DHHS Gives Teeth to HIPAA

The U.S. Department of Health & Human Services (“DHHS”) has issued a Final Rule amending HIPAA to strengthen privacy and security protections for individual health information (“PHI”). In short, HIPAA now has teeth for enforcement. All covered entities (which generally translates into medical care providers) that provide patients with access to health records via electronic means must now meet certain technical requirements for the storage and communication of PHI. The new rule also expands patients’ right to access electronic PHI and increases the notice a medical care provider gives regarding privacy practices. It also makes clear that business associates of covered entities are directly liable for compliance with HIPAA’s privacy and security requirements. Additionally, the new rule adopts the additional 2009 amendments (known as the “HITECH Act”), enhancing the enforcement provisions of HIPAA, such as provisions regarding noncompliance with HIPAA’s security and privacy rules, a tiered civil penalty system for failure to comply, and requisite notice for potential breaches of PHI privacy and security.

The DHHS’s Final Rule can be found here.