HHS has released its much-anticipated final omnibus rule about protected health information. The rule addresses privacy and security issues, including defining "business associate" and expanding individuals' rights to electronic copies, as well as breach notification considerations.
In late January, the Department of Health and Human Services issued its much-anticipated 563-page final omnibus rule regulating protected health information (PHI). These new regulations finalize many changes previously proposed to the Privacy, Security and Enforcement Rules, and modify the Breach Notification Rule initially adopted in August 2009. In addition, the new regulations extend HIPAA's requirements directly to business associates.
The new Rules are effective March 26, 2013. All covered entities must comply with the new Rules by September 23, 2013. The main areas addressed include:
Privacy and Security
- Activities that define a business associate, including merely storing or maintaining PHI.
- Direct liability of business associates and their subcontractors for compliance failures.
- Required modifications to privacy notices.
- Expanded rights of individuals to receive electronic copies of their PHI.
- Expanded limits on the sale or use of PHI, including for marketing/fundraising purposes.
Breach Notification
The rule recognizes that not all HIPAA violations require breach notification. The four primary factors to consider are:
- The nature and extent of the information released.
- Who received the information.
- Whether the information was actually viewed by anyone.
- The extent to which the risk was mitigated.
Enforcement
Penalties for non-compliance have increased to a maximum of $1.5 million per violation and vary based on the negligence involved.
Genetic Information
The rule also includes enhanced privacy protections for genetic information, in conformity with the Genetic Information Nondiscrimination Act.
Next Steps
Review and update your HIPAA practices and policies, compliance manual and Business Associate Agreements, and provide updated training to employees who access or maintain protected health information.
If you have questions about how the omnibus rule affects your business, please contact any of our more than 70 Labor & Employment attorneys located in Birmingham, Alabama; Atlanta, Georgia; Baton Rouge, Mandeville and New Orleans, Louisiana; Jackson, Mississippi; Chattanooga, Johnson City, Knoxville, Memphis and Nashville, Tennessee; and Houston, Texas.