HIPAA Omnibus Rule Released: Contains Long-Overdue Rule Modifications
The long-overdue final HIPAA omnibus rule was posted on the Federal Register public inspection desk Jan. 17. The package of regulations will be officially published in the Federal Register on Jan. 25.
The final omnibus rule will be effective on March 26, but covered entities and business associates have until Sept. 23 to comply.
The 563-page package includes:
- Extensive modifications to the HIPAA privacy, security and enforcement rules. Among the changes: applying many security and privacy requirements to business associates and their subcontractors.
- A final version of the HIPAA breach notification rule. An interim final version has been in effect since September 2009. The new version clarifies requirements for when a breach must be reported to authorities.
- A rule spelling out that using genetic information for insurance underwriting purposes is a privacy violation under HIPAA, as well as discriminatory under the Genetic Information Non-Discrimination Act.
The package of regulations greatly enhances a patient's privacy protections, provides individuals new rights to their health information and strengthens the government's ability to enforce the law, HHS said in a statement about the omnibus package.
"Much has changed in healthcare since HIPAA was enacted over 15 years ago," HHS Secretary Kathleen Sebelius noted in the statement. "The new rule will help protect patient privacy and safeguard patients' health information in an ever-expanding digital age."
A proposed version of the HIPAA modifications, which were mandated under the HITECH Act, was published back in 2010. The Office of Management and Budget had been reviewing the latest versions of all the regulations since March 2012.
"The only thing I can say at this stage is that I am excited and pleased that the rule has finally been released," says Deven McGraw, chair of the HIT Policy Committee's Privacy and Security Tiger Team, which advises federal regulators.
The HIPAA privacy, security and enforcement rule modifications:
- Make business associates directly liable for compliance with certain privacy and security rules requirements;
- Strengthen the limitations on the use and disclosure of protected health information for marketing and fundraising purposes and prohibit the sale of protected health information without individual authorization;
- Expand individuals' rights to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full;
- Require modifications to, and redistribution of, a covered entity's notice of privacy practices;
- Modify individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools and to enable access to decedent information by family members or others;
- Enhance the enforcement rule, adding provisions addressing enforcement of noncompliance with the HIPAA rules due to willful neglect and incorporating the increased and tiered civil money penalty structure required under the HITECH Act.
The omnibus final rule specifies that business associates now include health information organizations, e-prescribing gateways or others that provide data transmission services with respect to protected health information to a covered entity and that require routine access to the health information. A business associate also includes those who offer a personal health record to one or more individuals on behalf of a covered entity.
As for "health information organization," HHS said in its regulations that it has declined to provide a definition. "We recognize that the industry continues to develop, and thus the type of entities that may be considered health information organizations continues to evolve. For this reason, we do not think it prudent to include in the regulation a specific definition at this time. We anticipate continuing to issue guidance in the future on our website on the types of entities that do and do not fall within the definition of business associate, which can be updated as the industry evolves."

Howard Anderson, Information Security Media Group's news editor, contributed to this story.