Increased penalties for negligent violations under the new rule can run as high as $1.5 million a year.
The 563-page “omnibus” privacy and security rule was released Jan. 17 and carries out most of the more-stringent privacy and security protections in the American Recovery and Reinvestment Act of 2009.
Deven McGraw, a lawyer who heads the Health Privacy Project at the Center for Democracy & Technology, said she was pleased with her first read of the marketing provisions, which require patients to agree in advance, or opt in, before they can be sent marketing information based on their healthcare records.
“That's the thing that drives people nuts, that somebody else had information about their health and is using it to market to them,” McGraw said. “Congress closed that loophole and the OCR implemented it. That's huge for consumers.”
The new rule also:Prohibits the sale of patient information without a patient's consent.Provides patients with a right to insist that a provider not share their patient-care records with their insurance company if that care is paid for by the patient out-of-pocket in full.Allows entities with patient-record breaches to judge the likelihood that the information could be accessed in determining whether they must notify individuals of the breach.Adds patient-safety organizations, health information exchange organizations and e-prescribing gateways to a specific list of business associates liable under the Health Insurance Portability and Accountability Act rule.