Health Information Omnibus Rule adds will empower the patient – finally

The U.S. Department of Health and Human Services (HHS) has updated the data privacy and security rules involving electronic health records by finalizing the omnibus rule regarding these increasing protections.

First enacted under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and expanded under the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, these rules have created both incentives for health care providers to digitize health records and obligations to protect the data from loss or misuse.

In the 2013 omnibus rule, HHS has moved to increase the individual patient’s interest in the health data system by expanding the patient’s rights regarding their health records.

  • Patients can ask for a copy of their electronic medical record in an electronic form.
  • When individuals pay by cash they can instruct their provider not to share information about their treatment with their health plan.
  • Parents and guardians should find it easier to give permission to share proof of a child’s immunization with a school.
  • Patients must give permission before that individual’s health information is sold under an expanded number of conditions.

Digitization has swept most industries in the fifteen years since HIPAA was first enacted. Nonetheless, the cost of record conversion, concerns over privacy, and competitive issues that incentive health organizations to avoid cooperation have slowed the transition to electronic health records. The incentives of the HITECH Act and the new rule should continue pushing to complete the conversion.

The HHS press release added this observation:

 “This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented,” said HHS Office for Civil Rights Director Leon Rodriguez.   “These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”

Full implement of the new rules will take 12-18 months, providing health care providers time to adjust their processes to meet the new obligations. The 563 page rule can be viewed here. HHS’s announcement of the rule is found here.