HHS's Forwards New Rule to Protect Patient Privacy, Secures Health Information

The U.S. Department of Health and Human Services (HHS) has unveiled the final omnibus rule to strengthen the privacy and security protections for health information that was established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

According to HHS, contractors, subcontractors and other business associates of healthcare entities that process health insurance claims will now be liable for the protection of private patient information under the updated rule. In addition, monetary penalties for noncompliance with the rule have increased, with a maximum penalty of $1.5 million per violation.

It also arranges how new rules for how patient information can be used for marketing and fundraising purposes, and ensures that such information cannot be sold without a patient's permission. The changes in the final rulemaking offer the public with increased protection and control of personal health information.

"This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented," HHS Office for Civil Rights Director Leon Rodriguez said in a statement. "These changes not only greatly enhance a patient's privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates."

Deven McGraw, director of the health privacy project at Center for Democracy and Technology and a member of the federal advisory Health IT Policy Committee, said this is a very positive development for healthcare.

 “Much has changed in health care since HIPAA was enacted over fifteen years ago,” said HHS Secretary Kathleen Sebelius. “The new rule will help protect patient privacy and safeguard patients’ health information in an ever expanding digital age.”

According to the sources, the new rule will come in to affect from March 26 this year, with a compliance date of September 21.