After years of industry anticipation, the Department of Health and Human Services (HHS) today released a display copy of the Health Information Technology for Economic and Clinical Health (HITECH) Act modifications to the Health Insurance Portability and Accountability Act (HIPAA) privacy and security regulations. These modifications will have far-reaching implications for every patient’s health records, and impact several HIM work flow processes.

“Much has changed in health care since HIPAA was enacted over fifteen years ago,” said HHS Secretary Kathleen Sebelius in a press release. “The new rule will help protect patient privacy and safeguard patients’ health information in an ever expanding digital age.”

The omnibus final rule, which is 563 pages long, enhances patient privacy protections, and provides patients new rights to access health records. The final rule:

  • Modifies HIPAA’s privacy, security, and enforcement rules to implement statutory amendments under the HITECH Act that strengthen the privacy and security of patient health information
  • Modifies the breach notification rule first issued under HITECH to address public comments received on the interim rule. Specifically, it replaces the original rule’s “risk of harm” threshold with “a more objective standard,” according to the rule’s display copy
  • Strengthens the privacy protections for genetic information by implementing section 105 of Title I of the Genetic Information Nondiscrimination Act of 2008 (GINA). Prohibits most health plans from using or disclosing genetic information for underwriting purposes
  • Makes business associates of HIPAA-covered entities directly liable for compliance with HIPAA requirements
  • Strengthens the limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibits the sale of protected health information without individual authorization
  • Allows patients the right to restrict insurance companies from accessing portions of their medical records if they paid for the corresponding treatment out of their own pocket

The right to restrict a portion of one’s medical records if treatment is paid for out of pocket is of particular concern to HIM professionals. Many EHR systems currently don’t have the capacity to single out areas of a record and restrict access to specific individuals, like payers. HIM professionals will have to work with their vendors to develop a way to honor a patient request to restrict only a portion of his or her medical records.

 “Some other ‘bolt-on’ tracking system will need to be utilized to track and remind staff of a restriction on file,” said AHIMA’s Director of HIM Solutions Harry B. Rhodes, MBA, RHIA, CHPS, CPHIMS, FAHIMA.

The effective date of the final rule is March 26, 2013. The compliance date for HIPAA-covered entities and business associates is September 23, 2013.

“The final rule stands to change the practice of healthcare privacy and security as we know it,” said AHIMA’s CEO Lynne Thomas Gordon, MBA, RHIA, CAE, FACHE, FAHIMA. “It is a new era and it begins today. AHIMA will continue to lead the way in helping health information management professionals modify organizational policies and procedures to be compliant with the new rules.”

Analysis of the modifications will be forthcoming on the Journal of AHIMA website.  A display copy of the rule can be viewed on the Federal Register here.