On Jan. 17, 2013, the Department of Health and Human Services (HHS) released the much-anticipated omnibus final rule pursuant to the Health Information Technology for Economic and Clinical Health Act (HITECH Act) and the Genetic Information Non-Discrimination Act of 2008 (GINA). Our colleagues Kim Kannensohn, Nathan Kottkamp and Amanda Enyeart have particularly deep experience with HIPAA and HITECH issues and have published several pieces on the topic. They recently provided guidance regarding the omnibus final rule, which settles some of the questions that remained open after the publication of the proposed regulations on July 14, 2010.
As our colleagues note, the final rule will be effective on March 26, 2013, and covered entities and business associates must comply with the applicable requirements of the final rule by Sept. 23, 2013. Covered entities and business associates will have up to one year following the compliance date to modify business associate agreements in accordance with the requirements of the final rule.
The final rule addresses the following key topics:
- Privacy Rule and Security Rule:
  - Direct liability of business associates and subcontractors of business associates for compliance with certain provisions of the HIPAA Privacy Rule and the HIPAA Security Rule.
  - Activities that render an entity a business associate, including the mere storage or maintenance of PHI.
  - Required modifications to a covered entity’s notice of privacy practices.
  - Expansion of the rights of individuals to receive electronic copies of their health information, and restriction of disclosures to a health plan for treatment for which the individual has paid out-of-pocket in full.
  - Expansion of the limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibition of the sale of protected health information without individual authorization.
- The Breach Notification Rule: Replacement of the “harm” threshold in the Breach Notification Interim Final Rule with a more objective standard and replacement of the Interim Final Rule in its entirety with the relevant provisions of the omnibus final rule.
- The Enforcement Rule: Incorporation of the tiered civil money penalty structure set forth in the HITECH Act, originally published as an interim final rule on Oct. 30, 2009. Penalties for non-compliance increase with the level of negligence, up to a maximum penalty of $1.5 million per violation.
- Protections for Genetic Information: Enhanced privacy protections for genetic information as required by GINA, which was published as a proposed rule on Oct. 7, 2009.
For additional background on legal issues related to the privacy and security of health information as published by our colleagues, please see these previous articles.