On Thursday, the U.S. Department of Health and Human Services issued a new rule enhancing the privacy protection of patients' health information. The newly issued 563-page final document makes a multitude of changes to the privacy and security protection provisions of the Health Insurance Portability and Accountability Act of 1996.
HIPAA privacy rules have usually applied to healthcare providers, health plans and firms that process health insurance claims. The new rule, however, extends the scope of the regulations to “business associates” such as vendors of healthcare companies.
Prior to the change, the obligations of vendors that obtain patient data were governed by the contracts they had with the respective healthcare providers or health plans. Now that the new rule is coming into effect, such vendors are directly answerable under HIPAA regulations. Penalties for negligence have also been raised to a maximum of $1.5 million per violation.
Most of the new changes had been mandated by the Health Information Technology for Economic and Clinical Health Act of 2009, but were still in the process of being incorporated into HIPAA.
One of the major changes in the new rule concerns the way breaches are reported. Before the new rule, companies had to report a breach only if the disclosure of information resulting from the breach presented a serious risk of financial, reputational or other harm to the patient. Under the new rule, healthcare companies must report any unauthorized disclosure and any possibility that health information has been compromised. Regardless of the risk involved in such an unauthorized disclosure of a patient’s health information, healthcare companies and vendors are now obliged to notify both the government and the patient. If a breach can affect 500 people or more, the parties concerned must notify the local media as well.