
New HIPAA rules expand patient protections, privacy

7-26-2013 - Patients will have significantly more privacy protections and greater access to their medical records under new regulations issued by the U.S. Department of Health and Human Services. The HIPAA Omnibus rules issued in January 2013 create sweeping changes to the Health Care Portability and Accountability Act passed in 1996. Medical providers have until Sept. 26, 2013, to come into compliance. Among other goals, the rules are intended to modernize the operation of HIPAA for today's record-keeping environment, in which increasing amounts of medical information are stored in digital format.

The rules provide more severe penalties for providers who breach privacy; require the encryption of data; tighten controls on the personal health data that may be shared or sold for marketing or fundraising purposes; compel notification of patients if a breach of their data has occurred; and extend the regulations to any vendors or business associates who may have access to a medical provider's patient health records.

From a patient's perspective, the following changes will be the most notable:

  • A patient has the right to request his/her personal health records in electronic format. Physicians must furnish the records within 30 days, with one 30-day extension permitted. Copies must be furnished in the format requested by the patient if the record can be reproduced in that format; if not, other electronic readable formats may be offered.

  • If the patient requests an electronic record to be sent to a third party such as a caregiver, another physician or mobile app, the request must be made in writing.

  • A patient who pays out-of-pocket for a treatment may request that his/her insurance company not be notified, and the request must be honored.

  • If a patient's privacy has been breached, the patient must be notified within 60 days. Prior to the omnibus rules, breaches were required to be reported only if it was determined that the breach would cause significant "harm" to the patient.

  • Family members and caregivers of deceased patients will have greater access to the deceased patient's medical records, although medical providers are required to release them only to the extent to which the requesting party was involved with the decedent's medical care. Records may not be released if prior to death the patient requested that they not be shared.

The new rules do not change our attorneys' recommendation that clients include HIPAA waivers in their estate planning documents:  

A HIPAA waiver should be included in your Health Care Power of Attorney. That way, the person you’ve authorized to make your medical decisions will have access to your health providers and be able to discuss your situation with them. Even if you have signed a HIPAA waiver in your doctor’s office, it may be unavailable or inadequate to meet your needs with other doctors, hospitals or health insurance companies. If you have an existing Health Care Power of Attorney that does not include the HIPAA waiver, you should either have it modified, or execute a separate HIPAA waiver.

A HIPAA waiver should also be included in your Revocable Living Trust. If you become disabled and your trustee must manage the assets in the trust, he/she will need to provide documentation of your disability to your financial institutions. A HIPAA waiver for your trustee relieves your medical providers of liability and enables your trustee to secure the needed information from them.

More information about the new HIPAA rules is available at the US Dept. of Health and Human Services website.
