HHS Finalizes New Rule Strengthening Patient Privacy Rights

On January 17, the U.S. Department of Health and Human Services (HHS) announced publication in the Federal Register of the final version of a new rule strengthening patient privacy rights.

The new rule strengthens the privacy and security protections for health information that were established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

“The final omnibus rule greatly enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s ability to enforce the law,” HHS said in a news release issued on January 17.

“Much has changed in health care since HIPAA was enacted over fifteen years ago,” HHS Secretary Kathleen Sebelius said in the HHS news release. “The new rule will help protect patient privacy and safeguard patients’ health information in an ever expanding digital age.”

Some of the Provisions Included in the New Rule

Among other enhancements to patient privacy rights, following are some of the key changes made by the new rule. As announced by HHS in its release, the new rule will:

• “[E]xpand many of the requirements to business associates of [the] entities that receive protected health information, such as contractors and subcontractors. Some of the largest breaches reported to HHS have involved business associates,” HHS said.
• Increase penalties for noncompliance “based on the level of negligence, with a maximum penalty of $1.5 million per violation.”
• “[S]trengthen the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification requirements by clarifying when breaches of unsecured health information must be reported to HHS.”
• Give patients the right to request “a copy of their electronic medical record in an electronic form.”
• Provide that “When individuals pay by cash they can instruct their provider not to share information about their treatment with their health plan.”
• Set “new limits on how information is used and disclosed for marketing and fundraising purposes and prohibit… the sale of an individual’s health information without their permission.
• Strengthen enforcement mechanisms provided to authorities to enforce the new rules.

“This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented,” said HHS Office for Civil Rights Director Leon Rodriguez. “These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”

Stepped Up Enforcement of Patient Privacy Rights in Medical Records

In a separate, but related development, on January 2, 2013, HHS settled its first case brought to enforce violations of patient data privacy rights under HIPAA involving the unauthorized disclosure of the electronic protected health information (“ePHI”) of fewer than 500 individuals. The case and settlement signaled stepped up enforcement of the privacy rights granted to patients under HIPAA.

As reported in an article written by Daren Orzechowski and Mariam Subjally in Lexology, an online publication associated with the Association of Corporate Counsel (ACC), “On January 2, 2013, the U.S. Department of Health and Human Services (“HHS”) settled its first case involving the unauthorized disclosure of the electronic protected health information (“ePHI”) of fewer than 500 individuals. In a resolution agreement signed on December 17, 2012, Hospice of North Idaho (“HONI”) agreed to pay HHS $50,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule.”

As reported by Mr. Orzechowski and Ms. Subjally, attorneys in the law firm of White & Case, “The HHS Office of Civil Rights began investigating HONI after an unencrypted laptop computer containing ePHI of 441 patients was stolen in June 2010. Through its investigation, HHS discovered that HONI had not conducted a risk analysis of its ePHI, and did not have necessary policies or procedures in place to address mobile device security, all of which is required by the HIPAA Security Rule.”

“This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information,” Leon Rodriguez, director of the HHS Office of Civil Rights, said, as quoted in the article.

“It is now clear that federal regulators are willing to punish even small data security breaches. Health care providers of all sizes, and the companies who provide services to them, should ensure that they have compliant data security plans in place which are strictly followed by their employees,” the Lexology article advises.

More Information

A complete copy of the new privacy rule published by HHS can be found in the U.S. Federal Register.

Following is a copy of the new release issued by HHS on January 17, 2013:

For more information on patient privacy rights and other legal issues facing seniors and family caregivers, see the HelpingYouCare® resource pages on Legal and Financial Issues for Seniors & Caregivers, including:

• Legal Issues for Caregivers & Seniors
• Overview – Some Legal Issues for Seniors & Caregivers
• Advance Directives for Health Care/ Living Wills; Proxies; Surrogates
• Planning for Incapacity/ Durable Powers of Attorney & Guardianship
• Estate Planning — Taxes, Wills, Intestate Succession, Trusts
• Asset Transfers & Medicaid Planning – An Overview
• Other Legal Issues
• Patient Rights
• Privacy Rights
• Your Employment Rights as a Family Caregiver
• Hiring a Private Duty Aide or Attendant As Employee vs. Independent Contractor
• Legal Issues Relating to Senior Housing & Care Facilities

_____________

Copyright © 2013 Care-Help LLC, publisher of HelpingYouCare^®. All rights reserved.