HHS Finalizes New Rule Strengthening Patient Privacy Rights

In a January 17 statement, Kathleen Sebelius, U.S. Secretary of Health & Human Services, announced publication of a new rule strengthening patient privacy rights.

On January 17, the U.S. Department of Health and Human Services (HHS) announced publication in the Federal Register of the final version of a new rule strengthening patient privacy rights.

The new rule strengthens the privacy and security protections for health information that were established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

“The final omnibus rule greatly enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s ability to enforce the law,” HHS said in a news release issued on January 17.

“Much has changed in health care since HIPAA was enacted over fifteen years ago,” HHS Secretary Kathleen Sebelius said in the HHS news release. “The new rule will help protect patient privacy and safeguard patients’ health information in an ever expanding digital age.”

Some of the Provisions Included in the New Rule

The following are some of the key changes made by the new rule, among other enhancements to patient privacy rights. As announced by HHS in its release, the new rule will:

  • “[E]xpand many of the requirements to business associates of [the] entities that receive protected health information, such as contractors and subcontractors. Some of the largest breaches reported to HHS have involved business associates,” HHS said.
  • Increase penalties for noncompliance “based on the level of negligence, with a maximum penalty of $1.5 million per violation.”
  • “[S]trengthen the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification requirements by clarifying when breaches of unsecured health information must be reported to HHS.”
  • Give patients the right to request “a copy of their electronic medical record in an electronic form.”
  • Provide that “When individuals pay by cash they can instruct their provider not to share information about their treatment with their health plan.”
  • Set “new limits on how information is used and disclosed for marketing and fundraising purposes and prohibit… the sale of an individual’s health information without their permission.”
  • Strengthen enforcement mechanisms provided to authorities to enforce the new rules.

“This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented,” said HHS Office for Civil Rights Director Leon Rodriguez. “These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”

Stepped Up Enforcement of Patient Privacy Rights in Medical Records

In a separate but related development, on January 2, 2013, HHS settled its first case brought over violations of patient data privacy rights under HIPAA involving the unauthorized disclosure of the electronic protected health information (“ePHI”) of fewer than 500 individuals. The case and settlement signaled stepped-up enforcement of the privacy rights granted to patients under HIPAA.

As reported in an article written by Daren Orzechowski and Mariam Subjally in Lexology, an online publication associated with the Association of Corporate Counsel (ACC), “On January 2, 2013, the U.S. Department of Health and Human Services (“HHS”) settled its first case involving the unauthorized disclosure of the electronic protected health information (“ePHI”) of fewer than 500 individuals. In a resolution agreement signed on December 17, 2012, Hospice of North Idaho (“HONI”) agreed to pay HHS $50,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule.”

As reported by Mr. Orzechowski and Ms. Subjally, attorneys in the law firm of White & Case, “The HHS Office of Civil Rights began investigating HONI after an unencrypted laptop computer containing ePHI of 441 patients was stolen in June 2010. Through its investigation, HHS discovered that HONI had not conducted a risk analysis of its ePHI, and did not have necessary policies or procedures in place to address mobile device security, all of which is required by the HIPAA Security Rule.”

“This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information,” Leon Rodriguez, director of the HHS Office of Civil Rights, said, as quoted in the article.

“It is now clear that federal regulators are willing to punish even small data security breaches. Health care providers of all sizes, and the companies who provide services to them, should ensure that they have compliant data security plans in place which are strictly followed by their employees,” the Lexology article advises.

More Information

A complete copy of the new privacy rule published by HHS can be found in the U.S. Federal Register.

Following is a copy of the news release issued by HHS on January 17, 2013:


News Release

FOR IMMEDIATE RELEASE
January 17, 2013
Contact: HHS Press Office
202-690-6343

New rule protects patient privacy, secures health information

Enhanced standards improve privacy protections and security safeguards for consumer health data

The U.S. Department of Health and Human Services (HHS) moved forward today to strengthen the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

The final omnibus rule greatly enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s ability to enforce the law.

“Much has changed in health care since HIPAA was enacted over fifteen years ago,” said HHS Secretary Kathleen Sebelius.  “The new rule will help protect patient privacy and safeguard patients’ health information in an ever expanding digital age.”

The changes in the final rulemaking provide the public with increased protection and control of personal health information.  The HIPAA Privacy and Security Rules have focused on health care providers, health plans and other entities that process health insurance claims.  The changes announced today expand many of the requirements to business associates of these entities that receive protected health information, such as contractors and subcontractors. Some of the largest breaches reported to HHS have involved business associates. Penalties are increased for noncompliance based on the level of negligence with a maximum penalty of $1.5 million per violation. The changes also strengthen the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification requirements by clarifying when breaches of unsecured health information must be reported to HHS.

Individual rights are expanded in important ways. Patients can ask for a copy of their electronic medical record in an electronic form. When individuals pay by cash they can instruct their provider not to share information about their treatment with their health plan. The final omnibus rule sets new limits on how information is used and disclosed for marketing and fundraising purposes and prohibits the sale of an individual’s health information without their permission.

“This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented,” said HHS Office for Civil Rights Director Leon Rodriguez.   “These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”

The final rule also reduces burden by streamlining individuals’ ability to authorize the use of their health information for research purposes.  The rule makes it easier for parents and others to give permission to share proof of a child’s immunization with a school and gives covered entities and business associates up to one year after the 180-day compliance date to modify contracts to comply with the rule.

The final omnibus rule is based on statutory changes under the HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, and the Genetic Information Nondiscrimination Act of 2008 (GINA) which clarifies that genetic information is protected under the HIPAA Privacy Rule and prohibits most health plans from using or disclosing genetic information for underwriting purposes.

The Rulemaking announced today may be viewed in the Federal Register at https://www.federalregister.gov/public-inspection.

###



Copyright © 2013 Care-Help LLC, publisher of HelpingYouCare®. All rights reserved.
