The HIPAA Comprehensive Regulation was printed on Jan 25, 2013, by the Division of Health and Human Services (HHS) like an improvement to the Health Insurance Portability and Accountability Act (HIPAA). The latest rule came into effect on March 26, 2013, and changes current HIPAA rules to provide greater safety of patient data; spreading the reach of HIPAA as well as changing rules to conform them with the Health Information Technology for Economic and Clinical Health (HITECH) Act.
The HIPAA Comprehensive Rule has several changes, though it introduces 4 new regulations:
- The HIPAA Security, Privacy, and Enforcement rules have been upgraded as follows: 1 Responsibility for HIPAA compliance expanded to include subcontractors and business associates
1.2 Sale of PHI barred without approval and the use of PHI for fundraising or marketing has been prohibited.
- Greater powers for patients letting them access to their electronic medical as well as health data, while limiting info which should be revealed to a health plan if the patient has paid cure fully.
- Notices of Privacy Practices should be modified by HIPAA-covered companies
1.5 Clarifies the process of identifying security and privacy breaches and when they are reportable by business associates as well as other covered entities.
- Launch of a ranked structure of fiscal fines under HITECH.
- HITECH violation notification regulations have been clarified to assist healthcare companies assess whether a security violation should be informed.
- HIPAA Secrecy Rule changed as per the Genetic Information Nondiscrimination Act, (GINA) as suggested in Oct 2009, to avoid the use or disclosure of genetic info with the aim of underwriting health plans.
New Fines for HIPAA Security Violations
Breach of the Health Insurance Portability and Accountability Act (HIPAA) will see a fiscal fine incurred of between $100 and $50,000 for each separate breach if it can be proven the business has acted with a sensible amount of carefulness and the violation happened without the awareness of the entity involved.
In the event of a rule breach due to sensible reason the fine increases to between $1,000 and $50,000 for each breach, provided there was no intentional negligence. In instances of deliberate carelessness the fine will be between $10,000 and $50,000 for each offense. A minimum penalty of $50,000 for each breach up to a maximum yearly fine of $1.5 million for each year will apply in cases of deliberate negligence where there was no timely reaction to tackle a security infringement.
Security, Privacy and Enforcement Regulations for Violations
A violation notice should be issued unless a business associate or the organization can establish with the rational conviction that no PHI has been disclosed to – or accessed by – an unauthorized person. Proof should also be provided to reinforce this. Business associates should decide the type of any data accessed, whether private identifiers have been seen, who the PHI was moved to, the danger to patients and whether that danger has been lessened.
Who Does the Comprehensive Rule Affect?
Healthcare professionals and physicians who store or transmit electronic health info together with any business associates who transmit, receive or maintain PHI data files are covered under HIPAA, and for that reason, the latest Comprehensive Rule will be applicable.
Business partners or any entity that provides data transmission services or requires access to PHI or offers a personal health record for a HIPAA-covered entity or is a subcontractor with access to PHI should also abide by the Comprehensive Rule.
The Comprehensive Rule creates a material change and therefore needs an update of the Notifications of Secrecy Protection by covered entities. Healthcare companies as well as other covered entities have until Sept 23, 2013, to modernize NPP’s and apply the latest rules. Following this day a failure to apply the changes will be considered non-compliance and is expected to incur fiscal fines.