The U.S. Department of Health and Human Services (HHS) said it has taken steps to strengthen healthcare privacy and security protections established under HIPAA.
According to provisions contained in the final omnibus rule, patients can ask for a copy of their electronic medical record (EMR) in an electronic form. In addition, patients paying by cash can instruct their providers not to share information about their treatment with their health plan.
The final rule also sets new limits on how information is used and disclosed for marketing and fundraising, and it prohibits the sale of an individual's health information without his or her permission.
Leon Rodriguez, director of HHS' Office for Civil Rights, said in a January 17 statement that the new omnibus rule marks the biggest changes to HIPAA's privacy and security rules since it was enacted. The changes enhance patient rights, while giving HHS greater authority to enforce HIPAA's privacy and security protections.
The rule includes increased penalties for noncompliance based on the level of negligence, with a maximum penalty of $1.5 million per violation. The changes also strengthen Health Information Technology for Economic and Clinical Health (HITECH) breach notification requirements by clarifying when privacy breaches must be reported to HHS. The rule has been published in the Federal Register.
