Rule broadens legal liability

Modern Healthcare - - LATE NEWS - Joseph Conn

The full chain of “business associates” of healthcare providers and others that fall under the reach of the HIPAA privacy and security rule are now on the legal hook to protect patient medical records or be subject to enhanced penalties.

A long-awaited update to the rule extends legal liability under federal healthcare privacy and security law not only to business associates that directly contract with hospitals, physicians and health plans—firms and organizations such as data-miners, transcription services, quality-improvement organizations, health information exchanges and the like—but also to those business associates’ own “downstream” subcontractors, if those contractors routinely access patient data.

Increased penalties for negligent violations under the new rule can run as high as $1.5 million a year.

The 563-page “omnibus” privacy and security rule was released Jan. 17 and carries out most of the more-stringent privacy and security protections in the American Recovery and Reinvestment Act of 2009.

Deven McGraw, a lawyer who heads the Health Privacy Project at the Center for Democracy & Technology, said she was pleased with her first read of the marketing provisions, which require patients to agree in advance, or opt in, before they can be sent marketing information based on their healthcare records.

“That’s the thing that drives people nuts, that somebody else had information about their health and is using it to market to them,” McGraw said. “Congress closed that loophole and the OCR implemented it. That’s huge for consumers.”

The new rule also:

Prohibits the sale of patient information without a patient’s consent.

Provides patients with a right to insist that a provider not share their patient-care records with their insurance company if that care is paid for by the patient out-of-pocket in full.

Allows entities with patient-record breaches to judge the likelihood that the information could be accessed in determining whether they must notify individuals of the breach.

Adds patient-safety organizations, health information exchange organizations and e-prescribing gateways to a specific list of business associates liable under the Health Insurance Portability and Accountability Act rule.

HHS estimates industrywide compliance costs at $114 million to $225.4 million in the first year. The rule had been stuck in preelection limbo since it was sent to the Office of Management and Budget for final review in March.

“Much has changed in healthcare since HIPAA was enacted over 15 years ago,” HHS Secretary Kathleen Sebelius said in a news release. “The new rule will help protect patient privacy and safeguard patients’ health information in an ever-expanding digital age.”
