Jan. 18 — The U.S. Department of Health and Human Services (HHS) released its final omnibus rule calling for expanded patient privacy protections and new levels of security safeguards for patient health information, marking “the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented,” as one HHS director noted.
Although security requirements to date under HIPAA have largely focused on healthcare providers, health plans, and other entities that process health insurance claims, the latest rule expands many of the conditions for safeguards to business associates receiving personal health information, such as contractors and subcontractors.
Other changes of note: Penalties for noncompliance are increased based on the level of negligence, with a maximum of $1.5 million per violation. Providers received clarification on the timing for reporting breaches of unsecured health information to HHS. Cash-paying patients can instruct their providers not to share information about their treatment with their health plan.
See the final rule that will appear in the Jan. 25 Federal Register.
Publication Date: Friday, January 18, 2013