The U.S. Department of Health and Human Services (HHS) on Jan. 17 released privacy and security updates to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) that tighten patients' control of their personal health information. In addition to these enhanced protections, the rule also gives the federal government more control in enforcing the law.
"Much has changed in health care since HIPAA was enacted over fifteen years ago," noted HHS Secretary Kathleen Sebelius. "The new rule will help protect patient privacy and safeguard patients' health information in an ever expanding digital age."
While the previous law primarily focused on ensuring providers and health plans protected health information, the latest changes extend these requirements to "business associates" including contractors and subcontractors. Additionally, the updates detail requirements for reporting Health Information Technology for Economic and Clinical Health (HITECH) breaches to HHS.
HHS released sample business associate agreement language for bringing contracts into compliance with the updated rule. For covered entities and business associates, the compliance deadline for most requirements is Sept. 23, 2013. Changes to existing agreements must be made by September 2014.
HHS provided further details on these changes in a statement that was released on Jan. 17. Stay tuned to CardioSource.org and The ACC Advocate for updates on how these changes will impact the practice of cardiology.