
In 2013, the regulations under the Health Insurance Portability and Accountability Act (HIPAA) underwent significant changes that affect patients' rights and the responsibilities of healthcare providers, health plans, and the vendors that handle their data.
The HIPAA Omnibus Rule, finalized in January 2013, implements the HITECH Act of 2009 and makes explicit that genetic information is health information protected as PHI (protected health information); it did not need to add electronic records, which the Privacy and Security Rules already covered.
Patients now have the right to request an electronic copy of PHI that a covered entity maintains electronically, which makes it easier for them to share their health information with other providers.
The changes also extend HIPAA's privacy and security obligations directly to business associates and replace the old breach-notification standard with a stricter one, so PHI is better guarded against unauthorized access, use, or disclosure.
New HIPAA Rule Changes
The Omnibus Rule changes affect every healthcare provider, health plan, and organization that handles PHI on their behalf.
One of the most significant changes is the clarification that "protected health information" includes genetic information, which health plans may no longer use for underwriting purposes.
The rule also requires covered entities to obtain a patient's written authorization before selling PHI or before using it for marketing communications for which a third party pays them; authorization for other non-routine disclosures was already required under the original Privacy Rule.
Covered entities must update their notice of privacy practices to describe these new limits on marketing and sale of PHI, the right to be notified of a breach, and the right to restrict certain disclosures to a health plan.
The new rule also obliges providers to honor a patient's request that PHI about an item or service paid for in full out of pocket not be disclosed to the patient's health plan.
Patients can also request a copy of their medical records in an electronic format, which can be sent to them or to a third party they designate.
Taken together, the changes aim to increase transparency and give patients more control over their health information.
Patient Rights and Access
The Omnibus Rule expands an individual's right to receive an electronic copy of their PHI: if a provider maintains the records electronically, it must supply an electronic copy on request, in the form and format the individual asks for if that is readily producible, or otherwise in a readable electronic form the two agree on.
Providers are now required to follow patient requests that their PHI not be disclosed to a health plan for payment or healthcare operations purposes if the disclosure is not required by law and relates solely to items or services for which the patient paid out of pocket in full.
Accountability and Compliance
The Omnibus Rule expanded the definition of a "business associate" to include all entities that create, receive, maintain, or transmit PHI on behalf of a covered entity. This change makes clear that companies storing PHI on behalf of healthcare providers and plans are business associates.
Business associates are now directly subject to most provisions of the HIPAA Security Rule, as well as certain provisions of the Privacy Rule. This means they must meet the same security and privacy standards as covered entities.
The definition of a business associate also reaches down to relevant subcontractors, so a covered entity's or business associate's security requirements follow the PHI into outsourced operations. Each business associate must therefore have a written agreement with its subcontractors and make sure they meet the same security and privacy standards.
Covered entities and business associates are accountable for the actions of their subcontractors where an agency relationship exists, which adds a further layer of accountability across the healthcare supply chain.
Marketing and Sale Restrictions
The Omnibus Rule tightened marketing restrictions: a covered entity may not use or disclose PHI for marketing communications without the individual's authorization if a third party, such as a pharmaceutical company promoting its own product, compensates it for making the communication.
In-kind benefits, like brochures supplied by a third party, are not considered prohibited remuneration.
The Omnibus Rule permits payments for communications about drugs or biologics that patients have already been prescribed, as long as the payment reasonably relates to the cost of the communication.
The sale of PHI is generally prohibited without individual authorization, but certain exceptions are allowed, including public health purposes and research with a limited, cost-based fee.
Marketing Restrictions
The Privacy Rule already generally prohibited the use or disclosure of PHI for marketing purposes without an individual's authorization, but it exempted communications about a covered entity's own products and services and treatment communications, even when a third party paid for them.
The Omnibus Rule narrowed those exceptions: a covered entity that receives financial remuneration from a third party, such as a pharmaceutical company, to promote that party's product or service now needs patient authorization, and the authorization must state that remuneration is involved.
In-kind benefits, like brochures supplied by a third party, are not considered prohibited remuneration. This means that covered entities can accept these benefits without violating the rules.
A provision in HITECH preserves third-party-sponsored communications to patients about a drug or biologic they are currently prescribed, including communications describing generic equivalents.
The Omnibus Rule permits payments for these communications, such as a pharmaceutical company paying a pharmacy to send refill reminders, as long as the payment is reasonably related to the covered entity's cost of making the communication.
Sale of PHI
The sale of PHI is heavily restricted under HITECH. The Omnibus Rule generally prohibits a covered entity or business associate from receiving remuneration in exchange for PHI without the individual's authorization, and the authorization must disclose that the PHI will be sold. Several exceptions apply, and they differ in whether the fee is capped.
