The US Department of Health and Human Services (HHS) has moved to strengthen the existing law that protects patients’ health information.

The government wants to give more bite, particularly in the areas of privacy and security protection, to the current Health Insurance Portability and Accountability Act (HIPAA) legislation.

HIPAA, which was passed in 1996, governs how healthcare professionals use communications technology, including email, voice and SMS, to transfer patient data.

The current law covers healthcare providers, health plans and other entities that process insurance claims.

However, the changes will extend the law to the business associates of such entities, an area where HIPAA breaches have occurred in the past. Parties now covered by the law include telehealth providers and electronic health record companies.

The extension of the law comes into effect in March but the healthcare sector has until September this year to comply with it.

HHS has also increased the penalties for non-compliance with the law, with a maximum penalty of $1.5 million per violation.

Thanks to the changes, patients can ask for a copy of their electronic medical record in an electronic format. Also, when individuals make a health-related payment in cash, they can instruct their health provider not to share information about their treatment with their insurer.

The final omnibus rule sets new limits on how information is used and disclosed for marketing and fundraising. It also prohibits the sale of information without a patient’s permission.

The proposals were described as “the most sweeping changes” to HIPAA since it was first implemented by Leon Rodriguez, the director of the HHS Office for Civil Rights.