Healthcare News: New Rule Announced to make HIPAA Stronger

On January 17th, Secretary Kathleen Sebelius of the Department of Health and Human Services (HHS) announced a new rule aimed at strengthening the privacy and security provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

The 563-page rule provides the public with more protection, and control over personal health information. Secretary Sebelius lauded the rule stating, “The new rule will help protect patient privacy and safeguard patients’ health information in an ever expanding digital age.”

Business Associate Definition Expanded

The rule expands the category of persons subject to HIPAA requirements (i.e., beyond health care providers, health plans, clearinghouses, and existing business associates) to directly cover other business associates that might have direct or indirect access to protected health information (PHI). The expanded business associates include health information exchanges, e-prescribing gateways, and personal health record vendors acting for covered entities. Data storage providers are also included as business associates, even if the entity never views or accesses the data. Traditionally, some of these companies took the position that they were not business associates per se, but the new rule makes it clear that they are now part of the PHI transaction.

Expanded Penalty Provision

The new rule makes clear that all business associates, as well as covered entities, are directly subject to the HIPAA rules and are subject to penalties for failing to comply with HIPAA provisions. In addition, penalties for any entity that knowingly or willfully committed multiple violations of the same provision are increased to a maximum of $1.5 million per violation. The rule also clarifies when breaches of information must be reported to the HHS Office for Civil Rights.

Patient Rights

The new rule expands a patient’s ability to obtain a copy of their medical information from their treating provider in electronic as well as paper format. The provision of HIPAA that allowed an individual to access their PHI traditionally operated in a paper-based format, so the expansion of the rule to include electronic forms signals a shift towards the acceptance of new technology.

Further, when paying by cash, patients can instruct their provider not to share information about their treatment with their health plan.

An individual’s ability to authorize the use of their personal health information for research purposes is also expanded under the new rule. Previously, any release of PHI had to be study specific. Under the new rule, an authorization for future study is acceptable so long as the research is adequately described and the individual has a reasonable expectation their PHI will be used or disclosed for that research. Parents will find it easier to share their child’s immunization records with schools due to the rule’s new provisions.

However, the revised rule also requires more transparency in certain cases as to how the patient’s PHI will be used under any waiver. For example, a covered entity must obtain a valid authorization from the patient before using or disclosing PHI for marketing communications that involve financial remuneration. The authorization must disclose the fact that the covered entity or business associate is receiving reimbursement from a third party.

Privacy experts are advising their clients to re-evaluate their current HIPAA compliance program and requirements to make sure that all the new changes and exemptions are incorporated into the covered entity’s or business associate’s policies and procedures.

If you or your organization need assistance or guidance with your HIPAA-compliance program under these new rules, feel free to contact Lori at Royale Class Consulting.

The rule will be effective as of March 26, 2013. Entities have until September 21, 2013 to be in compliance with the rule’s provisions.