The stakes are even higher for security breaches of health information, according to new rules for the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
In fact, the U.S. Department of Health and Human Services (HHS) recently unveiled these rules in the Federal Register; they are described as the most sweeping changes to HIPAA since its birth more than 15 years ago. Slated to take effect March 26, with a compliance deadline of September 23, the rules are expected to make compliance more difficult for physicians while expanding the government’s latitude in levying fines on providers, ranging from $100 to $1.5 million.
The move by government regulators within HHS’s Office of Civil Rights (OCR) is focused on protecting and expanding individual rights covered by HIPAA.
The final rule:
OCR Director Leon Rodriguez says the rules “strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a healthcare provider, or one of their business associates.”
The final omnibus rule is based on statutory changes under the HITECH Act and the Genetic Information Nondiscrimination Act of 2008, which clarifies that genetic information is protected under the HIPAA privacy rule and prohibits most health plans from using or disclosing genetic information for underwriting.