New HIPAA rules start to have impact on September 23, 2013
The final Omnibus Rule becomes effective on March 26, 2013. Covered entities and Business Associates of all sizes will have 180 days beyond the effective date of the final rule to come into compliance with most of the final rule’s provisions (September 23, 2013).
The federal Department of Health and Human Services, in response to a law passed by Congress in 2009, announced modifications to the famous HIPAA rules. As you may know, HIPAA (the Health Insurance Portability and Accountability Act) was passed by Congress under President Clinton. However, the regulations that put HIPAA into action were issued several years later under President Bush. Part of the HIPAA law dealt with the privacy of medical records, with a focus on the emergence of easily shareable electronic records.
The HIPAA confidentiality rules which resulted from that focus often seemed frustrating. They blocked distribution of personal medical information to strangers, and they also made it difficult to share personal medical information with spouses and family members. The biggest contradiction in the regulations, some feel, is that personal medical information can be freely shared within a medical group and its contractors, but cannot be shared by the patient’s family without written consent.
The updated regulations were first announced to the public in 2010, were subject to public comment and revisions, and were finalized as of March 26, 2013. Those affected by the new rules were given 180 days to comply, which means the new rules start to have impact on September 23, 2013. What are the new enhancements to the HIPAA rules? Among other things, the new rules:
1. Expand confidentiality requirements to cover “business associates” of the medical providers and health plans. This would include, for instance, companies that handle claims processing and medical billing and law firms that represent hospitals and nursing homes. Adding these entities, which may have access to your medical records, protects seniors (and others) from these back-channel privacy breaches.
2. Limit ways in which your private medical information can be used for marketing purposes, can be used for fundraising purposes, or can be sold. If a care provider wants to market products to you, wants to solicit you for charitable contributions or plans to sell your data, you must be informed in advance and must have the option to opt out of receiving those communications.
3. Require that when your medical records are kept in electronic format by the care provider, you can request a copy in electronic format. If you want a copy on a USB drive or a disk, you must provide the drive or disk or must pay the care provider for that unit. This should, however, make it faster and easier to obtain copies of your medical records.
4. Grant you the right, when you pay cash for a medical procedure, to forbid your care provider from sharing information about the medical procedure with your health insurance plan. If you want to keep a treatment confidential, you have that right if you pay in cash.
As has been true for a decade, you should have a legally binding HIPAA authorization as part of your Advance Medical Directives. Talk to your elder law attorney to be sure that your Medical Power of Attorney properly addresses HIPAA concerns. After the new rules take effect, you have additional rights that you can exercise when appropriate.