FINALLY! HHS Releases the Final HIPAA/HITECH Omnibus Rule.
Finally, the long-awaited Final Rules are out. The Department of Health and Human Services (HHS) posted the HIPAA/HITECH "Omnibus Rule" on January 17, 2013 at 4:15 pm. You can download a copy here, or go straight to the source at: www.federalregister.gov/public-inspection. HHS also posted a Press Release, which you can review here. The "official" version of the Final Rules is scheduled to be published in the Federal Register on January 25, 2013.
The Final Rules are effective on March 26, 2013, and covered entities and business associates must comply by September 23, 2013.
The Omnibus Rule consists of four final rules:
- Final modifications to the HIPAA Privacy, Security, and Enforcement Rules mandated by the HITECH Act, and certain other modifications to improve the Rules, which were issued as a proposed rule on July 14, 2010. These modifications include:
  - Make business associates of covered entities directly liable for compliance with certain of the HIPAA Privacy and Security Rules’ requirements;
  - Strengthen the limitations on the use and disclosure of PHI for marketing and fundraising purposes, and prohibit the sale of PHI without individual authorization;
  - Expand individuals’ rights to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full;
  - Require modifications to, and redistribution of, a covered entity’s NPP;
  - Modify the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools, and to enable access to decedent information by family members or others;
  - Adopt the additional HITECH Act enhancements to the Enforcement Rule not previously adopted in the October 30, 2009, interim final rule (referenced immediately below), such as the provisions addressing enforcement of noncompliance with the HIPAA Rules due to willful neglect;
- Final Rule adopting changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act, originally published as an interim final rule on October 30, 2009;
- Final Rule on Breach Notification for Unsecured PHI, which replaces the breach notification rule’s “harm” threshold with a more objective standard and supplants an interim final rule published on August 24, 2009;
- Final Rule modifying the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA) to prohibit most health plans from using or disclosing genetic information for underwriting purposes, which was published as a proposed rule on October 7, 2009.
Over the next several days, we will digest and analyze the impact of the changes in the Final Rules and will post summaries by topic on Legal HIE, so check back often. Find out what the final verdict is on the "harm" threshold for Breach determinations; what final changes you will need to make to your Notice of Privacy Practices; how access to decedents' information has changed; changes to releasing immunization records; new protections for genetic information; and much more.
Also, final updates to all of our HIPAA HITECH-Helpbooks reflecting all Final Rule changes will be completed very soon. If you are interested in additional information about our Helpbooks, please email me at firstname.lastname@example.org.