"Much has changed in healthcare since Health Insurance Portability and Accountability Act of 1996 was enacted more than 15 years ago," Kathleen Sebelius, secretary of the U.S. Department of Health and Human Services, said in a statement.
"The new rule will help protect patient privacy and safeguard patients' health information in an ever-expanding digital age."
HIPAA Privacy and Security Rules have focused on healthcare providers, health plans and other entities that process health insurance claims. The changes expand many of the requirements to business associates of these entities that receive protected health information, such as contractors and subcontractors.
Some of the largest breaches reported to HHS involved these type of business associates. Penalties were increased for non-compliance based on the level of negligence with a maximum penalty of $1.5 million per violation.
Patients can ask for a copy of their electronic medical record in an electronic form. When individuals pay by cash they can instruct their provider not to share information about their treatment with their health plan.
The final omnibus rule sets new limits on how information is used and disclosed for marketing and fundraising purposes, and prohibits the sale of an individual's health information without their permission, Sebelius said.