The U.S. Department of Health and Human Services (HHS) enhanced standards to improve the privacy and security of consumer health data under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The final omnibus rule greatly enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s ability to enforce the law.
Below are some of the most significant changes to existing regulations since HIPAA was enacted over fifteen years ago:
- modification to the standard for reporting breaches of unsecured protected health information (PHI);
- extension of HHS enforcement authority over business associates;
- expansion of the definition of the term business associate to include Health Information Organizations, E-prescribing Gateways, entities that provide data transmission services for PHI and which require routine access to such PHI, and personal health record vendors;
- modifications to the requirements for business associate agreements;
- new obligations for business associates to enter into business associate agreements with their own subcontractors;
- the removal of limitations on the liability of covered entities for the acts and omissions of business associates;
- changes to the requirements for notices of privacy practices;
- new limitations on the sale of PHI;
- new limitations on and clarifications concerning the use and disclosure of PHI for marketing;
- relaxation of certain limitations on the use of PHI for fundraising;
- improvement to the regulations concerning authorizations for the use or disclosure of PHI for research.
The HIPAA Privacy and Security Rules have focused on health care providers, health plans and other entities that process health insurance claims. The changes announced expand many of the requirements to business associates of these entities that receive protected health information, such as contractors and subcontractors. Some of the largest breaches reported to HHS have involved business associates. Penalties are increased for noncompliance based on the level of negligence with a maximum penalty of $1.5 million per violation. The changes also strengthen the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification requirements by clarifying when breaches of unsecured health information must be reported to HHS.