The U.S. Department of Health and Human Services (HHS) has released an update to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), aiming to better protect patient privacy and safeguard patients’ health information in the digital age, according to HHS Secretary Kathleen Sebelius.
The changes to HIPAA, according to HHS, are a bit consumer-focused. For instance, patients can now ask for a copy of their electronic medical record in an electronic form. Furthermore, HHS is allowing individuals the ability to tell their provider to not share information about their treatment with their health plan. There are also limits on how your health information can be used and disclosed for marketing and fundraising purposes. It also has forbidden the sale of a patients’ health information without their permission.
According to HHS, this HIPAA update will also expand the legislation to include greater focus and requirements of business associates of providers, payers, and other healthcare organizations that receive protected health information (PHI). HHS cites the fact that many of the largest data breaches in the past have been due to third-party mishap. As a result, penalties have been increased for noncompliance based on the level of negligence with a maximum penalty of $1.5 million per violation.
“This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented,” HHS Office for Civil Rights Director Leon Rodriguez said in a statement. “These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”