New rule: Hospital, physician partners face penalties for privacy leaks

HHS in its long-awaited privacy rule released today expanded liability of business associates of hospitals, physicians and other HIPAA-covered entities if they release data in ways that violate patient privacy.

Called the “omnibus” privacy and security rule because of its broad reach, it updates earlier Health Insurance Portability and Accountability Act rules with more stringent privacy and security measures passed under the American Recovery and Reinvestment Act of 2009.

“Much has changed in healthcare since HIPAA was enacted over fifteen years ago,” said HHS Secretary Kathleen Sebelius said in a news release coordinated with the posting of the 563-page rule in the Federal Register. “The new rule will help protect patient privacy and safeguard patients' health information in an ever-expanding digital age.”

The rule clarifies when breaches of information must be reported to the Office for Civil Rights, sets new rules on the use of patient-identifiable information for marketing and fundraising, and expands direct liability under the law to the so-called “business associates” of hospitals and physicians and other “HIPAA-covered entities.” Those associates might include a provider's healthcare data-miners and health information technology service providers.

It also restores a limited right of consent to patients to control the release to their insurance company of records about their treatment if the pay for that treatment is out of pocket. And it spells out how the greatly increased penalties for privacy and security violations under the ARRA are to be applied.

“This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented,” said Leon Rodriguez, director of the Office for Civil Rights at HHS, also in the news release. The office is the lead privacy and security enforcement agency under HIPAA.

“These changes not only greatly enhance a patient's privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a healthcare provider or one of their business associates,” Rodriguez said.

Official publication of the new rule in the Federal Register is scheduled Jan. 25. Its effective date is March 26 with a compliance date 180 days later, or Sept. 21, 2013.