On January 17, 2013, the Department of Health and Human Services Issued its Final Modifications to the Health Insurance Portability and Accountability Act (HIPAA), Originally Passed in 1996.
With technology and data exchange advancing so dramatically in just the last 5 years, it stands to reason that HIPAA would also require updating. In the face of broad-scale changes in both technology and health care delivery, HIPAA’s new rules are intended to strengthen the privacy and security of individuals’ protected health information. They are also more intimately entwined with the HITECH Act. Several of these new rules have important implications for telehealth practice. For practitioners, these changes impose yet more requirements in the event of a privacy breach.
This Final HIPAA Brings New Rules & Deadlines
This final HIPAA rule goes into effect on March 26, 2013, and all covered entities and their business associates must be in compliance by September 23, 2013. Business associates will be held more accountable. Maximum penalties for negligence and data breaches have been increased. The new rules also require more information to be given to consumers, and they expand enforcement operations for infractions in the handling of health care information.
New Expectations for Business Associates
Business associates of covered entities will now be directly liable for compliance with HIPAA Privacy and Security Rules’ requirements. Previously, only direct health care providers, such as clinical practitioners, clinics, hospitals and insurance companies were responsible for HIPAA compliance.
Under this new ruling, HIPAA compliance standards and liability will now apply directly to contractors, subcontractors and business service companies working for health care providers. This means that companies providing electronic health records software, teleconferencing, data back-up and storage, billing, transcription and other IT services will now be directly responsible for HIPAA compliance.
Higher Penalties for Non-Compliance
The new rule also raises the maximum penalty for data breaches. Penalties for noncompliance under the original 2009 HITECH Act were capped at $250,000, but under the new HIPAA final rule, the maximum penalty is $1.5 million per violation. Standards for data breach notification have been clarified and made more stringent.
New Patient Rights and Privacy Regulations
Individuals will now have the right to a copy of their electronic health records. When treatment is paid for completely out of pocket, patients will now have the right to request that their health care providers restrict disclosing that treatment to their health insurance companies. In addition, protected health information may not be used for marketing or fundraising purposes or sold without direct authorization.
Companies providing business services to health care providers and health insurance companies may well be unprepared for these changes. Infrastructure, documentation, and procedures for information privacy and security, including data encryption and disposal, will have to be evaluated and brought into compliance. In addition, companies will need to provide formal security training to all employees, designate a security official, and implement appropriate business associate contracts with their own subcontractors.
When HIPAA was first passed in 1996, most health care practitioners, hospitals and insurance companies scurried to bring themselves into compliance with the new standards. In the face of these final rules, business associates will have to engage in the same process.