Patients have more rights to records under final HIPAA rule

These are some of the key changes in the Health Insurance Portability and Accountability Act (HIPAA) final rule released recently by the Department of Health and Human Services (HHS):

  • Business associates and subcontractors of business associates will have direct liability for compliance with certain provisions of the HIPAA Privacy Rule and the HIPAA Security Rule.
  • The definition of a business associate has been broadened to include companies that only store or maintain protected health information (PHI).
  • The requirements for providing notice of privacy practices were strengthened.
  • Patients will have more rights to receive electronic copies of their health information.
  • Patients will have more ability to restrict the disclosure of health information to a health plan for treatment for which the individual has paid out-of-pocket in full.
  • Limits on the use and disclosure of PHI for marketing and fundraising purposes were expanded.
  • PHI may not be sold without individual authorization.
  • The “harm” threshold in the Breach Notification Interim Final Rule was replaced with a more objective standard. The new rule eliminates the risk of harm threshold and provides instead that the unauthorized acquisition, access, use, or disclosure of protected health information is presumed to be a data breach unless a covered entity or business associate demonstrates that there is a low probability that the protected health information (PHI) was compromised.
  • There are more protections for genetic information.
  • The final rule streamlines individuals’ ability to authorize the use of their health information for research purposes.
  • The rule makes it easier for parents and others to give permission to share proof of a child’s immunization with a school.
  • HIPAA will no longer provide privacy protections for a decedent’s health information to the same extent and in the same manner as living individuals. Under the final rule, the health information of individuals who have been deceased for more than 50 years will no longer be protected by the Privacy Rule at all. In addition, covered entities will be permitted to disclose PHI to a family member or other individual involved in the care of a decedent, unless this disclosure is inconsistent with a prior expressed preference of the decedent.