HIPAA gets an upgrade
medwireNews: In an acknowledgement that health information security must keep up with the times, the US Department of Health and Human Services (HHS) has enhanced patient privacy and security protections for health information as established under the 1996 Health Insurance Portability and Accountability Act (HIPAA).
"Much has changed in health care since HIPAA was enacted over fifteen years ago," said HHS Secretary Kathleen Sebelius in a press release. "The new rule will help protect patient privacy and safeguard patients' health information in an ever expanding digital age."
The HIPAA Privacy and Security Rules originally addressed the handling of health information by healthcare providers, health plans, and processors of health insurance claims. The HHS expanded that liability to business associates of the aforementioned entities that handle health information.
Responding to reports that business associates were committing the largest breaches of patient privacy, the HHS increased noncompliance penalties by up to $1.5 million per violation.
The HHS modifications also furthered the requirements under the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification system by outlining when health information breaches are to be reported.
"This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented," said HHS Office of Civil Rights Director Leon Rodriguez in the press release. "These changes not only greatly enhance a patient's privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates."
The action also expanded an individual's right to obtain electronic copies of their health information and to restrict disclosures to a health plan about a treatment the individual paid for out of pocket.
HHS's final rule is expected to come at a price tag of $100 million, according to its full report, which took into account the cost of compliance, revising and distributing new notices that inform individuals of their rights and information protection, and ensuring compliance by covered entities and business associates.
By Peter Sergo, medwireNews Reporter