Healthcare records at a Virginia medical office, file photo. REUTERS Hyungwon Kang

Final HIPAA rule makes 'sweeping changes' to patient privacy

1/18/2013

By Terry Baynes

Jan 18 (Reuters) - The U.S. Department of Health and Human Services has issued a long-awaited new rule to bolster the privacy protections for patients' health information.

The 563-page final rule, unveiled on Thursday, makes numerous changes to the privacy and security protections established under the Health Insurance Portability and Accountability Act of 1996.

Historically, HIPAA's privacy and security rules applied directly only to "covered entities": healthcare providers, health plans and the clearinghouses that process health insurance claims. The new rule extends those regulations to so-called "business associates," the vendors and subcontractors that create, receive, maintain or transmit protected health information on a covered entity's behalf.

Health and Human Services said in a press release announcing the rule that some of the largest breaches reported to the agency have involved business associates.

Before the change, vendors' obligations to secure patient data were governed only by their contracts with the healthcare provider or health plan. Now those companies are directly liable to the government under HIPAA. The new rule also raises the civil penalties, in tiers based on the level of negligence, up to an annual maximum of $1.5 million for all violations of an identical provision.

"It has the potential to expand HIPAA exponentially with respect to who could be found to violate the law," said Adam Greene, a lawyer at Davis Wright Tremaine and former regulator at HHS.

The extension of the rule to business associates is a significant development, said Greene, but it was mandated by the Health Information Technology for Economic and Clinical Health Act of 2009 and was expected by the healthcare industry.

More surprising, he said, is how the new rule changes the standard for when a healthcare company, or its business associate, has to provide notification when a breach has occurred.

Before the change, companies only had to report a breach if the disclosure of information presented a significant risk of financial, reputational or other harm to the patient. Now any impermissible use or disclosure of protected health information is presumed to be a breach, and the company must notify the affected patients and the government unless its risk assessment shows a low probability that the information has been compromised, regardless of whether the patient is likely to be harmed. If the breach involves more than 500 residents of a state or jurisdiction, the company must also notify prominent local media outlets.

HHS Office for Civil Rights Director Leon Rodriguez said in a statement that the new rule contained the "most sweeping changes" to the HIPAA rules since they were first implemented.


© 2013 Thomson Reuters