The 2013 Omnibus Rulemaking made multiple changes that impact the HIPAA Privacy Rule. All professionals deemed responsible for the protection of patient information under HIPAA must maintain an understanding of current HIPAA regulations and keep an eye out for proposed and enacted changes that will affect compliance.

Changes to the Genetic Information Nondiscrimination Act

Genetic information is now classified as “protected health information” and is therefore covered by HIPAA protection under the Privacy Rule. The Department of Health and Human Services has also placed further restrictions on the use of genetic information, ensuring that all health plans restrict genetic information use.

Health plans are prohibited from using genetic information to determine a person’s premium, eligibility, or other services associated with that person’s coverage.

Privacy Policy Changes

In years past, an organization’s HIPAA privacy policy was only required to list the uses for data that were exempt or not allowed under the Privacy Rule if the organization was going to engage in those activities. Now, privacy policies must tell users that most uses and disclosures of psychotherapy notes and protected health information for marketing and sale purposes require authorization from the patient. Health plans are also required to post the new privacy policies on their website and send out physical copies with their next annual mailing.

Privacy policies must be updated and distributed to relevant users in order to remain in compliance with new HIPAA regulations.

Immunization Information

New rules also require that providers and covered entities give schools immunization information only with verbal permission from the individual (or that individual’s guardian).

The provider is also responsible for recording this authorization in their own records, and verbal phone authorizations are allowed.

Broader Changes to HIPAA

The Privacy Rule was not the only aspect of HIPAA that received a review and upgrade during the most recent session. The overall changes made to the act involved giving individuals new rights with regard to their health information, enhancing privacy protections for patients, and allowing the government to play a bigger role in actually enforcing the law. Patients will now be allowed to request electronic versions of their medical records, so organizations that are not currently equipped to manage such requests may have to invest time and resources into becoming prepared. Other modifications included:

  • Changes to the HIPAA Enforcement Rule for an increase in the tiered civil money penalty structure outlined in the HITECH Act.
  • Final changes to the Security and Enforcement Rules required under the HITECH Act.
  • A final rule for Breach Notification for Unsecured Protected Health Information under HITECH, adding a more objective standard compared with the previous harm threshold.
  • Alterations to the Genetic Information Nondiscrimination Act to forbid health plans from using genetic information to underwrite or make changes in the policies of their patients.

Sales of Protected Health Information

Now, sales of protected health information must have an “opt-in” approach (as opposed to opt-out) for each individual authorization. Benefits, treatment, and payment may not be conditioned on whether the patient has given this authorization. Clinical trials are an exception to this rule. A sale is determined to be an exchange of information for money, with several exceptions: limited data set sharing for public health purposes, mergers and acquisitions, research purposes, and those exchanges to or by a business associate with the covered entity or affiliated groups.

Organizations impacted by HIPAA are required to add this “opt-in” approach in order to be in compliance with updated HIPAA regulations.