Addressing 15 years of digital advances in health record information, the Department of Health and Human Services released stronger rules and protections governing patient privacy last week.
The long-awaited rules enhance the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which governs health records and patient information.
HHS is expanding the government’s scope over healthcare providers, health plans, and other entities that process health insurance claims to include their contractors and subcontractors — “business associates” — with whom they share protected health information.
Some of the larger breaches in patient privacy have involved business associates, HHS noted in a press release announcing the rules.
“Much has changed in healthcare since HIPAA was enacted over 15 years ago,” HHS Secretary Kathleen Sebelius said in the release. “The new rule will help protect patient privacy and safeguard patients’ health information in an ever expanding digital age.”
The new rules increase penalties for noncompliance to a maximum of $1.5 million per violation.
The changes also strengthen the Health Information Technology for Economic and Clinical Health (HITECH) breach notification requirements by making clear when breaches must be reported to HHS.
Also, the new rules provide that, when a provider requires a patient to request records or documents in writing, the request may be made electronically.
The health information management industry is “breathing a sigh of relief,” said Angela Rose, MHA, RHIA, CHPS, director of health information management practice excellence at the American Health Information Management Association in Chicago, noting that final rules have been anticipated since 2009.
“The final rule is the first major change to the way current privacy and security practices are executed today since the implementation of HIPAA 10 years ago,” she told MedPage Today in a phone interview.
“Now we can hit the ground running” in response to the new rules, Rose added.
“The final rule … strengthens patient privacy and security protections that were established under [HIPAA],” said Renae Moch, practice management strategist at the American Academy of Family Physicians in an email. “This rule is presumed to increase workability and flexibility, decrease burden, and better standardize the requirements of the rule for covered entities such as healthcare providers, health plans, or healthcare clearinghouses.”
HHS indicated that other expanded limits will address “how information is used and disclosed for marketing and fundraising purposes,” and will prohibit selling individuals’ health information without their permission.
Starting March 26, covered entities and their business associates will have 180 days to comply with the 563-page rule.