This week marked the effective date for some new privacy and security rules that were released by the Department of Health and Human Services (HHS) in January. The rules, mostly amendments to the 1996 HIPAA law, took effect on Tuesday, but most have a 180-day compliance window built in.
According to Modern Healthcare, the new rules expand HIPAA privacy and security coverage, and direct liability for violations to business associates of HIPAA “covered entities.” Those contractors might include vendors of remote-hosted EHRs, office-based physicians, or firms providing hospitals with clinical and financial data analytics. In addition to healthcare providers, HIPAA covered entities include claims clearinghouses and insurance plans.
Another major change under the rule involves the policies and technologies needed to comply with a patient consent management provision. Using powers granted to HHS by the American Recovery and Reinvestment Act, a patient who pays out-of-pocket for treatment can ask a provider not to share a record of that treatment with the patient's health insurance plan. Providers must comply with that request, which presents a challenge for EHR systems and staff training.
To tackle this issue, several private sector developers, together with the Veterans Affairs Department and other federal agencies, have come up with a new software system. This system can tag entire patient records, or pieces of them, to block their exchange under this new rule as well as under other federal and state privacy laws.