New rule protects patient privacy, secures health information.
The United States Department of Health and Human Services (HHS) strengthened the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) on January 17, 2013. The new rules enhances patients’ privacy protections, provides individuals new rights to their health information, and strengthens the government’s ability to enforce the law. The changes in the final rulemaking provide the public with increased protection and control of personal health information. The HIPAA Privacy and Security Rules have focused on health care providers, health plans and other entities that process health insurance claims. The changes announced on January 17, 2013 expand many of the requirements to business entities that receive protected health information, such as contractors and subcontractors. Some of the largest breaches reported to HHS have involved business associates. Penalties are increased for noncompliance based on the level of negligence with a maximum penalty of $1.5 million per violation.
Individual rights are expanded in important ways. Patients can ask for a copy of their medical record in an electronic form. When individuals pay by cash they can instruct their provider not to share information about their treatment with their health plan. The final rule sets new limits on how information is used and disclosed for marketing and fundraising purposes and prohibits the sale of an individuals’ health information without their permission.
