U.S. companies that partner with hospitals and other health providers could face steep fines if they disclose private patient information under a new federal rule proposed on Thursday.
Billing companies, customer service contractors and other businesses regularly handle private health records, but currently, they are not liable for information breaches.
The proposed rule would treat these companies the same as doctors, hospitals and insurance companies that already face penalties for disclosing private information, such as a patient’s medical or payment history.
The maximum civil penalties are $50,000 per violation and $1.5 million a year.
“That means we have much greater ability to keep personal health information safe and secure,” U.S. Health Secretary Kathleen Sebelius said at a news conference.
The Department of Health and Human Services, which issued the rule, also announced it would post summaries of all major breaches online.
“There have been a number of incidents and complaints that we have received over the years that do involve business associates having lost information, or misdirected information, or otherwise mishandled their protected health information,” said Susan McAndrew, deputy director for health information at the HHS Office of Civil Rights.
The move is the latest in a broader effort by the Obama administration to update and streamline the medical records system in the United States.
The changes are authorized under the HITECH Act, a measure included in the 2009 stimulus package to encourage doctors and hospitals to adopt electronic health records. The rule announced on Thursday extends the reach of the Health Insurance Portability and Accountability Act, or HIPAA, which protects patient privacy and sets security standards for electronic health records.
The changes would be “the most sweeping improvements to HIPAA practice and security standards since they went into effect in 2003,” Sebelius said.
Earlier this year, the agency sharply increased the maximum penalties. Previously the maximum amount was $100 per violation and $25,000 a year, Sebelius said.
The health agency will take comments on the proposed rule over the next two months.