Final Rule on HIPAA Privacy, Security Contains ‘Sweeping Changes’

Patients will now be allowed to request a copy of their electronic medical records, while health care providers who are covered entities under the Health Insurance Portability and Accountability Act (HIPAA) must now include within their Notice of Privacy Practices (NPPs) a statement of the right of patients to be notified following any breach of unsecured protected health information.

These are just a couple of the new patient-focused changes contained in a final omnibus rule released by the Department of Health and Human Services’ (HHS) Office for Civil Rights on January 25.

Taking effect on March 26, the final rule “marks the most sweeping changes to the HIPAA [privacy and security protections] since they were first implemented,” said HHS Office of Civil Rights Director Leon Rodriguez in a press statement announcing release of the rule.

Other alterations to the final rule are directed at enhancing the government’s ability to enforce the law, including holding covered entities responsible for any actions of business associates that result in violation of the HIPAA privacy rule. Business associates, in turn, will be legally liable for violations of their subcontractors, regardless of the absence of a formal contract. Additionally, both business associates and their subcontractors may be held directly liable for HIPAA violations.

HHS also incorporated changes that directly affect the delivery of mental health services by covered entities who record or maintain psychotherapy notes. They are now required to include a statement in their NPPs about the authorization requirement for uses and disclosures of such information.

Psychiatric patients, too, stand to benefit from a change that enables those who pay for services with cash to instruct their providers not to make information about their treatment available to insurers. Additional privacy protections allow patients to opt out of receiving fundraising and marketing solicitations, as well as prevent private health information from being sold without express consent.

And while the final rule protects only the individually identifiable health information of deceased patients for 50 years, rather than permanently, HHS emphasizes that this specified period of protection “does not override or interfere with state or other laws that provide greater protection for such information, or the professional responsibilities of mental health or other providers.”

“The rule is very deferential to clinicians and patients,” said Julie Clements, J.D., deputy director for regulatory affairs in APA’s Department of Government Relations (DGR). “We appreciate the recognition that a clinician’s professional judgment can supersede the rule’s 50-year protection of a deceased patient’s personal health information.” The final rule also contains new language clarifying the definition of a privacy “breach” and modifying elements contained within the risk-assessment test used to determine whether a breach of protected health information has occurred.

According to a summary of the rule by DGR, any “impermissible use or disclosure of protected health information” will now be presumed to constitute a breach—unless a covered entity or business associate can demonstrate that there is a “low probability” that protected health information has been compromised.

This objective assessment of risk replaces the interim final rule’s requirement that covered entities and their business associates prove no significant risk of harm to a patient whose confidential information has been disclosed.

For those breaches deemed serious enough to warrant a federally imposed penalty, HHS has established a four-tier penalty structure. Fines will range from $100 to $50,000 per violation, with a $1.5 million cap.

Covered entities and business associates must be in compliance with the requirements of the final rule by September 23. Between now and then, all affected parties will have to modify their NPPs and patient authorization forms, update business associate agreements, and revise HIPAA policies and procedures, including those related to breach notification. ■