Rule broadens legal liability
The full chain of “business associates” of healthcare providers and others that fall under the reach of the HIPAA privacy and security rule are now on the legal hook to protect patient medical records or be subject to enhanced penalties.
A long-awaited update to the rule extends legal liability under federal healthcare privacy and security law not only to business associates that directly contract with hospitals, physicians and health plans—firms and organizations such as data-miners, transcription services, quality-improvement organizations, health information exchanges and the like— but also to those business associates’ own “downstream” subcontractors, if those con- tractors routinely access patient data.
Increased penalties for negligent violations under the new rule can run as high as $1.5 million a year.
The 563-page “omnibus” privacy and security rule was released Jan. 17 and carries out most of the more-stringent privacy and security protections in the American Recovery and Reinvestment Act of 2009.
Deven McGraw, a lawyer who heads the Health Privacy Project at the Center for Democracy & Technology, said she was pleased with her first read of the marketing provisions, which require patients to agree in advance, or opt in, before they can be sent marketing information based on their healthcare records.
“That’s the thing that drives people nuts, that somebody else had information about their health and is using it to market to them,” McGraw said. “Congress closed that loophole and the OCR implemented it. That’s huge for consumers.” The new rule also: Prohibits the sale of patient information without a patient’s consent.
Provides patients with a right to insist that a provider not share their patient-care records with their insurance company if that care is paid for by the patient out-of-pocket in full.
Allows entities with patient-record breaches to judge the likelihood that the information could be accessed in determining whether they must notify individuals of the breach.
Adds patient-safety organizations, health information exchange organizations and e-prescribing gateways to a specific list of business associates liable under the Health Insurance Portability and Accountability Act rule.
HHS estimates industrywide compliance costs at $114 million to $225.4 million in the first year. The rule had been stuck in preelection limbo since it was sent to the Office of Management and Budget for final review in March.
“Much has changed in healthcare since HIPAA was enacted over 15 years ago,” HHS Secretary Kathleen Sebelius said in a news release. “The new rule will help protect patient privacy and safeguard patients’ health information in an ever-expanding digital age.”