New HIPAA Rule Expands Patients’ Rights, Privacy and Security Protections
The Office for Civil Rights of the Department of Health and Human Services (HHS) on Jan. 17 released an omnibus final rule updating provisions of the Health Insurance Portability and Accountability Act (HIPAA). In a statement, HHS said, “The rule greatly enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s ability to enforce the law.”

Noting that much has changed in health care since HIPAA was enacted over 15 years ago, HHS Secretary Kathleen Sebelius said the new rule meets privacy and security needs in an ever-expanding digital age. It also incorporates increased civil monetary penalties and caps maximum annual penalties at $1.5 million, up from an existing $25,000 cap.

Business Associates’ Compliance

While HIPAA privacy and security rules have concentrated on health care providers, health plans, and health clearinghouses, the changes in the new rule expand many of the requirements to business associates of these entities that receive protected health information, such as contractors and subcontractors. Some of the largest data breaches reported to HHS have involved business associates.

Data Breach Incidents

HHS replaces the harm standards for data breach incidents, requiring notification to individuals unless there is a low probability […]
- Patients can ask for a copy of their electronic medical record in an electronic form.
- When individuals pay by cash they can instruct their provider not to share information about their treatment with their health plan.
- New limits are set on how information is used and disclosed for marketing and fund-raising purposes.
- An individual’s health information cannot be sold without his or her permission.