Key Provisions of the Final Privacy Rules
Key provisions of the Privacy final rule include:
- The final rule expands in scope from the proposed version of November 1999 to cover all paper records and oral communications as well as electronic records. The proposed rule had covered only electronic records.
- Patients must receive a clear written notice of their rights, explaining how their medical information will be stored, used and disclosed. Patients will have the right to obtain, within 60 days of their request, a disclosure history listing entities that obtained information unrelated to treatment, payment or healthcare operations.
- Providers must appoint a “privacy officer” to develop and implement privacy policies within the organization and to help patients with privacy questions and concerns. Employees must receive training on the organization’s privacy policies.
- Written consent must be obtained in advance from the patient for routine transfer of information. A single signature would cover the disclosure of information for treatment and billing, but additional signatures would be needed for other uses, such as disclosure of medical information to an employer. Permission to release medical information cannot be required as a condition of treatment. For most disclosures of information, such as billing, providers may send only the minimum information necessary. For purposes of treatment, providers have full discretion in determining what information to send to other providers.
- Providers must ensure compliance with these standards by their business associates. If they know of a violation by a business associate and take no steps to correct that situation, the provider can be held responsible for violating the rules. It is expected that providers will write business associate agreements that ensure each party complies with the law.
- The final rule clarifies that employers may not access medical information for purposes unrelated to health care.
- The regulation establishes different levels of penalty for non-compliance. They range from a $100 per person fine per incident of unintentional disclosure (which can total up to $25,000 per person per year) up to a $250,000 fine and 10 years in jail for selling medical information. There is no private right of action established, thus patients do not have new grounds for suing providers under this rule.
- Patients will have the right to inspect, copy and amend information in their record. If such requests are denied, the rule permits patients to file a complaint with the health care provider or the federal government.
- The Federal rule will supersede all weaker state laws, although states are free to enact and enforce more stringent provisions. However, states may not restrict a patient’s right to access, inspect, copy and amend their health information.
- Law enforcement officers may obtain medical information only with a warrant, a subpoena, or other written legal order such as a civil investigative demand or an administrative subpoena issued by government investigators.
- HHS calculates that implementing the rule nationwide will cost $17.6 billion. However, the Department also projects savings of $29.9 billion over ten years from the implementation of other HIPAA-mandated standards. HHS believes that, taken as a whole, the various provisions of HIPAA will eventually result in substantial savings to the health care industry.
Courtesy of WEDI