Many consider the several data breaches in hospitals across the nation clear indications that more should be done to ensure the security and protection of EHRs. In recent months, some breaches, like those at the University of Virginia’s Medical/Continuum Home Infusion Center, Alere Home Monitoring in Waltham, Mass., and Kaiser Permanente (as reported by healthcareinfoseurity.com) – pose a major concern for all.
The alarming rate of breaches and the recognition that HIPAA, enacted 15 years ago, must be updated, signal it is time to make changes to ensure patients’ medical data is being protected. Accordingly, the HHS has been pushed to move and update HIPAA regulations. The CMS announced changes to HIPAA in a press release revealed last Thursday, Jan. 17.
Some of the changes to the HIPAA regulations include the following:
- All business associates (contractors, subcontractors, etc.) now face increased penalties associated with data breaches. Any breach due to noncompliance (based on the level of negligence) holds a maximum penalty of $1.5 million per violation.
- Patients have the right to ask for a copy of their EHRs in an electronic form.
- When they pay out of pocket, patients have the right to ask that providers not share information about their treatment with their health plan.
- New limits regulate the use of patient information for marketing and fundraising purposes, as well as prohibit the sale of individual health information without patient permission or consent.
- A rule streamlines individuals’ abilities to authorize the use of their health information for research purposes, making it easier for parents and others to give permission to share proof of a child’s immunization with a school. The rule gives covered entities and business associates up to one year after the 180-day compliance date to modify contracts to comply with the rule.
- Lastly, a rule clarifies that genetic information is protected under the HIPAA Privacy Rule and prohibits most health plans from using or disclosing genetic information for underwriting purposes. This was in relation to the statutory changes under the HITECH Act, and the Genetic Information Nondiscrimination Act of 2008 (GINA).
These changes will require business associates to reevaluate their security practices and ensure that proper safeguards are in place to protect electronic data. In addition, hospitals and healthcare providers will need to make changes in their systems to track authorizations and ensure that their data usage and management associated with marketing and research are in full compliance with the new rules.
See ten more grains of wisdom from the final HIPAA omnibus rule here.