New rule: Hospital, physician partners face penalties for privacy leaks

HHS in its long-awaited privacy rule released last week expanded liability of business associates of hospitals, physicians and other HIPAA-covered entities if they release data in ways that violate patient privacy.

Called the “omnibus” privacy and security rule because of its broad reach, it updates earlier Health Insurance Portability and Accountability Act rules with more stringent privacy and security measures passed under the American Recovery and Reinvestment Act of 2009.

“Much has changed in health care since HIPAA was enacted over fifteen years ago,” HHS Secretary Kathleen Sebelius said in a news release coordinated with the posting of the 563-page rule in the Federal Register. “The new rule will help protect patient privacy and safeguard patients' health information in an ever-expanding digital age.”

The rule clarifies when breaches of information must be reported to the Office for Civil Rights, sets new rules on the use of patient-identifiable information for marketing and fundraising, and expands direct liability under the law to the so-called “business associates” of hospitals and physicians and other “HIPAA-covered entities.” Those associates might include a provider's health care data-miners and health information technology service providers.

It also restores a limited right of consent to patients to control the release to their insurance company of records about their treatment if they pay for that treatment out of pocket. And it spells out how the greatly increased penalties for privacy and security violations under the ARRA are to be applied.

“This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented,” said Leon Rodriguez, director of the Office for Civil Rights at HHS, also in the news release. The office is the lead privacy and security enforcement agency under HIPAA.

“These changes not only greatly enhance a patient's privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider or one of their business associates,” Mr. Rodriguez said.

Official publication of the new rule in the Federal Register is scheduled Jan. 25. Its effective date is March 26 with a compliance date 180 days later, or Sept. 21, 2013.

Joseph Conn writes for Modern Healthcare, a sister publication of Business Insurance.