HIPAA rules complicate compliance, could up fines

The stakes are even higher for security breaches of health information, according to new rules for the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

In fact, the U.S. Department of Health and Human Services (HHS) recently published these rules in the Federal Register; they are described as the most sweeping changes to HIPAA since its birth more than 15 years ago. Slated to take effect March 26, with a compliance deadline of September 23, the rules are expected to make compliance more difficult for physicians while expanding the government’s latitude in levying fines on providers, from $100 to $1.5 million.

The move by government regulators within HHS’s Office of Civil Rights (OCR) is focused on protecting and expanding individual rights covered by HIPAA.

The final rule:

  • makes business associates of covered entities directly liable for compliance with certain requirements;

  • strengthens limitations on the use of personal health information for marketing and fundraising purposes;

  • prohibits the sale of a patient’s personal health information without specific individual authorization to do so;

  • expands patients’ rights to request and receive electronic copies of their personal health information;

  • broadens patients’ ability to restrict, in some instances, disclosure of their personal health information to health insurance plans;

  • requires modification to, and redistribution of, a covered entity’s notice of privacy practices;

  • simplifies reporting requirements of child immunizations to schools;

  • expands the Health Information Technology for Economic and Clinical Health (HITECH) Act to address enforcement due to willful neglect; and

  • adopts changes to increase and tier civil monetary penalties.

OCR Director Leon Rodriguez says the rules “strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a healthcare provider, or one of their business associates.”

The final omnibus rule is based on statutory changes under the HITECH Act and the Genetic Information Nondiscrimination Act of 2008, which clarifies that genetic information is protected under the HIPAA privacy rule and prohibits most health plans from using or disclosing genetic information for underwriting.
