(September 30, 2013) – The Department of Health and Human Services (HHS) published amended rules applicable to the Health Insurance Portability and Accountability Act (HIPAA) of 1996 in January 2013. As explained by the Secretary of HHS, healthcare has experienced significant changes since HIPAA was enacted in 1996. The implementation of electronic medical records is just one of those changes. The new HIPAA regulations are designed to provide patients with better privacy protection, and additional rights not included in the original HIPAA rules. The new rules became effective on Sept. 23, 2013.
The HIPAA regulation changes include new patient rights. Patients now have a right to request electronic copies of their records if their health care provider maintains records in electronic form. Patients also have the right to restrict the disclosure of some of their protected health information to a health plan when the patient has paid out of pocket in full for their care.
Every covered entity must modify its Notice of Patient Privacy Rights documentation to include the additional patient rights included in the new HIPAA regulations. Earlier this month, the HHS Office of Civil Rights published model Notices of Privacy Practices on its website to assist covered entities and health plans with complying with the new requirements.
According to HHS, several of the largest HIPAA breaches have involved business associates. Consequently, the new HIPAA regulations also include significantly increased requirements for business associates and the subcontractors of those business associates. A subcontractor is any entity that does not have a direct contractual relationship with a covered entity, but still receives, maintains, transmits or creates protected health information as part of its work for a business associate of a covered entity. Under the new regulations, subcontractors are included in the definition of “business associate” and are also subject to the same criminal and civil sanctions applicable to covered entities and business associates for violations of HIPAA.
The new HIPAA regulations also require each covered entity to take action to cure a breach or end a HIPAA violation by its business associate if the covered entity knows of a pattern or practice of its business associate that violates HIPAA. Covered entities will need to take a more active role in monitoring the activities of their business associates to cure breaches and end HIPAA violations.
The new HIPAA rules also include increased penalties required by the HITECH Act. Now there are four categories of violations based upon the level of culpability involved in the breach. There are corresponding penalties for each category of violation with significantly increased minimum penalties. The maximum penalty amount is $1.5 million annually. As we have discussed in previous posts, the actual cost of violating HIPAA includes numerous other costs in addition to the penalty imposed by HHS. Those other costs include investigation costs, notice to patients, and the purchase of identity protection coverage for the affected patients.
The new HIPAA regulations strengthen the limitations on the use and disclosure of protected health information (PHI) by covered entities and business associates for marketing and fundraising purposes. The new HIPAA regulations also prohibit the sale of PHI by covered entities or business associates without the consent of the patient.
Every covered entity should ensure that its Notice of Patient Privacy documentation has been reviewed and revised as necessary to comply with the new regulations. Covered entities and business associates should ensure that all their business associate agreements are compliant with the new HIPAA regulations.
Michael L. Smith, JD, RRT is board certified in health law by The Florida Bar and practices at The Health Law Firm in Altamonte Springs, Fla. This article is for general information only and is not a substitute for formal legal advice.