January 25, 2013. The Final Rule is published, at last! The rule, titled “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule,” cleared the Office of Management and Budget on January 16, was issued online on the Federal Register’s Electronic Public Inspection Desk in pre-publication format on January 17, and was published in the Federal Register today. The Final Rule is 136 pages (pp. 5566-5702). The effective date of the Final Rule is Tuesday, March 26, 2013, and the compliance date is Monday, September 23, 2013.
Here is the Final Rule Summary:
“The Department of Health and Human Services (HHS) is issuing this final rule to: Modify the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Enforcement Rules to implement statutory amendments under the Health Information Technology for Economic and Clinical Health Act (HITECH Act) to strengthen the privacy and security protection for individuals’ health information; modify the rule for Breach Notification for Unsecured Protected Health Information (Breach Notification Rule) under the HITECH Act to address public comment received on the interim final rule; modify the HIPAA Privacy Rule to strengthen the privacy protections for genetic information by implementing section 105 of Title I of the Genetic Information Nondiscrimination Act of 2008 (GINA); and make certain other modifications to the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules (the HIPAA Rules) to improve their workability and effectiveness and to increase flexibility for and decrease burden on the regulated entities.”
Beginning Monday, January 28, and each weekday through the effective date, March 26, HIPAA.com will post on some aspect of the Final Rule. On Monday, the discussion will focus on the change in the definition of breach and the change from a “harm standard” to a “probability standard” pertaining to breach notification.