The U.S. Department of Health and Human Services (HHS) released a long-awaited addendum to the Health Insurance Portability and Accountability Act (HIPAA). The four previous provisions combined to create the comprehensive new rule, which is intended to bolster patient privacy protections while simultaneously reducing the burden on data compliance professionals.
"This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented," said HHS Office for Civil Rights director Leon Rodriguez. "These changes not only greatly enhance a patient's privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a healthcare provider or one of their business associates."
As a result of the updated legislation, patients can now directly request a copy of their electronic medical record in digital format. Additionally, lawmakers have tightened data usage limitations to ensure protected health information cannot be directly sold, or repurposed for marketing or fundraising campaigns, without explicit consent.
Finally, the HIPAA addendum may clear the path for some of the more altruistic health data use cases. Patients can expect a reduced administrative burden when attempting to grant information access for medical research purposes, and parents can more easily enable providers to share immunization records with their child's school administrators.
Industry impact
As healthcare personnel pore over the legislative documentation, many of the more notable changes they see will involve business partner relations. As a greater proportion of data security incidents start to stem from third-party service providers in this increasingly collaborative operating environment, regulators have more explicitly highlighted where responsibility and liability lie for each entity. Most significantly, non-compliance fines will increase depending on severity, with a maximum penalty set at $1.5 million per HIPAA violation. Additionally, rule changes have set a higher bar for breach resolution by identifying and clarifying the scenarios in which missteps must be reported to HHS officials.
According to Government Health IT, a number of industry experts are curious to see how the HIPAA final rule may be combined with Meaningful Use standards.
"There is a lot that we are asking of people for meaningful use. To sort of load up additional privacy and security regulations on that is problematic for a lot of reasons," Center for Democracy and Technology health privacy project director Deven McGraw told the news source. "For one, it would only reach a certain population, and it might tip the scale for providers not to participate. The reality is that the privacy rule should be required of everyone."


