Under HIPAA and ARRA, physicians are required to control the ways in which they use and disclose patients’ protected health information.
The educational resource "What you need to know about the new health privacy and security requirements" outlines the compliance deadlines associated with the newly expanded requirements for the protection of patient health information, patients' rights to this information, and the administrative protections physicians must have in place.
The U.S. Department of Health & Human Services' (HHS) Office for Civil Rights (OCR) oversees compliance with the HIPAA Privacy requirements. As a result of ARRA, several new regulations will be published implementing the law. In January 2013, OCR published an omnibus final rule that covers changes to the HIPAA rule as required by ARRA; final regulations on breach notification requirements; modifications to the HIPAA rule regarding privacy protections for genetic information as required by the Genetic Information Nondiscrimination Act (GINA); and additional changes to the HIPAA privacy, security, and enforcement rules. The final rule is effective on March 26, 2013, but HIPAA covered entities (e.g., physicians, other health care providers, health plans, and clearinghouses) and their business associates have until Sept. 23, 2013 to comply with the new HIPAA privacy and security requirements.
Read the AMA's summary of the new requirements. The AMA will also be updating website resources on this page in the coming weeks.
Key provisions in the HIPAA omnibus rule cover:
- Extending the applicability of certain of the Privacy and Security Rules’ requirements to the Business Associate (BA) of Covered Entities (CE);
- Requiring CEs and BAs to provide for notification of breaches of unsecured Protected Health Information (PHI);
- Establishing new limitations on the use and disclosure of PHI for marketing and fundraising purposes;
- Limiting circumstances on the sale of PHI;
- Requiring the consideration of a limited data set as the minimum necessary amount of information for a particular use, disclosure, or request of PHI;
- Expanding individuals’ rights to obtain restrictions on certain disclosures of PHI to health plans; and
- Strengthening enforcement provisions.
According to the new breach notification rules, physicians are required to notify patients if there are breaches of security involving their medical information. The educational resource "What you need to know about the new HIPAA Breach Notification Rule" provides an overview of these new requirements.
On November 26, 2012, the Department of Health and Human Services Office for Civil Rights released guidance about methods and approaches to de-identify protected health information (PHI) to aid physicians and other covered entities subject to the HIPAA Privacy Rule.
The U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR) initiated 115 audits of HIPAA covered entities in late 2011 through a pilot program to assess compliance with HIPAA privacy and security requirements. The audits are required by the American Recovery and Reinvestment Act of 2009 (ARRA), which directs HHS to conduct periodic audits to assess compliance. The pilot program is expected to conclude in December 2012. More information about the program can be found on the HHS website.
How to "HIPAA" - Top 10 Tips to understand the basics about the Privacy Rules.
Federal Privacy Legislation
HHS Office for Civil Rights (OCR) - agency with oversight over HIPAA Privacy and Security requirements
Office of the National Coordinator for Health IT (ONC) - webpage on Privacy and Security
AMA Privacy Comment letters
AMA comments on the Accounting of Disclosures Proposed Rule, November 10, 2011
Response to OCR Guidance on Specifying Technologies and Methodologies that Render PHI Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for the Purposes of Meeting the Breach Notification Requirements, May 21, 2009