This Final Rule is another signal from HHS that it will aggressively enforce the HIPAA Privacy and Security Rules, beginning immediately. If covered entities and business associates do not already have strong HIPAA compliance programs in place to prevent and detect potential violations of the Privacy and Security Rules, they should establish such programs now. Those that do have programs in place should review them to make sure that they comply with the HIPAA Privacy and Security Rules, including the new provisions of the HITECH Act.
ARRA’s HITECH Privacy and Security
On Jan. 17, 2013, the Department of Health and Human Services (HHS) released the Omnibus Final Rule (Final Rule) interpreting and implementing various provisions of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) and the Genetic Information Nondiscrimination Act of 2008 (GINA). In the Final Rule, HHS modified the standard that HIPAA-covered entities, including healthcare providers and health plans, and their business associates must use to determine if a breach of protected health information (PHI) has occurred. Specifically, HHS replaced the previous standard, which required analysis of the risk of financial, reputational or other harm to an individual, with a standard that presumes that a breach has occurred. Accordingly, breaches of limited data sets, regardless of their content, must be handled like all other breaches of PHI.
Individual rights are expanded in important ways. Patients can ask for a copy of their electronic medical record in an electronic form. When individuals pay in cash, they can instruct their provider not to share information about their treatment with their health plan. The final omnibus rule sets new limits on how information is used and disclosed for marketing and fundraising purposes and prohibits the sale of an individual's health information without their permission.