On Friday, January 25, 2013, the U.S. Department of Health and Human Services (HHS) published the long-awaited final HIPAA Omnibus Rule, modifying the HIPAA Privacy, Security, Enforcement and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act (HITECH) and the Genetic Information Nondiscrimination Act (GINA). These Rules present numerous changes that will impact covered entities, including health care providers and health plans, and their business associates.

Key Provisions of the New Rules

  • Requires covered entities to revise and redistribute their Notice of Privacy Practices.
  • Changes the definition of "business associate" to include subcontractors. The definition is also changed to explicitly include patient safety organizations (i.e., organizations performing analysis of patient safety events on behalf of covered entities), health information organizations, e-prescribing gateways and other organizations and persons that facilitate data transmission.
  • Changes the definition of "marketing" and the authorization requirements related to marketing communications, prohibiting the sale of protected health information without individual authorization.
  • Expands the rights of individuals to access their health information and request restrictions on how their health information is used or disclosed.
  • Changes the analysis for determining whether notification of a breach of protected health information is required from a "risk of harm" to a "probability of compromise" analysis.
  • Applies the prohibition against the use and disclosure of protected health information that is genetic information for underwriting purposes to all health plans that are covered entities under the HIPAA Privacy Rule, including those to which GINA does not expressly apply, except with regard to issuers of long-term care policies.

Notably missing from the Rule are provisions relating to how covered entities must respond to individuals requesting an accounting of disclosures made through an electronic health record, which was the subject of a separate Notice of Proposed Rulemaking published on May 1, 2011. This topic will be addressed in future rulemaking.

Compliance Date

The effective date for these final Rules is March 26, 2013. However, covered entities and business associates have until September 23, 2013, to comply with applicable provisions. Covered entities may operate under existing Business Associate Agreements until the contract is up for renewal or until September 23, 2014, whichever is earlier.

Proactive Steps to Take

  • Review and revise your HIPAA policies, including but not limited to policies regarding marketing communications and responding to potential breaches of protected health information.
  • Review and revise your Notice of Privacy Practices so that you are ready to post and distribute your new Notice on or before the September deadline.
  • Review your standard Business Associate Agreement and current agreements to determine whether modifications are required.
  • Develop organization-wide strategies to communicate changes to appropriate front-line staff.
  • Review your HIPAA training modules and education materials.