The new regulations for the Omnibus Health Insurance Portability and Accountability Act, or the HIPAA rule, became effective March 26, 2013, and healthcare providers and business associates have until September 23, 2013 to comply. The new HIPAA regulations are published in the January 25, 2013 issue of the Federal Register; highlights are listed below.
Patients can now ask for copies of their electronic health record in electronic format. Also, for both paper and electronic record requests, healthcare providers (hospitals, clinics, offices, and so on) have only 30 days to fulfill the request. Previously, there was a 30-day extension for records that were stored off site or not immediately retrievable. Another new regulation is that when patients pay for services personally and in full, they can now require that healthcare providers not share information about the services received with their health plans and insurers. The regulations are also now more restrictive on using, sharing, and selling personal information for marketing and fundraising.
Changes that healthcare providers will likely applaud include a more streamlined process for using personal health information for research purposes, and the mandate that insurance companies cannot use genetic information for coverage and cost determinations. However, this prohibition does not apply to long-term care insurance plans.
There is also a change in how to determine when a privacy breach has to be reported to the government. Until now, healthcare providers have followed the harm standard, under which a breach was reportable only if it posed a significant risk of harm to the patient’s finances or reputation. The regulations now state that any loss or inappropriate disclosure of data is presumed to be a breach unless the healthcare provider (hospital, clinic, or business associate) can demonstrate that there is a low probability the information will be used improperly.
Business associates, such as billing and transcription service providers, are now required to comply with HIPAA, and must have safeguards, policies, and procedures in place for keeping data secure. The penalties for noncompliance have also increased. Previously, the limit was $25,000 per violation; the penalty is now $50,000 per violation, with an annual limit of $1.5 million.