After years of waiting, the Federal Department of Health and Human Services released last week what has come to be called the HIPAA Omnibus Rule. “The new rule will help protect patient privacy and safeguard patients’ health information in an ever expanding digital age,” said HHS Secretary Kathleen Sebelius. “This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented,” said HHS Ofice for civil Rights Director Leon Rodriguez. They “strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections.” The rule combines changes from the ARRA/HITECH Act, adjustments to the Breach Notification Rule, and the Genetic Information Nondiscrimination Act of 2008.
Features of the new rule include:
- More objective criteria for breach notifications
- Direct application of the HIPAA rules to Business Associates and the entire chain of subcontractors they may use
- Business Associate Agreements contract changes
- Notice of Privacy Practices changes which will require redistribution of these notices to all patients/members
- Fundraising and Marketing rule changes
- Additional obligations of providers to provide patients electronic access to records
- Prohibitions on the sale of protected health information
- Significant changes to the enforcement and penalty provisions
- Numerous minor changes
The biggest impact of these rules is likely to be the new obligations and liability of Business Associates. Previously, Business Associates’ liability consisted solely of their contractual obligations to their clients. Now, they are directly regulated by the HIPAA regulations and obligated to comply with major portions of the rules and are subject to the stiff civil and criminal penalties of the rule. All providers will need to update policies and procedures and make adjustments based on these new policies.
The effective date of the rules will be July 24, 2013, that is, 180 days after the official publication of the rules scheduled for January 25, 2013. Watch for further posts as each of these areas will be explored in more detail.
