The long wait for the HIPAA/HITECH Act Omnibus Final Rule is finally over. It went on display at the Office of the Federal Register late on Thursday, January 17, 2013, and will be published in the January 25, 2013 edition of the Federal Register.
As anticipated, the Omnibus Final Rule contains modifications to:
- The Breach Notification Rule.
- The HIPAA Enforcement Rule, implementing changes mandated by the HITECH Act.
- The Privacy and Security Rules, implementing changes mandated by the HITECH Act, as well as other changes to the Privacy Rule proposed in July 2010.
- The Privacy Rule, implementing changes required by the Genetic Information Nondiscrimination Act.
The Omnibus Final Rule does not address the changes proposed in the notice of proposed rulemaking issued in May 2011 that would make changes in the requirements for accounting of disclosures and create the right for an individual to receive an access report.
Among other things, the Omnibus Final Rule:
- Makes provisions of the Privacy and Security Rules applicable to covered entities’ business associates, as well as the subcontractors of those business associates.
- Establishes new limits on how protected health information (PHI) can be used for marketing and fundraising. Some of the new provisions differ from the provisions in the proposed rule. Except for refill reminders and similar communications, treatment and health care operations communications for which a covered entity or business associate receives remuneration are considered marketing.
- Prohibits the sale of protected health information without authorization (subject to certain exceptions).
- Changes the definition of “breach” for purposes of the Breach Notification Rule. An acquisition, access, use or disclosure of PHI in violation of the Privacy Rule is now presumed to be a breach – requiring notification to the individual, to HHS, and, in some instances, to the media – unless the covered entity or business associate can demonstrate that there is a low probability that the PHI has been compromised based on a risk assessment that must include consideration of certain factors.
- Prohibits most health plans from using or disclosing genetic information for underwriting purposes.
The final rule will be effective on March 26, 2013, and compliance with the new HIPAA provisions will be required by September 23, 2013. There are also provisions which provide additional time – up to one additional year – for covered entities and business associates to finalize business associate agreements that are compliant with the new requirements in certain circumstances.
Until published in the Federal Register, the Omnibus Final Rule can be accessed here.
Stay tuned for further updates.
Written by Paula Stannard, Counsel | Alston & Bird LLP