The U.S. Department of Health and Human Services (HHS) has announced a new rule to strengthen the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The final omnibus rule greatly enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s ability to enforce the law.
The changes in the final rulemaking provide the public with increased protection and control of personal health information. The changes announced today expand many of the privacy and security requirements to business associates that receive protected health information, such as contractors and subcontractors. Business associates may also be liable for the increased penalties for noncompliance based on the level of negligence up to a maximum penalty of $1.5 million. The changes also strengthen the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification requirements by clarifying when breaches of unsecured health information must be reported to HHS.
Individual rights are expanded in important ways. Patients can ask for a copy of their electronic medical record in an electronic form. When individuals pay by cash they can instruct their provider not to share information about their treatment with their health plan. The final omnibus rule sets new limits on how information is used and disclosed for marketing and fundraising purposes, and prohibits the sale of an individual’s health information without their permission.
The final omnibus rule is based on statutory changes under the HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, and the Genetic Information Nondiscrimination Act of 2008 (GINA) which clarifies that genetic information is protected under the HIPAA Privacy Rule and prohibits most health plans from using or disclosing genetic information for underwriting purposes.
The Rulemaking announced today may be viewed in the Federal Register at https://www.federalregister.gov/public-inspection. (563 pages)
Summary of final rule:
1. Final modifications to the HIPAA Privacy, Security, and Enforcement Rules mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act, and certain other modifications :
- Make business associates of covered entities directly liable for compliance with certain of the HIPAA Privacy and Security Rules’ requirements.
- Strengthen the limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibit the sale of protected health information without individual authorization.
- Expand individuals’ rights to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full.
- Require modifications to, and redistribution of, a covered entity’s notice of privacy practices.
- Modify the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools, and to enable access to decedent information by family members or others.
- Adopt the additional HITECH Act enhancements to the Enforcement Rule not previously adopted in the October 30, 2009, interim final rule (referenced immediately below), such as the provisions addressing enforcement of noncompliance with the HIPAA Rules due to willful neglect.
2. Final rule adopting changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act.
3. Final rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act, which replaces the breach notification for Unsecured Protected Health Information under the HITECH Act, which replaces the breach notification rule’s ‘‘harm’’ threshold with a more objective standard and supplants an interim final rule published on August 24, 2009.
4. Final rule modifying the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA) to prohibit most health plans from using or disclosing genetic information for underwriting purposes.
To sign up for HIPAA alerts, click here.
Latest posts by EHR 2.0 (see all)
- Trump Administrations’ Effect on Healthcare Organizations - January 23, 2017
- HIPAA Fine for Lack of Timely Breach Notification - January 11, 2017
- HIPAA Compliance 2016 Year in Review - January 9, 2017