HHS Announces Changes In The Final HIPAA Omnibus Rule
The Department of Health and Human Services (HHS) Provides New Omnibus HIPAA Rules To Protect Patient Privacy.
The U.S. Department of Health and Human Services (HHS) moved forward on January 17, 2013 to strengthen the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The final omnibus rule greatly enhances a patient's privacy protections, provides individuals new rights to their health information, and strengthens the government's ability to enforce the law. "Much has changed in health care since HIPAA was enacted over fifteen years ago," said HHS Secretary Kathleen Sebelius. "The new rule will help protect patient privacy and safeguard patients' health information in an ever expanding digital age."
The new rules have sweeping implications for all organizations that view or manage patient health information, including doctors' offices, hospitals, insurers, self-insurers, Health Insurance Exchanges, and others.
The modifications implemented by the new rules include:
- Expanding the types of organizations subject to the HIPAA Privacy Rule regulations to include business associates, subcontractors of business associates (if the subcontractor routinely handles protected health information), patient-safety organizations, health information exchange organizations, and electronic treatment and pharmaceutical portals;
- Increasing patients' rights by allowing a patient's family or close family friends to access the patient's protected health information, giving patients the ability to request an electronic copy of their medical records, giving them the opportunity to authorize the use of their medical records for research purposes, and allowing them to share their children's immunization records with schools;
- Restricting the use of a patient's protected health information for marketing and fundraising activities;
- Prohibiting the sale of protected health information without patient authorization with certain exceptions;
- Increasing the penalties for violations of HIPAA to a maximum of $1.5 million in one calendar year;
- Clarifying that genetic information qualifies as health information;
- Clarifying when a data breach must be reported to the Office for Civil Rights;
- Altering the breach notification requirement so that an unauthorized use or disclosure of protected health information is presumed to be a reportable breach unless the covered entity can conclude, through a documented assessment, that there is a "low probability" that the information has been compromised. "Low probability" is determined by the nature, extent, and identifiers of the protected health information involved (for example, whether it involved mental health treatment or substance abuse treatment records); the unauthorized person who used the protected health information or to whom the disclosure was made; whether the protected health information was actually acquired or viewed; and the extent to which the risk to the protected health information has been mitigated.