On January 17, 2013, the Department of Health and Human Services (“HHS”) issued a Final Omnibus Rule modifying the Privacy, Security and Enforcement Rules promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as well as the Breach Notification Rule promulgated pursuant to the Health Information Technology for Economic and Clinical Health Act (the “HITECH” Act) enacted in 2009. The Final Rule comes two and a half years after the proposed rule was published in July 2010.
Some of the major changes to the HIPAA Rules include:
- Applying all of the Security Rule standards and implementation specifications and certain Privacy Rule provisions directly to business associates;
- Adding “subcontractors” to the definition of “business associate” and requiring business associates to enter into written contracts with subcontractors that are substantially similar to business associate agreements;
- Revising the definition of “marketing” in the Privacy Rule to delineate which specific activities constitute marketing of protected health information (“PHI”);
- Requiring covered entities to obtain authorization from an individual for any disclosure of the individual’s PHI in exchange for direct or indirect remuneration (with a few exceptions such as exchanges for public health activities);
- Increasing penalties for noncompliance with the HIPAA Rules;
- Granting individuals enhanced rights to receive electronic copies of their PHI and request restrictions on the disclosure of their PHI;
- Requiring covered entities to change their privacy notices to describe certain uses and disclosures of PHI;
- Modifying the Breach Notification Rule so that an acquisition, access, use, or disclosure of PHI not permitted under the Privacy Rule is presumed to be a breach unless a covered entity or business associate can demonstrate a low probability that the PHI has been compromised based on a four-factor risk assessment; and
- Prohibiting health plans from using or disclosing genetic information for underwriting purposes, as required by the Genetic Information Nondiscrimination Act.
The Final Rule will become effective March 26, 2013, with covered entities and business associates obligated to comply with the new requirements by September 23, 2013. In announcing the Final Rule, HHS Office for Civil Rights (“OCR”) Director Leon Rodriguez stated that the Final Omnibus Rule “marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented” and will assist OCR “to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”