For example, disclosures of PHI for public health purposes fall outside the prohibition, and the rule does not cap what the covered entity may charge for them.
Disclosures for research are also exempt, but only if the fee charged is a reasonable, cost-based fee covering the cost to prepare and transmit the data; the covered entity may not profit from the disclosure.
Breach Notice
The Omnibus Rule significantly changed how covered entities handle breach notices. HITECH already required covered entities to notify individuals whose unsecured PHI was acquired, accessed, used, or disclosed in a privacy or security breach.
The Omnibus Rule replaces the earlier "significant risk of harm" standard with an objective presumption: an impermissible use or disclosure of PHI is presumed to be a reportable breach unless the covered entity or business associate can demonstrate a low probability that the PHI has been compromised.
That demonstration takes the form of a documented risk assessment of at least four factors: the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; the unauthorized person who used the PHI or to whom it was disclosed; whether the PHI was actually acquired or viewed; and the extent to which the risk has been mitigated.
If the assessment cannot show a low probability of compromise, notification is required; the burden of proof rests with the covered entity, so the assessment and its conclusion should be retained.
Implementation and Policy
Implementing the Omnibus Rule was a significant undertaking for covered entities and their business associates. The rule took effect on March 26, 2013, and compliance was required by September 23, 2013.
Existing business associate agreements were given a transition period: a contract already in place on January 25, 2013, and not renewed or modified between March 26 and September 23, 2013, could remain in force until September 22, 2014, before it had to be amended.
The extra time eased the contract workload for some organizations, but the other requirements, including breach notification and business associates' direct liability, applied from the September 2013 compliance date.
Research and Data Use
The Omnibus Rule has made it easier for researchers to obtain HIPAA authorization from participants in studies involving protected health information (PHI), simplifying the paperwork and reducing confusion.
The rule now allows a single compound authorization that covers both a conditioned research activity (such as the clinical trial itself) and an unconditioned one (such as a tissue bank), provided the form distinguishes the two and lets the participant opt in to the unconditioned activity; previously, separate forms were required.
Researchers can also obtain authorization for future research, which means one authorization can cover a range of potential studies, as long as the description lets the participant reasonably expect how their PHI may be used. This is helpful when the exact research goals are not clear at the outset.
Implications for Public Health Policy
The Omnibus Rule has significantly tightened HIPAA's requirements for business associates, making it clear that they must comply with its restrictions and can be held directly accountable for failure to do so.
This change has widened the universe of entities covered by the law to include health information exchange networks and personal health records (PHRs) offered through a covered entity's electronic health record.
The Omnibus Rule also strengthens individuals' control over their own data, including the right to restrict disclosure of PHI for purposes of carrying out payment or health care operations.
However, HIPAA continues to reflect the inherent tension between public health and individual rights, requiring access to data for surveillance and response while also protecting personal health information.
The Omnibus Rule retains HIPAA's basic structure in this regard, ensuring the availability of PHI for public health purposes and exempting public health purposes from its general proscription against the sale of PHI.
In fact, a covered entity disclosing PHI for public health purposes is not limited to a cost-based fee, unlike the research exception, which may make more data available for surveillance and related uses.
Despite these changes, critical questions remain about whether the Omnibus Rule has adequately addressed concerns over individual rights and public trust in health information.
Research
Research authorization has been simplified under the Omnibus Rule, which allows a single compound authorization for studies involving protected health information (PHI) rather than separate forms for conditioned and unconditioned research activities.
The Omnibus Rule also offers researchers a means of obtaining authorization for future research, a change from HHS's earlier interpretation of the Privacy Rule, which required each study to be specifically described.
Researchers can now use authorizations broad enough to encompass a range of future projects, such as analyzing a biomarker or a genetic association.
This change lets researchers plan for future research needs without returning to participants for a new authorization each time.
Individuals signing such an authorization must receive an adequate description of the scope of potential future research, so that they can reasonably anticipate how their PHI might be used.
Sources
- https://www.fmglaw.com/lawline/new-hipaa-rule-brings-sweeping-changes/
- https://pmc.ncbi.nlm.nih.gov/articles/PMC3804103/
- https://www.dwt.com/insights/2013/01/new-omnibus-rule-released-hipaa-puts-on-more-weigh
- https://www.rivkinradler.com/publications/the-omnibus-rule-major-changes/
- https://www.nelsonhardiman.com/takeaways-from-the-newly-published-hipaa-omnibus-rule/