HIPAA Rules Expanded to Associates
HIPAA Rules Expanded to Associates

The US Department of Health and Human Services (HHS) has announced updates to HIPAA, the Health Insurance Portability and Accountability Act, that bring patient privacy rights and safeguards up to the standards and requirements needed for the digital age.

Although several changes were implemented in the revision, the biggest change in the update is the expansion of requirements beyond health care providers, health plants and entities that work with health insurance claims to also include business associates such as contractors and subcontractors that perform services on behalf of health care providers. The amended HIPAA rules formalize many of the changes made in the 2009 Health Information Technology for Economic and Clinical Health Act (HITECH Act).

A summary of changes to HIPAA include:

  • Requirements extended to business associates of health care providers
  • Increased penalties for non-compliance to a maximum of $1.5 million / violation
  • Clarification of when breaches must be reported to HHS
  • Patients can ask for a copy of the electronic medical record in electronic form
  • When individuals pay by cash they can instruct their provider not to share information about their treatment with their health plan
  • New limits on how information is used and disclosed for marketing and fundraising purposes
  • Prohibition on the sale of health information without an individual’s permission
  • Streamlined ability to authorize the use of health information for research purposes
  • Easier process for parents and others to give permission to share proof of a child’s immunization with a school
  • Gives covered entities and business associates up to 1 year after the 180-day compliance date to modify contracts to comply with the rule
  • Integrates the Genetic Information Nondiscrimination Act (GINA) to prohibit health plans from using or disclosing genetic information for underwriting purposes

The final omnibus rule enhances patient privacy protections, provides individuals new rights to their health information, and strengthens the government’s ability to enforce the law. The new rules take effect on March 26th, 2013 for health care providers and September 23, 2013 for business associates.