HHS Issues Final HIPAA Omnibus Rule

On January 17, 2013 the U.S. Department of Health and Human Services (HHS) released an omnibus final rule (Final Rule) modifying certain aspects of the Health Insurance Portability and Accountability Act (HIPAA). 

Significant changes contained in the Final Rule include:

  • Protected Health Information (PHI): The Final Rule excludes information related to a person deceased for more than 50 years.
  • Business Associates: The Final Rule makes some of the Privacy and Security rules contained in HIPAA applicable to business associates, including subcontractors, Patient Safety Organizations, Health Information Organizations, e-prescribing Gateways, vendors of Personal Health Records, as well as all entities that create, receive, maintain, or transmit PHI on behalf of a covered entity.
  • Notice of Privacy Practices (NPP): The Final Rule requires covered entities to make modifications to their notice of privacy practices and distribute these revised forms.  The new NPP must include a description of types of uses and disclosures that require an authorization.
  • Patient Rights: Covered entities must provide an individual with access to PHI in the electronic form and format requested by the individual if the PHI in maintained electronically in one or more designated record sets.
  • Marketing: The Final Rule requires authorization for all treatment and healthcare operations communications where the covered entity receives financial remuneration for making the communications for a third party whose product or service is being marketed.  With certain exceptions, HHS will treat as marketing communications “all subsidized communications that market a health-related product or service” and will treat “financial remuneration” to include payments made in exchange for making communications about a product or service. 
  • Sale of Protected Health Information: The Final Rule prohibits covered entities or business associates from receiving direct or indirect remuneration in exchange for the disclosure of PHI, unless they have obtained written authorization from the individual.
  • Access to Protected Health Information:  The Final Rule expands individuals’ right to receive electronic copies of their PHI.
  • Restrictions on Certain Disclosures to Health Plans: The Final Rule restricts disclosures to a health plan for treatment paid by an individual out of pocket in full.
  • Civil Penalties: The Final Rule adopts the HITECH Act’s increasing penalty amounts for violations based on increased levels of culpability associated with each tier.
  • Breach Notification Rule:  The Final Rule modifies the definition of “breach” to include an impermissible use or disclosure of PHI is “presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is low probability that the protected health information has been compromised.”  Covered entities and business associates must demonstrate, through a risk assessment, that there is “low probability” of the PHI having been “compromised.”
  • GINA:  The Final Rule modifies the Privacy Rule under the Genetic Information Nondiscrimination Act (GINA) to prohibit most health plans from using or disclosing genetic information for underwriting.

The Final Rule takes effect on March 26, 2013 and sets a compliance date of September 23, 2013.  The Final Rule includes a one-year extension for covered entities to revise existing business associate agreements, so long as such agreements were entered into and compliant with HIPAA requirements effective January 25, 2013.  If parties do not have an agreement in place that is compliant by that date, they will need to enter into a compliant agreement by September 23, 2013.  All others have until September 23, 2014 to comply.

If you have additional questions about these changes, contact your Trust Fund counsel.

By Conchita Lozano-Batista

Legal Developments