The U.S. Department of Health and Human Services (HHS) has announced a new rule to strengthen the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The rule replaces the harm threshold from the interim rule on breach notification with a more objective standard. It also requires business associates to comply with specific HIPAA privacy and security requirements, and imposes direct liability for their noncompliance with these regulatory standards. In addition, the rule incorporates the increased and tiered civil money penalty structure provided by the HITECH Act; makes changes to the use and disclosure of protected health information in certain circumstances; and prohibits most health plans from using or disclosing genetic information for underwriting purposes, as required by the Genetic Information Nondiscrimination Act.
Individual rights are expanded in important ways. Patients can ask for a copy of their electronic medical record in an electronic form. (The state has already addressed this electronic health record request from a patient in Texas House Bill 300, which went into effect on September 1, 2012, with requirements to furnish electronic records within 15 days of a patient's written request instead of the HIPAA requirement of within 30 days.)
Under the new rule, individuals who pay by cash can instruct their provider not to share information about their treatment with their health plan. You might want to discuss this with your insurance network provider representatives to make sure everyone is straight on that new wrinkle. I know from dealing with my network contracts that they don’t like it when their members take actions like this offline and don’t tell the health plan when they have medical procedures done and appear to be hiding medical conditions from their insurance payer.
The final omnibus rule sets new limits on how information is used and disclosed for marketing and fundraising purposes, and prohibits the sale of an individual’s health information without their permission. The final rule takes effect March 26; however, covered entities and their business associates generally will have until September 23 to comply with most of the rule’s provisions. The 563-page HIPAA Privacy, Security, Enforcement and Breach Notification Rules, FR Document 2013-01073, may be viewed in PDF form in the Federal Register in the Health and Human Services Department section.