The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was strengthened recently when HHS announced that its Office for Civil Rights (OCR) had released a final rule that will implement a number of privacy and security changes.
The final omnibus rule was published in the Jan. 25 Federal Register (www.gpo.gov) and is effective on March 26. Physicians and other covered entities must be in compliance with the final rule by Sept. 23.
"Much has changed in health care since HIPAA was enacted more than 15 years ago," said HHS Secretary Kathleen Sebelius in a Jan. 17 press release (www.hhs.gov). "The new rule will help protect patient privacy and safeguard patients' health information in an ever-expanding digital age."
In the same release, OCR Director Leon Rodriguez, J.D., said the final rule marked the most sweeping changes to the HIPAA privacy and security rules since they were first implemented. "These changes not only greatly enhance a patient's privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider or one of their business associates," said Rodriguez.
- HHS and its Office for Civil Rights recently released a final rule that makes changes to the privacy and security protections established by the Health Insurance Portability and Accountability Act (HIPAA) of 1996.
- The omnibus rule is effective on March 26; physicians and other covered entities must be in compliance with the final rule by Sept. 23.
- Physicians should review their current policies and procedures with regard to HIPAA and patient health data to ensure that their practices will be in compliance with the rule by the September deadline.
The omnibus rule finalizes statutory changes that were included in a section of the American Recovery and Reinvestment Act of 2009 known as the Health Information Technology for Economic and Clinical Health (HITECH) Act. The rule also finalizes changes required by the Genetic Information Nondiscrimination Act of 2008.
Some provisions of the final rule will affect family physician practices. For example, the rule spells out that any improper use or disclosure of personal health information should be considered a breach that would trigger official notification requirements (as spelled out in the rule) unless the organization in question carries out a risk assessment and determines otherwise.
In addition, the final rule
- extends the requirements of the privacy and security rules to physicians' business associates and their subcontractors;
- establishes new limitations on the use of personal health information for marketing and fundraising purposes;
- prohibits the sale of a patient's personal health information without specific individual authorization to do so;
- expands patients' rights to request and receive electronic copies of their personal health information; and
- broadens patients' ability to restrict, in some instances, disclosure of their personal health information to health insurance plans.
The rule also requires covered entities to modify and redistribute their individual notice of privacy practices.
HHS suggests that physician practices review their current policies and procedures to ensure that their organizations will be in compliance with the final rule by the September deadline.