If knowledge--including patient data--is power, then the U.S. Department of Health & Human Services has sent a message to providers and other organizations charged with handling and protecting that data when it published the HIPAA omnibus final rule: With great power comes great responsibility.
Among the more notable changes to the rule is a new tiered penalty structure for covered entities that violate the law. It increases fines to as much as $50,000 for "willful neglect" of information without correction, and $1.5 million for multiple violations of identical provisions.
"Congress was very clear that they expect the law to be enforced in a more aggressive way," Marcy Wilder, director of the global privacy and information management practice for Washington, D.C.-based law firm Hogan Lovells, told FierceHealthIT in an exclusive interview for this special report.
"They dramatically increased the ability of HHS to impose monetary penalties. They also said that they expect HHS, when there is willful neglect involved in a violation, will not focus on informal resolution needs, but rather will take formal action," said Wilder, former Deputy General Counsel for HHS, who served as the lead attorney in the development of HIPAA privacy regulations.
Monetary penalties aside, four areas of the rule that will have a significant impact on providers are:
- A change that makes business associates and their subcontractors liable for breaches of personal health information
- An enhanced right for patients to obtain electronic copies of their records
- An enhanced right for individuals to request restrictions regarding disclosure of their PHI
- A change to the breach notification rule in which any disclosure of PHI is presumed to be a breach