Prepare for HIPAA Privacy Rule Changes

January 23, 2013

On January 17, The Department of Health and Human Services (HSS) filed a long-awaited final rule interpreting the provisions of HIPAA. The rule makes final, supplementary changes to Health Information Technology for Economic and Clinical Health (HITECH) Act regulations, the HIPAA Enforcement Rule, the Breach Notification for Unsecured Protected Health Information under the HITECH Act and the HIPAA Privacy Rule as mandated by the GINA (Genetic Information Nondiscrimination Act). The rule will be effected March 26, 2013, with enforcement beginning September 23, 2013.

The 563-page rule changes various aspects of health privacy laws and is said by HHS Secretary Kathleen Sebelius to “help protect patient privacy and safeguard patients' health information in an ever-expanding digital age.” However, the scope of privacy and security rules will expand to business associates, leaving unprepared health care contractors and subcontractors at risk of liability.

Notable changes include:

  • The HIPAA Privacy Rule has been extended to business associates receiving protected health information, such as contractors and subcontractors.
  • Business associates are liable for increased penalties for noncompliance, based on the intensity of negligence, of up to $1.5 million.
  • Business associates must disclose protected health information (PHI) upon request of the Secretary to investigate or determine compliance.
  • HITECH Breach Notification requirements have been strengthened, requiring increased reporting of unsecured health information to HHS.
  • Patients may ask for a copy of their electronic medical records.
  • Individuals paying for medical service by cash may ask that treatment information not be disclosed to their health plan.
  • Health information may not be sold without the individual’s permission.
  • Finally, based on statutory changes under HITECH and GINA, genetic information is protected under the HIPAA privacy rule; health plans may not use or disclose this information for underwriting purposes.

The complete rule can be found in the Federal Register. You or your business may need to take steps to ensure HIPAA compliance under the new rule, including rewriting or updating your privacy policy.

As part of our service to you, we regularly compile short reports on new and interesting developments and the issues the developments raise. Please recognize that these reports do not constitute legal advice and that we do not attempt to cover all such developments. Rules of certain state supreme courts may consider this advertising and require us to advise you of such designation. Your comments are always welcome. © 2018 Dykema Gossett PLLC.