
OCR of HHS FINALLY Issues HIPAA/HITECH Act Privacy, Security, Enforcement, and Breach Notification Modifications Final Rule

January 18, 2013. On January 16, 2013, the Office of Management and Budget (OMB) completed its EO 12866 regulatory review of RIN: 0945-AA03, and the long-awaited, so-called “Omnibus” Final Rule from the Department of Health and Human Services’ Office for Civil Rights (OCR) was released at 4:15 PM on January 17, 2013, in pre-publication final draft form on the Federal Register’s Electronic Public Inspection Desk. Publication in the Federal Register is scheduled for Friday, January 25, 2013. The title of the Final Rule is: 45 CFR Parts 160 and 164: Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules. The effective date of the final rule is March 26, 2013. “Covered entities and business associates must comply with the applicable requirements of this final rule by September 23, 2013.”

HIPAA.com will be providing commentary on the provisions of the “Omnibus” Final Rule on weekdays beginning on January 25, 2013–the day of publication in the Federal Register–and continuing through March 26, 2013–the effective date of the final rule.

Here, we provide from the “Omnibus” Final Rule, the Summary, followed by the Summary of Major Provisions.

Summary. “The Department of Health and Human Services (HHS) is issuing this final rule to: Modify the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Enforcement Rules to implement statutory amendments under the Health Information Technology for Economic and Clinical Health Act (HITECH Act) to strengthen the privacy and security protection for individuals’ health information; modify the rule for Breach Notification for Unsecured Protected Health Information (Breach Notification Rule) under the HITECH Act to address public comment received on the interim final rule; modify the HIPAA Privacy Rule to strengthen the privacy protections for genetic information by implementing section 105 of Title I of the Genetic Information Nondiscrimination Act of 2008 (GINA); and make certain other modifications to the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules (the HIPAA Rules) to improve their workability and effectiveness and to increase flexibility for and decrease burden on the regulated entities.”

Summary of Major Provisions. “This omnibus final rule is comprised of the following four final rules:

1.  Final modifications to the HIPAA Privacy, Security, and Enforcement Rules mandated by the HITECH Act, and certain other modifications to improve the Rules, which were issued as a proposed rule on July 14, 2010.  These modifications:

  • Make business associates of covered entities directly liable for compliance with certain of the HIPAA Privacy and Security Rules’ requirements.
  • Strengthen the limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibit the sale of protected health information without individual authorization.
  • Expand individuals’ rights to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full.
  • Require modifications to, and redistribution of, a covered entity’s notice of privacy practices.
  • Modify the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools, and to enable access to decedent information by family members or others.
  • Adopt the additional HITECH Act enhancements to the Enforcement Rule not previously adopted in the October 30, 2009, interim final rule (referenced in #2 below), such as the provisions addressing enforcement of noncompliance with the HIPAA Rule due to willful neglect.

2.  Final rule adopting changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act, originally published as an interim final rule on October 30, 2009.

3.  Final rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act, which replaces the breach notification rule’s ‘harm’ threshold with a more objective standard and supplants an interim final rule published on August 24, 2009.

4.  Final rule modifying the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA) to prohibit most health plans from using or disclosing genetic information for underwriting purposes, which was published as a proposed rule on October 7, 2009.”

Ed Jones, Author & Healthcare Authority
