
New HIPAA Rule Expands Patients’ Rights, Privacy and Security Protections

by | Feb 25, 2015 | Compliance-nir, Essential, National Lab Reporter


The Office for Civil Rights of the Department of Health and Human Services (HHS) on Jan. 17 released an omnibus final rule updating provisions of the Health Insurance Portability and Accountability Act (HIPAA). In a statement, HHS said, “The rule greatly enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s ability to enforce the law.” Noting that much has changed in health care since HIPAA was enacted over 15 years ago, HHS Secretary Kathleen Sebelius said the new rule meets privacy and security needs in an ever-expanding digital age. It also incorporates increased civil monetary penalties and caps maximum annual penalties at $1.5 million, up from an existing $25,000 cap.

Business Associates’ Compliance

While HIPAA privacy and security rules have concentrated on health care providers, health plans, and health clearinghouses, the changes in the new rule expand many of the requirements to business associates of these entities that receive protected health information, such as contractors and subcontractors. Some of the largest data breaches reported to HHS have involved business associates.

Data Breach Incidents

HHS replaces the harm standard for data breach incidents, requiring notification to individuals unless there is a low probability that the data were compromised. This may be the biggest change, analysts say, since the interim final rule required entities to notify individuals that their protected health information had been breached only if they determined through a risk assessment that the individuals could suffer financial, reputational, or other harm.

Patients’ Rights

Individual rights are expanded in the new rule as follows:
  • Patients can ask for a copy of their electronic medical record in an electronic form.
  • When individuals pay by cash they can instruct their provider not to share information about their treatment with their health plan.
  • New limits are set on how information is used and disclosed for marketing and fund-raising purposes.
  • An individual’s health information cannot be sold without his or her permission.
Effective Dates

The rule becomes effective March 26, but covered entities and their business associates have until Sept. 23 to comply with most provisions. In the case of existing business associate agreements, covered entities have until September 2014 to make changes.

The rule is based on statutory changes under the HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, and the Genetic Information Nondiscrimination Act of 2008, which clarifies that genetic information is protected under the HIPAA privacy rule and prohibits most health plans from using or disclosing genetic information for underwriting purposes.
