Under HIPAA and ARRA, physicians are required to control the ways in which they use and disclose patients' protected health information.
The U.S. Department of Health & Human Services' (HHS) Office for Civil Rights (OCR) oversees compliance with the HIPAA Privacy requirements. In January 2013, OCR published an omnibus final rule that covers changes to the HIPAA rule as required by ARRA; final regulations on notifications associated with the breach of patient information that has not been encrypted; modifications to the HIPAA rule regarding privacy protections for genetic information as required by the Genetic Information Nondiscrimination Act (GINA); and additional changes to the HIPAA privacy, security, and enforcement rules. The compliance date for the final omnibus rule was September 23, 2013.
The AMA developed a plain-English toolkit, "HIPAA privacy and security toolkit: Helping your practice meet new compliance requirements," which walks physicians through what they must do to comply with the changes to the HIPAA privacy and security rules by the September 23, 2013 compliance deadline. Key provisions in the HIPAA omnibus rule cover:
- Extending the applicability of certain of the Privacy and Security Rules’ requirements to the Business Associate (BA) of Covered Entities (CE);
- Requiring CEs and BAs to provide for notification of breaches of unsecured Protected Health Information (PHI);
- Establishing new limitations on the use and disclosure of PHI for marketing and fundraising purposes;
- Limiting circumstances on the sale of PHI;
- Requiring the consideration of a limited data set as the minimum necessary amount of information for a particular use, disclosure, or request of PHI;
- Expanding individuals’ rights to obtain restrictions on certain disclosures of PHI to health plans; and
- Strengthening enforcement provisions.
The AMA also has a fact sheet that describes what constitutes a health care information "breach" and when notice of a breach is required to the federal government.
On November 26, 2012, the Department of Health and Human Services Office for Civil Rights released guidance about methods and approaches to de-identify protected health information (PHI) to aid physicians and other covered entities subject to the HIPAA Privacy Rule.
The U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR) initiated 115 audits of HIPAA covered entities in late 2011 through a pilot program to assess compliance with HIPAA privacy and security requirements. The audits stem from the American Recovery and Reinvestment Act of 2009 (ARRA), which requires HHS to conduct periodic audits to assess compliance. The pilot program is expected to conclude in December 2012. More information about the program can be found on the HHS website.
- HIPAA "Omnibus Rule" - revised HIPAA privacy, security and breach notification rules that went into effect September 23, 2013
- Federal Privacy Legislation
- HHS Office for Civil Rights (OCR) - agency with oversight over HIPAA Privacy and Security requirements
- Office of the National Coordinator for Health IT (ONC) - webpage on Privacy and Security
- Response to OCR Guidance on Specifying Technologies and Methodologies that Render PHI Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for the Purposes of Meeting the Breach Notification Requirements, May 21, 2009