Government News
Published Online: 1 March 2013

Final Rule on HIPAA Privacy, Security Contains ‘Sweeping Changes’

Patient rights and provider accountability are at the heart of the final HIPAA privacy and security rule.

Abstract

The Department of Health and Human Services enhances the security of private health information and clarifies the role of physicians and their business associates in ensuring that such data are protected.
Patients will now be allowed to request a copy of their electronic medical records, while health care providers who are covered entities under the Health Insurance Portability and Accountability Act (HIPAA) must now include within their Notice of Privacy Practices (NPPs) a statement of the right of patients to be notified following any breach of unsecured protected health information.
These are just a couple of the new patient-focused changes contained in a final omnibus rule released by the Department of Health and Human Services’ (HHS) Office for Civil Rights on January 25.
Taking effect on March 26, the final rule “marks the most sweeping changes to the HIPAA [privacy and security protections] since they were first implemented,” said HHS Office for Civil Rights Director Leon Rodriguez in a press statement announcing release of the rule.
Other alterations to the final rule are directed at enhancing the government’s ability to enforce the law, including holding covered entities responsible for any actions of business associates that result in violation of the HIPAA privacy rule. Business associates, in turn, will be legally liable for violations of their subcontractors, regardless of the absence of a formal contract. Additionally, both business associates and their subcontractors may be held directly liable for HIPAA violations.
HHS also incorporated changes that directly affect the delivery of mental health services by covered entities who record or maintain psychotherapy notes. They are now required to include a statement in their NPPs about the authorization requirement for uses and disclosures of such information.
Psychiatric patients, too, stand to benefit from a change that enables those who pay for services with cash to instruct their providers not to make information about their treatment available to insurers. Additional privacy protections allow patients to opt out of receiving fundraising and marketing solicitations, as well as prevent private health information from being sold without express consent.
And while the final rule protects only the individually identifiable health information of deceased patients for 50 years, rather than permanently, HHS emphasizes that this specified period of protection “does not override or interfere with state or other laws that provide greater protection for such information, or the professional responsibilities of mental health or other providers.”
“The rule is very deferential to clinicians and patients,” said Julie Clements, J.D., deputy director for regulatory affairs in APA’s Department of Government Relations (DGR). “We appreciate the recognition that a clinician’s professional judgment can supersede the rule’s 50-year protection of a deceased patient’s personal health information.” The final rule also contains new language clarifying the definition of a privacy “breach” and modifying elements contained within the risk-assessment test used to determine whether a breach of protected health information has occurred.
According to a summary of the rule by DGR, any “impermissible use or disclosure of protected health information” will now be presumed to constitute a breach—unless a covered entity or business associate can demonstrate that there is a “low probability” that protected health information has been compromised.
This objective assessment of risk replaces the interim final rule’s requirement that covered entities and their business associates prove no significant risk of harm to a patient whose confidential information has been disclosed.
For those breaches deemed serious enough to warrant a federally imposed penalty, HHS has established a four-tier penalty structure. Fines will range from $100 to $50,000 per violation, with a $1.5 million cap.
Covered entities and business associates must be in compliance with the requirements of the final rule by September 23. Between now and then, all affected parties will have to modify their NPPs and patient authorization forms, update business associate agreements, and revise HIPAA policies and procedures, including those related to breach notification.
HHS’s final rule on modifications to HIPAA privacy, security, enforcement, and breach notification is posted at http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf. Short and long summaries of the final rule prepared by APA regulatory staff are posted at http://www.psychiatry.org/advocacy--newsroom/advocacy/physician-reimbursement-and-practice.

Published in print: February 16, 2013 – March 1, 2013

Keywords

  1. HIPAA
  2. patient privacy