1/28/2013 11:16:00 PM,
Philip A. Janquart
WASHINGTON (CN) - The Department of Health and Human Services has changed the Insurance Portability and Accountability Act (HIPAA)'s privacy, security and enforcement rules to protect peoples' health information.
The changes come under the Health Information Technology for Economic and Clinical Health Act (HITECH), which was enacted as part of the American Recovery and Reinvestment Act of 2009, according to the DHHS. In addition to security enhancements, the changes modify the rule for Breach of Notification for Unsecured Protected Health Information, an issue specifically addressed in public comments that followed the publication of the proposed rule changes.
Specifically, the new regulations apply to health information maintained in electronic health records and other formats.
Some of the other changes include modification of the "HIPAA Privacy Rule to strengthen the privacy protections for genetic information by implementing section 105 of Title 1 of the Genetic Information Nondiscrimination Act of 2008 (GINA); and to make certain other modifications to the HIPAA Privacy, Security, Breach Notification and Enforcement rules to improve their workability and effectiveness and to increase flexibility for and decrease burden on the regulated entities," the DHHS wrote.
GINA, effective in 2009, was enacted to protect people from unfair treatment based on their DNA profile, according to the National Human Genome Research Institute. Genetic tests likely will one day become a routine part of health care, with health care providers accessing and using individuals' DNA information to detect, treat and prevent disease.
Without the legislation, however, insurance companies and even employers could discriminate against people with DNA that may show a higher chance of getting a disease like diabetes, heart disease, cancer or Alzheimer's. Insurance providers could use the information to drop or deny coverage and employers to fire employees or deny work.
"These changes are consistent with, and arise in part from, the Department's obligations under Executive order 13563 to conduct a retrospective review of our existing regulations for the purpose of identifying ways to reduce costs and increase flexibilities under the HIPAA rules," the DHHS said.
The DHHS estimated that the cost of complying with the new rule is between $114 million and $225.4 million in the first year of implementation, with the cost thereafter dropping to $14.5 million annually.
The final rule is effective March 26. Covered entities and business associates of all sizes will have 180 days beyond the effective date of the final rule to come into compliance with most of the final rule's provisions.