:

- A health information organization, e-prescribing gateway, or other person that provides data transmission services with respect to PHI to a covered entity and that requires access to such PHI on a routine basis;
- A person who offers a personal health record to one or more individuals on behalf of a covered entity; and
- A subcontractor that creates, receives, maintains, or transmits PHI on behalf of the business associate.
For individuals, the rule means that:

- Patients can ask for a copy of their electronic medical records in an electronic form;
- When individuals pay by cash they can instruct their provider not to share information about their treatment with their health plan;
- New limits are set on how information is used and disclosed for marketing and fund-raising purposes; and
- An individual’s health information cannot be sold without his or her permission.