HHS Releases Long-Awaited HIPAA Final Rule

On Jan. 17, 2013, the Department of Health and Human Services (HHS) released the long-awaited omnibus final rule pursuant to the Health Information Technology for Economic and Clinical Health Act (HITECH Act) and the Genetic Information Non-Discrimination Act of 2008 (GINA). The omnibus final rule settles some of the questions that remained open after the publication of the proposed regulations on July 14, 2010.

The final rule will be effective on March 26, 2013 and covered entities and business associates must comply with the applicable requirements of the final rule by Sept. 23, 2013. Covered entities and business associates will have up to one year following the compliance date to modify business associate agreements in accordance with the requirements of the final rule.

The final rule addresses the following key topics:

1. Privacy Rule and Security Rule:
   1. Direct liability of business associates and subcontractors of business associates for compliance with certain provisions of the HIPAA Privacy Rule and the HIPAA Security Rule.
   2. Activities that render an entity a business associate, including the mere storage or maintenance of PHI.
   3. Required modifications to a covered entity’s notice of privacy practices.
   4. Expansion of the rights of individuals to receive electronic copies of their health information and restriction of disclosures to a health plan for treatment for which the individual has paid out-of-pocket in full.
   5. Expansion of the limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibition of the sale of protected health information without individual authorization.
2. The Breach Notification Rule: Replacement of the “harm” threshold in the Breach Notification Interim Final Rule with a more objective standard and replacement of the Interim Final Rule in its entirety with the relevant provisions of the omnibus final rule.
3. The Enforcement Rule: Incorporation of the tiered civil money penalty structure set forth in the HITECH Act, originally published as an interim final rule on Oct. 30, 2009. Penalties are increased for non-compliance based upon the level of negligence, with a maximum penalty of $1.5 million per violation.
4. Protections for Genetic Information: Enhanced privacy protections for genetic information as required by GINA, which was published as a proposed rule on Oct. 7, 2009.

In a press release, Leon Rodriquez, the Director of the Office for Civil Rights of HHS stated that the final omnibus rule “marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented. These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”

In subsequent articles over the coming weeks, we will provide more in-depth discussion of the omnibus final rule and how the changes will affect covered entities and their business associates.

For additional background on legal issues related to the privacy and security of health information, please see our previous articles.