Revenue Cycle Management
COVID-19
Reimbursement
Diabetes Awareness Month
Risk Management
Patient Retention
Staffing
Medical Economics® 100th Anniversary
Coding and documentation
Business of Endocrinology
Telehealth
Physicians Financial News
Cybersecurity
Cardiovascular Clinical Consult
Locum Tenens, brought to you by LocumLife®
Weight Management
Business of Women's Health
Practice Efficiency
Finance and Wealth
EHRs
Remote Patient Monitoring
Sponsored Webinars
Medical Technology
Billing and collections
Acute Pain Management
Exclusive Content
Value-based Care
Business of Pediatrics
Concierge Medicine 2.0 by Castle Connolly Private Health Partners
Practice Growth
Concierge Medicine
Business of Cardiology
Implementing the Topcon Ocular Telehealth Platform
Malpractice
Influenza
Sexual Health
Chronic Conditions
Technology
Legal and Policy
Money
Opinion
Vaccines
Practice Management
Patient Relations
Careers

HIPAA rules complicate compliance, could up fines

February 25, 2013

Article

The stakes are even higher for security breaches of health information, according to new rules for the Health Insurance Portability and Accountability Act of 1996.

The stakes are even higher for security breaches of health information, according to new rules for the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

In fact, the U.S. Department of Health and Human Services (HHS) recently unveiled these rules in the Federal Register, which are described as the most sweeping changes to HIPAA since its birth more than 15 years ago. Slated to take effect March 26 and with a compliance deadline of September 23, the rules are thought to make compliance for physicians more difficult while expanding the government’s latitude in levying fines to providers from $100 to $1.5 million.

The move by government regulators within HHS’s Office of Civil Rights (OCR) is focused on protecting and expanding individual rights covered by HIPAA.

The final rule:

makes business associates of covered entities directly liable for compliance with certain requirements;

strengthens limitations on the use of personal health information for marketing and fundraising purposes;

prohibits the sale of a patient’s personal health information without specific individual authorization to do so;

expands patients’ rights to request and receive electronic copies of their personal health information; and broadens patients’ ability to restrict, in some instances, disclosure of their personal health information to health insurance plans;

requires modification to, and redistribution of, a covered entity’s notice of privacy practices;

simplifies reporting requirements of child immunizations to schools;

expands the Health Information Technology for Economic and Clinical Health (HITECH) Act to address enforcement due to willful neglect; and

adopts changes to increase and tier civil monetary penalties.

OCR Director Leon Rodriguez says the rules “strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a healthcare provider, or one of their business associates.”

The final omnibus rule is based on statutory changes under the HITECH Act and the Genetic Information Nondiscrimination Act of 2008, which clarifies that genetic information is protected under the HIPAA privacy rule and prohibits most health plans from using or disclosing genetic information for underwriting.