The U.S. Department of Health and Human Services (HHS) has released the final omnibus rule for the Health Insurance Portability and Accountability Act (HIPAA), calling it the most sweeping change to HIPAA since the law was first enacted in 1996.
The 563-page rule focuses on expanding an individual’s access to his or her medical records, strengthening privacy protections, and increasing penalties for noncompliance with HIPAA.
According to HHS, some of the largest data breaches ever reported have involved business associates. For that reason, the rule extends certain requirements of the HIPAA Privacy and Security Rules to business associates of covered entities that receive protected health information.
The rule also implements the tiered civil money penalty structure established by the Health Information Technology for Economic and Clinical Health (HITECH) Act and raises the penalties within it. Depending on the level of negligence, penalties for noncompliance now reach a maximum of $1.5 million per calendar year.
As for individual rights to medical records, the rule prohibits providers from disclosing treatment information to a patient’s health plan if the patient pays out-of-pocket, in full. Also, individuals can receive electronic copies of their health information under the rule.
Finally, the rule clarifies that, under HIPAA and the Genetic Information Nondiscrimination Act (GINA), most health plans cannot use or disclose genetic information for underwriting purposes.
The omnibus rule is located here.