January 24, 2013

HHS Releases Long-Awaited Omnibus HIPAA Rule

Addressing the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act (HIPAA) of 1996, the Department of Health and Human Services (HHS) released a final rule last week that enhances patients' privacy protections, gives individuals new rights to their health information and strengthens the government's ability to enforce the law. The changes in the final rule give patients increased protection over, and control of, their personal health information. While the current HIPAA Privacy and Security Rules have focused on health care providers, health plans and clearinghouses, the new changes extend many of the requirements to business associates of these entities that receive protected health information. The rule provides up to one year after the 180-day compliance date for covered entities and their business associates to modify existing contracts to comply with the final rule.

Penalties for noncompliance are increased and tiered by the level of negligence, with a maximum penalty of $1.5 million per violation. The changes also strengthen the Health Information Technology for Economic and Clinical Health (HITECH) breach notification requirements by clarifying when breaches of unsecured health information must be reported to HHS. The rule removes the proposed "harm standard," which would have triggered notification only when protected health information was lost or misused, and replaces it with a four-part standard for determining the probability that the information was compromised. Entities are required to conduct a risk assessment following a breach that examines, at a minimum, the following factors:

  • The nature and extent of the protected health information (PHI) involved, including the types of identifiers and the likelihood of re-identification;

  • The unauthorized person who used the protected health information or to whom the disclosure was made;

  • Whether the protected health information was actually acquired or viewed; and

  • The extent to which the risk to the protected health information has been mitigated.

The final rule allows patients to ask for a copy of their electronic medical record in electronic form. When they pay cash for services, patients can ask their provider not to share information about their treatment with their health plan. The rule also sets new limits on how information is used and disclosed for marketing and fundraising purposes and prohibits the sale of an individual's health information without that individual's permission.

The final rule also reduces administrative burden by streamlining individuals' ability to authorize the use of their health information for research purposes, and it makes it easier for parents and others to give permission to share proof of a child's immunization with a school.

The final rule will be published in the Jan. 25 Federal Register and is effective March 26. Covered entities and business associates have until Sept. 23, 2013, to comply with its provisions.