HIPAA/HITECH Omnibus Final Rule Makes Sweeping Changes
The 563-page final omnibus Health Insurance Portability and Accountability Act (HIPAA) rule, published in January, makes a long list of significant changes to existing regulations. These include, among others:
- Modification to the standard for reporting breaches of unsecured personal health information (PHI).
- Extension of HHS enforcement authority over business associates.
- Expansion of the definition of the term business associate to include Health Information Organizations, E-prescribing Gateways, entities that provide data transmission services for PHI and that require routine access to such PHI, and personal health record vendors.
- Modifications to the requirements for business associate agreements.
- New obligations for business associates to enter into business associate agreements with their own subcontractors.
- Removal of limitations on the liability of covered entities for the acts and omissions of business associates.
- Changes to the requirements for notices of privacy practices.
- New limitations on the sale of PHI.
- New limitations on and clarifications concerning the use and disclosure of PHI for marketing.
- Relaxation of certain limitations on the use of PHI for fundraising.
- Improvement to the regulations concerning authorizations for the use or disclosure of PHI for research.
The deadline for complying with the amended HIPAA regulations is September 23, 2013, except for provisions related to the requirements for business associate agreements and to arrangements relating to the sale of PHI. Those specific provisions allow existing agreements in effect prior to January 25, 2013, to continue through September 22, 2014, unless modified or amended within one year before that date.
To review the final rule in depth, published at 78 Fed. Reg. 5566 (Omnibus Rule), visit FederalRegister.gov.