New OCR Rule Strengthens HIPAA Requirements
Yesterday the Office for Civil Rights (“OCR”) released a Proposed Rule modifying the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) requirements. OCR issued this Proposed Rule pursuant to the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. The Proposed Rule will not be published in the Federal Register until July 14, 2010, and there will be 60 days from that date to comment.
More specifically, this Proposed Rule modifies and strengthens the HIPAA Privacy Rule, Security Rule, and Enforcement Rule as well as the penalties and investigation provisions. The most notable changes include the following:
- The requirements of the Privacy Rule and Security Rule will apply to business associates in the same manner they currently apply to covered entities.
- Subcontractors of business associates will be considered business associates, and the business associate must obtain “satisfactory assurances” through a contract or other arrangement that the subcontractor will comply with the applicable privacy and security requirements.
- There will be new limitations on the use and disclosure of protected health information (“PHI”) in marketing and fundraising, including a requirement that individuals be given opportunities to opt out of receiving marketing or fundraising materials without any impact on their future treatment.
- Covered entities and business associates will be prohibited from selling an individual’s PHI without that individual’s authorization, and covered entities will not be allowed to coerce patients into authorization by conditioning treatment, payment, enrollment, or eligibility for benefits on authorization.
- The Proposed Rule expands patients’ rights by allowing patients to request that a covered entity restrict uses or disclosures of their PHI, and by giving patients greater access to copies of their electronic health records.
- Covered entities’ Notice of Privacy Practices given to patients must include additional information, such as the authorization requirements described above.
- Penalties for violations of HIPAA privacy and security requirements will be increased to $1.5 million per calendar year for violations of the same requirement or prohibition.
- The Proposed Rule defines the terms “reasonable cause,” “reasonable diligence,” and "willful neglect,” which provide the basis for the various categories of liability under the Enforcement Rule.
- Covered entities will have certain identified responsibilities during complaint investigations and compliance reviews.
