HIPAA Privacy and Security Regulations Updated

January/February 2013 Vol 6, No 1 - Industry Trends
Ross D. Margulies, JD, MPH
Associate at Foley Hoag, LLP
Washington, DC
Jayson Slotnik, JD, MPH

On January 17, 2013, nearly 3 years after its initial proposed rule, the US Department of Health and Human Services (HHS) issued the long-awaited and much-anticipated Health Insurance Portability and Accountability Act (HIPAA) “omnibus” rule, extending the scope of the privacy law beyond healthcare providers to their business associates and subcontractors, and adding increased penalties for noncompliance.1

Regulated entities must be in compliance with the new rules by September 22, 2013, although covered entities and business associates will have up to 1 year after the 180-day compliance date to modify existing contracts to comply with these revised rules. All provider practices and health plans should begin to examine their policies now to ensure a seamless transition to these new rules.

Among the most dramatic changes to the existing law is that HIPAA’s privacy and security requirements will now directly apply to business associates. Business associates will now include health information organizations, e-prescribing gateways, other entities that provide data transmission services for covered entities and that require access to data on a routine basis, entities that offer a personal health record to individuals on behalf of a covered entity, and subcontractors.

Penalties for noncompliance will range in severity, depending on the degree of culpability, including the number of individuals affected, and whether the noncompliant body has a history of noncompliance.

Central to the new regulations—which total a whopping 563 pages—is the sharing of patient-protected health information. Patients are given new control over their patient-protected health information, including allowing patients to request a copy of their electronic medical record in an electronic format and permitting patients to instruct their provider not to share information about treatment with their health plan when the individual pays for that care out of pocket.

In addition, the final rule expands the definition of a “breach” under HIPAA, thus eliminating the “harm” standard, which previously allowed entities to avoid breach notification if they could demonstrate that the breach posed no significant risk of harm to the individual. Under the new rule, any impermissible use or disclosure of patient-protected health information is presumed a breach, “regardless of whether the information is being held by a health plan, a healthcare provider, or one of their business associates,”1 unless a low probability that information has been compromised can be demonstrated.

All provider practices and health plans are now tasked with the arduous effort of implementing what the HHS is calling “the most sweeping changes to the HIPAA privacy and security rules since they were first implemented.”1

Mr Margulies is an Associate at Foley Hoag, LLP, Washington, DC; Mr Slotnik is a Partner, Health Policy Strategies, LLC, Washington, DC.

Reference

  1. US Department of Health and Human Services. New Rule Protects Patient Privacy, Secures Health Information. Press Release. January 17, 2013. www.hhs.gov/news/press/2013pres/01/20130117b.html. Accessed February 2, 2013.
Last modified: March 1, 2013