Healthcare Business News

Late News: Rule broadens legal liability

By Joseph Conn
Posted: January 19, 2013 - 12:01 am ET

The full chain of “business associates” of healthcare providers and of other entities that fall under the HIPAA privacy and security rule is now on the legal hook to protect patient medical records or face enhanced penalties.

A long-awaited update to the rule extends legal liability under federal healthcare privacy and security law not only to business associates that directly contract with hospitals, physicians and health plans—firms and organizations such as data-miners, transcription services, quality-improvement organizations, health information exchanges and the like—but also to those business associates' own “downstream” subcontractors, if those contractors routinely access patient data.

Increased penalties for negligent violations under the new rule can run as high as $1.5 million a year.

The 563-page “omnibus” privacy and security rule was released Jan. 17 and carries out most of the more-stringent privacy and security protections in the American Recovery and Reinvestment Act of 2009.

Deven McGraw, a lawyer who heads the Health Privacy Project at the Center for Democracy & Technology, said she was pleased with her first read of the marketing provisions, which require patients to agree in advance, or opt in, before they can be sent marketing information based on their healthcare records.

“That's the thing that drives people nuts, that somebody else had information about their health and is using it to market to them,” McGraw said. “Congress closed that loophole and the OCR implemented it. That's huge for consumers.”

The new rule also:

  • Prohibits the sale of patient information without a patient's consent.
  • Provides patients with a right to insist that a provider not share their patient-care records with their insurance company if that care is paid for by the patient out-of-pocket in full.
  • Allows entities that suffer a patient-record breach to weigh the likelihood that the information was actually compromised when determining whether they must notify the affected individuals.
  • Adds patient-safety organizations, health information exchange organizations and e-prescribing gateways to a specific list of business associates liable under the Health Insurance Portability and Accountability Act rule.

HHS estimates industrywide compliance costs at $114 million to $225.4 million in the first year. The rule had been stuck in pre-election limbo since it was sent to the Office of Management and Budget for final review in March.

“Much has changed in healthcare since HIPAA was enacted over 15 years ago,” HHS Secretary Kathleen Sebelius said in a news release. “The new rule will help protect patient privacy and safeguard patients' health information in an ever-expanding digital age.”
