California Healthline, January 18, 2013
On Thursday, HHS released four final rules expanding and updating the Health Insurance Portability and Accountability Act, Modern Healthcare reports.
The rules — called for under the 2009 federal economic stimulus package’s HITECH Act and the Genetic Information Nondiscrimination Act — implement tougher privacy and security provisions. The rules:
• Clarify when breaches must be reported to HHS’ Office for Civil Rights;
• Establish new standards for the use of patient-identifiable information for fundraising and marketing;
• Expand liability to “business associates” of hospitals and other “HIPAA-covered entities,” such as data miners and health information technology service providers (Conn, Modern Healthcare, 1/17); and
• Raise the maximum penalty for noncompliance to $1.5 million per violation (Bowman, FierceHealthIT, 1/17).
According to HHS, the rules stemmed in part from an executive order that directed HHS to conduct a retrospective review of existing regulations to determine ways to reduce costs and increase flexibility under HIPAA (Sullivan, Government Health IT, 1/17).
HHS Secretary Kathleen Sebelius said the rules “will help protect patient privacy and safeguard patients’ health information in an ever expanding digital age.”
The long-awaited rules were accepted by the Office of Management and Budget in March 2012 and were expected to be published last summer (FierceHealthIT, 1/17).