The new privacy and security rules of HIPAA will apply effective 23rd September 2013. Healthcare professionals are required to put in place all the necessary procedures for compliance with the new rules. These new rules have been framed to align them with other legal mandates relating to the maintenance and management of electronic records and personal information of patients.

A significant change has been made in breach notification requirements. Healthcare professionals now have an obligation to disclose to the patient any breaches that may occur with reference to their personal health data. All such breaches are presumed to be “reportable” unless the prescribed in-depth “four factor analysis” (the nature of the personal health information, the category of person who obtained unauthorized access, the nature of the access, and the nature of the risk involved) reveals that there is a low probability of the personal health information being compromised. The breach notification must include individual notification, HHS notification and, where applicable, media postings.

The new rules stipulate that healthcare professionals covered under HIPAA cannot disclose patient care information to health plans or similar health services when the patient has paid out of pocket and requests non-disclosure, unless such a disclosure is mandated by law. This changes the existing provision, which permitted healthcare professionals to refuse patient requests for non-disclosure of personal health information. The apprehension is that this will impact the smooth flow of documentation and follow-up on patient healthcare.

Further, the new rules limit marketing communications that physicians may want to share with their patients. The physician cannot draw the patient’s attention to such communications unless the patient has provided the physician with a written authorization to do so. However, physicians may communicate such information if they have no monetary gain from the communication, if the communication is face to face, or if the communication relates to the treatment being provided to the patient or involves general health promotion. Communications regarding government-sponsored programs are exempted under this rule.

The new HIPAA rules categorically state that physicians cannot sell personal health information of patients without written consent from the patient. The rule covers licenses and lease agreements and includes disclosures connected with research that is conducted for profit. However, childhood immunization information can now be disclosed to schools that are required to obtain proof of immunization, provided the patient’s representative has given informal agreement to the disclosure.

Other provisions restrict transmission of the patient health information electronically under different circumstances.