By Michael L. Smith, R.R.T., J.D.
(September 30, 2013) - The Department of Health and Human Services (HHS) published amended rules applicable to the Health Insurance Portability and Accountability Act (HIPAA) of 1996 in January 2013. As explained by the Secretary of HHS, healthcare has experienced significant changes since HIPAA was enacted in 1996. The implementation of electronic medical records is just one of those changes. The new HIPAA regulations are designed to provide patients with better privacy protection and additional rights not included in the original HIPAA rules. The new rules became effective on Sept. 23, 2013.

The HIPAA regulation changes include new patient rights. Patients now have a right to request electronic copies of their records if their health care provider maintains records in electronic form. Patients also have the right to restrict the disclosure of some of their protected health information to a health plan when the patient has paid out of pocket in full for their care.

Every covered entity must modify its Notice of Patient Privacy Rights documentation to include the additional patient rights included in the new HIPAA regulations. Earlier this month, the HHS Office of Civil Rights published model Notices of Privacy Practices on its website to assist covered entities and health plans with complying with the new requirements.

According to HHS, several of the largest HIPAA breaches have involved business associates. Consequently, the new HIPAA regulations also include significantly increased requirements for business associates and the subcontractors of those business associates. A subcontractor is any entity that does not have a direct contractual relationship with a covered entity, but still receives, maintains, transmits or creates protected health information as part of its work for a business associate of a covered entity. Under the new regulations, subcontractors are included in the definition of "business associate" and are also subject to the same criminal and civil sanctions applicable to covered entities and business associates for violations of HIPAA.

The new HIPAA regulations also require each covered entity to take action to cure a breach or end a HIPAA violation by its business associate if the covered entity knows of a pattern or practice of its business associate that violates HIPAA. Covered entities will need to take a more active role in monitoring the activities of their business associates to cure breaches and end HIPAA violations.

The new HIPAA rules also include the increased penalties required by the HITECH Act. There are now four categories of violations based upon the level of culpability involved in the breach. There are corresponding penalties for each category of violation, with significantly increased minimum penalties. The maximum penalty amount is $1.5 million annually. As we have discussed in previous posts, the actual cost of violating HIPAA includes numerous other costs in addition to the penalty imposed by HHS. Those other costs include investigation costs, notice to patients, and the purchase of identity protection coverage for the affected patients.

The new HIPAA regulations strengthen the limitations on the use and disclosure of protected health information (PHI) by covered entities and business associates for marketing and fundraising purposes. The new HIPAA regulations also prohibit the sale of PHI by covered entities or business associates without the consent of the patient.

Every covered entity should ensure that its Notice of Patient Privacy documentation has been reviewed and revised as necessary to comply with the new regulations. Covered entities and business associates should ensure that all their business associate agreements are compliant with the new HIPAA regulations.

Michael L. Smith, JD, RRT is board certified in health law by The Florida Bar and practices at The Health Law Firm in Altamonte Springs, Fla. This article is for general information only and is not a substitute for formal legal advice.