On January 17, 2013, the U.S. Department of Health and Human Services released final regulations implementing changes to HIPAA mandated by the HITECH Act, as well as updated regulations under the Genetic Information Nondiscrimination Act. This major rulemaking package includes changes to the HIPAA privacy rule, information security rule, data breach notification rule, and enforcement rule. The regulation is effective on March 26, 2013, with a compliance date of September 23, 2013, for both covered entities and business associates.
Features of the regulations include: implementation of the increased penalties required by HITECH, with additional guidance on the impact of intent on penalty amounts; changes to the requirements for a covered entity's Notice of Privacy Practices; changes to the rules for marketing using PHI and restrictions on the sale of PHI; replacement of the "risk of harm" test in the data breach rule with an objective test for breach notification; and implementation of the HITECH Act's business associate requirements, to name just a few. Based on the rule's introductory summary, covered entities and business associates are going to be kept busy complying with the rule's new requirements.