HHS Releases HIPAA Privacy and Security Update Final Rule

After years of industry anticipation, the Department of Health and Human Services (HHS) today released a display copy of the Health Information Technology for Economic and Clinical Health (HITECH) Act modifications to the Health Insurance Portability and Accountability Act (HIPAA) privacy and security regulations. These modifications will have far-reaching implications for every patient’s health records and will affect several HIM workflow processes.

“Much has changed in health care since HIPAA was enacted over fifteen years ago,” said HHS Secretary Kathleen Sebelius in a press release. “The new rule will help protect patient privacy and safeguard patients’ health information in an ever expanding digital age.”

The omnibus final rule, which is 563 pages long, enhances patient privacy protections, and provides patients new rights to access health records. The final rule:

  • Modifies HIPAA’s privacy, security, and enforcement rules to implement statutory amendments under the HITECH Act that strengthen the privacy and security of patient health information
  • Modifies the breach notification rule first issued under HITECH to address public comments received on the interim rule. Specifically, it replaces the original rule’s “risk of harm” threshold with “a more objective standard,” according to the rule’s display copy
  • Strengthens the privacy protections for genetic information by implementing section 105 of Title I of the Genetic Information Nondiscrimination Act of 2008 (GINA). Prohibits most health plans from using or disclosing genetic information for underwriting purposes
  • Makes business associates of HIPAA-covered entities directly liable for compliance with HIPAA requirements
  • Strengthens the limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibits the sale of protected health information without individual authorization
  • Allows patients the right to restrict insurance companies from accessing portions of their medical records if they paid for the corresponding treatment out of their own pocket

The right to restrict a portion of one’s medical records if treatment is paid for out of pocket is of particular concern to HIM professionals. Many EHR systems currently don’t have the capacity to single out areas of a record and restrict access to specific individuals, like payers. HIM professionals will have to work with their vendors to develop a way to honor a patient request to restrict only a portion of his or her medical records.

“Some other ‘bolt-on’ tracking system will need to be utilized to track and remind staff of a restriction on file,” said AHIMA’s Director of HIM Solutions Harry B. Rhodes, MBA, RHIA, CHPS, CPHIMS, FAHIMA.

The effective date of the final rule is March 26, 2013. The compliance date for HIPAA-covered entities and business associates is September 23, 2013.

“The final rule stands to change the practice of healthcare privacy and security as we know it,” said AHIMA’s CEO Lynne Thomas Gordon, MBA, RHIA, CAE, FACHE, FAHIMA. “It is a new era and it begins today. AHIMA will continue to lead the way in helping health information management professionals modify organizational policies and procedures to be compliant with the new rules.”

Analysis of the modifications will be forthcoming on the Journal of AHIMA website. A display copy of the rule can be viewed on the Federal Register here.

1 Comment

  1. The HIPAA privacy laws are necessary to keep individual information confidential, which is not in dispute. However, the stated intention of the law is not to create barriers between the patient and his/her doctor, but it is. The law states, for example, that the patient has the right to have their family and friends have access to their medical information and that there is no requirement for the medical provider to have any documentation, although it is permitted.
    The way it is being implemented in our area, however, is to shut down all undocumented communication between the patient, friends and family and the provider in fear of being accused of not protecting the privacy of the health information.
    The bottom line is the rule has come between the patient and the doctor, which I trust was not the intended effect.
    I realize this is strictly anecdotal information, but as I have been subjected to this shut down of communication in my own life I have found that almost every person I have discussed this with at work and church has a similar disgust with the way things work in reality. Husbands and wives cannot help each other with medical issues. Parents have no right to be told about their children’s medical conditions when they reach a certain age. Children of older adults have to have extraordinary legal documentation to help with the medical care of elderly parents. Personnel at clinics are afraid to talk to anyone but the patient for fear they will get crossways with HIPAA and be terminated because they violated someone’s privacy.
