Banner

Article

HIPAA rules complicate compliance, could up fines

The stakes are even higher for security breaches of health information, according to new rules for the Health Insurance Portability and Accountability Act of 1996.

The stakes are even higher for security breaches of health information, according to new rules for the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

In fact, the U.S. Department of Health and Human Services (HHS) recently unveiled these rules in the Federal Register, which are described as the most sweeping changes to HIPAA since its birth more than 15 years ago. Slated to take effect March 26 and with a compliance deadline of September 23, the rules are thought to make compliance for physicians more difficult while expanding the government’s latitude in levying fines to providers from $100 to $1.5 million.

The move by government regulators within HHS’s Office of Civil Rights (OCR) is focused on protecting and expanding individual rights covered by HIPAA.

The final rule:

  • makes business associates of covered entities directly liable for compliance with certain requirements;

  • strengthens limitations on the use of personal health information for marketing and fundraising purposes;

  • prohibits the sale of a patient’s personal health information without specific individual authorization to do so;

  • expands patients’ rights to request and receive electronic copies of their personal health information; and broadens patients’ ability to restrict, in some instances, disclosure of their personal health information to health insurance plans;

  • requires modification to, and redistribution of, a covered entity’s notice of privacy practices;

  • simplifies reporting requirements of child immunizations to schools;

  • expands the Health Information Technology for Economic and Clinical Health (HITECH) Act to address enforcement due to willful neglect; and

  • adopts changes to increase and tier civil monetary penalties.

OCR Director Leon Rodriguez says the rules “strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a healthcare provider, or one of their business associates.”

The final omnibus rule is based on statutory changes under the HITECH Act and the Genetic Information Nondiscrimination Act of 2008, which clarifies that genetic information is protected under the HIPAA privacy rule and prohibits most health plans from using or disclosing genetic information for underwriting.

Related Videos
Emma Schuering: ©Polsinelli
Emma Schuering: ©Polsinelli