By Terry Baynes
Jan 18 (Reuters) - The U.S. Department of Health and Human
Services has issued a long-awaited new rule to bolster the
privacy protections for patients' health information.
The 563-page final rule, unveiled on Thursday, makes
numerous changes to the privacy and security protections
established under the Health Insurance Portability and
Accountability Act of 1996.
Historically, HIPAA privacy rules applied to healthcare
providers, healthcare plans and firms that process health
insurance claims. The new rule extends those regulations to
so-called "business associates," such as the vendors that
contract with the healthcare companies.
Health and Human Services said in a press release announcing
the rule that some of the largest breaches reported to the
agency have involved business associates.
Before the change, vendors' obligations to secure patient
data were governed by their contracts with the healthcare
provider or health plan. Now those companies have to answer to
the government under HIPAA. The new rule also raises the
penalties, based on the level of negligence, with a maximum of
$1.5 million per violation.
"It has the potential to expand HIPAA exponentially with
respect to who could be found to violate the law," said Adam
Greene, a lawyer at Davis Wright Tremaine and former regulator.
The extension of the rule to business associates is a
significant development, said Greene, but it was mandated by the
Health Information Technology for Economic and Clinical Health
Act of 2009 and was expected by the healthcare industry.
More surprising, he said, is how the new rule changes the
standard for when a healthcare company, or its business
associate, has to provide notification when a breach has
Before the change, companies only had to report the breach
if the disclosure of information presented a significant risk of
financial, reputational or other harm to the patient. Now if
there's an unauthorized disclosure and the health information is
likely compromised, the company has to notify the patients and
the government regardless of the risk of harm. If the breach
affects more than 500 people in a certain area, the company must
also inform the local media.
HHS Office for Civil Rights Director Leon Rodriguez said in
a statement that the new rule contained the "most sweeping
changes" to the HIPAA rules since they were first implemented.