On Thursday, January 17, 2013, the United States Department of Health and Human Services issued Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health (HITECH) Act and the Genetic Information Nondiscrimination Act. The lengthy 563-page document provides for numerous changes to the original security and privacy requirements of the Health Insurance Portability and Accountability Act of 1996.
The final rule is composed of four final rules combined, HHS states, “to reduce the impact and number of times certain compliance activities need to be undertaken by the regulated entities.”
A summary of each is as follows:
1. Final modifications to the HIPAA Privacy, Security, and Enforcement Rules mandated by the HITECH Act including:
• Makes business associates of covered entities directly liable for compliance with certain of the HIPAA Privacy and Security Rules’ requirements
• Strengthens the limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibits the sale of protected health information without individual authorization
• Expands individuals’ rights to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full
• Requires modifications to, and redistribution of, a covered entity’s notice of privacy practices
• Modifies the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools, and to enable access to decedent information by family members or others.
• Adopts the additional HITECH Act enhancements to the Enforcement Rule
2. Final rule adopting changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act
3. Final rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act, which replaces the breach notification rule’s “harm” threshold with a more objective standard and supplants
4. Final rule modifying the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA) to prohibit most health plans from using or disclosing genetic information for underwriting purposes, which was published as a proposed rule on Oct. 7, 2009.
The modifications will be effective March 26, 2013, and covered entities and business associates have until September 23, 2013 to comply with the requirements of the new rule.
The release of this omnibus rule is the most sweeping change since the original HIPAA Security and Privacy requirements. It places greater security requirements not only on covered entities but also on business associates, with the intent of ensuring privacy protections for patients as the healthcare industry moves toward ever greater use of electronic health record technologies.