The long wait for the HIPAA Final Omnibus Rule is finally over, and it covers a broad range of HIPAA issues, including:
- The Breach Notification Rule;
- The HIPAA Enforcement Rule, implementing changes mandated by the HITECH Act;
- The Privacy and Security Rules, implementing changes mandated by the HITECH Act, as well as other changes to the Privacy Rule proposed in July 2010; and
- The Privacy Rule, implementing changes required by the Genetic Information Nondiscrimination Act.
The final rule does not address the changes proposed in the notice of proposed rulemaking issued in May 2011 that would make changes in the requirements for accounting of disclosures and create the right for an individual to receive an access report.
In its press release, HHS stated that the final rule “greatly enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s ability to enforce the law.” Further, HHS Office for Civil Rights Director Leon Rodriguez said in a press release, “[t]his final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented.” Among other things, the final rule:
- Makes provisions of the Privacy and Security Rules applicable to business associates as well as the subcontractors of those business associates.
- Establishes new limits on how protected health information (“PHI”) can be used for marketing and fundraising. Some of the new provisions differ from those in the proposed rule. Except for refill reminders and similar communications, treatment and health care operations communications for which a covered entity or business associate receives remuneration are considered marketing.
- Prohibits the sale of PHI without authorization (subject to certain exceptions).
- Changes the definition of “breach” for purposes of the Breach Notification Rule. An acquisition, access, use or disclosure of PHI in violation of the Privacy Rule is now presumed to be a breach – requiring notification to the individual, to HHS, and, in some instances, to the media – unless the covered entity or business associate can demonstrate that there is a low probability that the PHI has been compromised based on a risk assessment that must include consideration of certain factors.
- Prohibits most health plans from using or disclosing genetic information for underwriting purposes.
The final rule will be effective on March 26, 2013, and compliance with the new HIPAA provisions will be required by September 23, 2013. Health care providers should spend time analyzing the final rule over the coming months because even though it provides additional time (up to one additional year) for covered entities and business associates to finalize new business associate agreements, many current policies, processes and agreements will need to be revised in order to be compliant with the final rule’s requirements.