Posted by: Heinz Brisske

Yesterday, the U.S. Department of Health & Human Services (HHS) announced that it has moved forward in strengthening the security protections for protected health information originally established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) by issuing a new omnibus rule in connection with the American Recovery and Reinvestment Act of 2009. The rule also gives individuals new rights and gives the government greater ability to enforce these regulations.

One of the changes made in the 563-page rule is an expansion of the requirements placed on business associates of hospitals, physicians and other HIPAA-covered entities who receive protected health information, including contractors and subcontractors. This provision comes as numerous breaches of protected information have originated with the business associates of these covered entities. Penalties for noncompliance resulting from negligence have been increased to a maximum of $1.5 million per violation.

Patients can now ask for a copy of their medical record in electronic form.

The rule also sets limits on how protected information can be used for marketing and fundraising purposes. If a patient pays out of pocket for a particular procedure or treatment, the patient can limit what information about that procedure or treatment is given to their insurance company.

HHS Civil Rights Director, Leon Rodriguez, stated, “These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”

The rulemaking as summarized above can be found in the Federal Register at: