The U.S. Department of Health and Human Services (HHS) has strengthened the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The improvements in the final rulemaking provide patients with increased protection and more control of their personal health information. This means that individual rights have been increased and expanded in important ways. The Final Omnibus Rule:
- Greatly enhances the privacy protection of patients,
- Provides individuals with new rights to their health information, and
- Increases the government’s ability to enforce the law.
Kathleen Sebelius, HHS Secretary, reports that:
“Much has changed in health care since HIPAA was enacted over fifteen years ago; the new rule will help protect patient privacy and safeguard patients’ health information in an ever-expanding digital age.”
Penalties for Noncompliance
The HIPAA Privacy and Security Rules have focused in the past on health plans, health care providers and entities that process health-insurance claims. The Rule expands the requirements to cover companies and organizations that do business with these entities, such as contractors and subcontractors. The changes also strengthen the Health Information Technology for Economic and Clinical Health (HITECH) breach notification requirements by defining when breaches of unsecured health information must be reported to HHS.
As many of the largest breaches reported to HHS have involved business associates, penalties for non-compliance have increased based on the level of negligence. The maximum penalty per violation has increased to $1.5 million. Business associates and covered entities will have up to one year past the 180-day compliance date (March 26, 2013) to modify their contracts in order to comply with the rule.
Increased Patient Rights
The Final Omnibus Rule has created new limits on how information can be used or disclosed for marketing and fundraising purposes, and prohibits the sale of an individual’s personal health information without their permission. Parents and guardians will now have an easier time when providing permission to share proof of a child’s immunization with a school.
It also reduces the chance of a breach by incorporating the ability for individuals to authorize the use of their health information for research purposes. Patients are now able to ask for a copy of their electronic medical record in an electronic form, and individuals paying by cash will be able to ask their provider not to share their treatment information with their health plan.
The Final Omnibus Rule was based on statutory changes under the HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, as well as the Genetic Information Nondiscrimination Act of 2008 (GINA), which clarifies that the HIPAA Privacy Rule protects all genetic information, and prevents most health plans from using or disclosing genetic information for underwriting purposes.
“This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented,” said HHS Office for Civil Rights Director Leon Rodriguez. “These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”
To read more about the Rulemaking, go to the Federal Register at: https://www.federalregister.gov/public-inspection, and for more information you can sign up on the Office for Civil Rights’ listserv at: OCR-PRIVACY-LIST