
HHS Releases Updated HIPAA Privacy & Security Rule

by Lauren M. Nelson, JD on January 17th, 2013

Today HHS filed its long-awaited updated privacy and security rule. The 563-page update is scheduled to be published in the Federal Register on January 25, 2013. The new privacy and security rule updates HIPAA by adding the stringent privacy and security measures passed in the American Recovery and Reinvestment Act of 2009.

The new “omnibus” rule, named for its broad reach, was designed to increase patient privacy protections, provide patients new rights to their health information, and increase the government’s ability to enforce such protections. The rule expands the liability and requirements for data breaches that apply to business associates, such as contractors and subcontractors, of hospitals, physicians, and other HIPAA-covered entities.

Patient rights have been expanded in several ways. Patients who pay in cash can instruct their health care provider to not share treatment information with their health plan. Individuals can now request a copy of their electronic medical record in electronic form. There are also new limits on the use of patient-identifiable information in marketing and fundraising, as well as a prohibition on the sale of an individual’s health information without that individual’s permission.

The new rule also reinforces the HITECH Act’s breach notification requirements by clarifying when breaches must be reported to HHS. Penalties are increased for noncompliance and are based on the level of negligence. The maximum penalty is $1.5 million per violation.

The full text of the pre-published rule is available online at the Federal Register. The full text of the HHS news release is available here.
