Thursday, January 24, 2013

APA Generally Pleased With HIPAA Final Privacy Rule


APA says it is encouraged by additional patient privacy protections that the Department of Health and Human Services (HHS) has included in a final HIPAA rule released this week. The HIPAA Final Rule enables patients who pay with cash to instruct their health care providers to not make information about their treatment available to insurers, while also requiring health care providers who are HIPAA covered entities to include within their Notice of Privacy Practices (NPPs) a statement of the right of patients to be notified following a breach of their protected health information. It also allows patients to ask for a copy of their electronic medical records.

Also, the HIPAA Final Rule revises the definition of privacy “breach” and modifies elements contained within the risk-assessment test used to determine whether a breach of protected health information has occurred. HHS has removed the harm standard and altered its risk assessment to focus more objectively on the risk that a patient’s protected health information has been compromised. Notification of a breach is no longer necessary if a HIPAA covered entity or business associate demonstrates through a risk assessment that there is a low probability that the protected health information has been compromised. In addition, HHS has broadened the list of those who may be liable for HIPAA Privacy Rule violations to include subcontractors employed by a covered entity's business associates, while also setting a four-tier financial penalty structure for breaches deemed serious enough to warrant a federally imposed penalty. Fines will range from $100 to $50,000 per violation, with a $1.5 million annual cap.

To access a short or long summary of the HIPAA Final Privacy Rule prepared by APA’s regulatory staff, click here. The text of the rule is to be published in tomorrow's Federal Register.
