On Thursday, the Department of Health and Human Services (HHS) issued its final rule expanding privacy and security protections for patient information under the Health Insurance Portability and Accountability Act (HIPAA). The comprehensive final rule spans more than five hundred pages. One notable provision is the expansion of direct liability for breaches to contractors, subcontractors and other business associates of healthcare providers, plans and insurers. The rule lays out penalties for non-compliance that vary with the level of negligence, up to a cap of $1.5 million per violation.
Patient rights are expanded in several ways, such as by improving access to electronic health records and giving patients the right to instruct their provider to not disclose information to their health plan about services paid for out-of-pocket. Additionally, there are new restrictions on how patient information is used for marketing and fundraising purposes, and there is a ban on selling a person's health information without obtaining his or her permission.
The rule will be published in the Federal Register on Jan. 2. Provider obligations under the new rule will be the focus of the pre-conference session on April 28th at ANCOR’s 2013 Conference in Washington, DC.