On January 25, 2013 the U.S. Department of Health and Human Services (HHS) issued a Final Omnibus Rule (“Final Rule”) to modify and expand aspects of the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Enforcement and Breach Notification for Unsecured Protected Health Information Rules.
The Final Rule comprises the following key components:
- Modifications to the HIPAA Privacy, Security, and Enforcement Rules as mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act.
- Modifications to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act.
- Breach Notification for Unsecured Protected Health Information under the HITECH Act, which replaces the breach notification rule's "harm" threshold with a more objective standard.
- Modifications to the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA) to prohibit most health plans from using or disclosing genetic information for underwriting purposes.
Covered entities and business associates will need to make changes to their operations and prepare to update HIPAA policies and privacy notices, communicate with business associates, and train staff. The Final Rule becomes effective on March 26, 2013; HIPAA-covered entities and business associates will need to comply with the changes by September 23, 2013.
Key Highlights of the Final Rule
- Notice of Privacy Practices
Covered entities are required to revise their Notice of Privacy Practices (NPP) to include notifications of the use and disclosure of protected health information, breach notification, and options for opting out of communications. The revised notice must be made available to existing patients upon request, posted on the provider’s website (if applicable) and in a prominent location on the premises. New patients must be provided with a copy of the revised notice. NPPs may be distributed to individuals electronically.
- Immunization Record Authorization
If state law requires a school to have an immunization record, a covered entity may obtain and document a one-time written or oral agreement from the parent or guardian that will release student immunization records to a school and will remain effective unless revoked.
- Business Associates
Business associates2 are considered covered entities and held separately and directly liable, both civilly and criminally, for violations of the HIPAA Security Rule and HIPAA Privacy Rule and for unauthorized uses and disclosures in accordance with their business associate contracts. Furthermore, covered entities that work with business associates must have contracts or other arrangements in place to ensure that the business associates are safeguarding protected health information and are following HIPAA Rules.
- Marketing and Fundraising
The use of protected health information (PHI) for marketing or fundraising purposes is limited under the Final Rule, and the sale of PHI without individual authorization is prohibited.
- Securing Protected Health Information
Covered entities and business associates must comply with the HIPAA Security Rule. In order to be compliant with the law and to avoid penalties, covered entities are required to assess the risk for unsecured PHI to become compromised. This risk assessment includes a review to ensure that the proper limits on access of PHI, based on job role and function, are in place. Also, covered entities and business associates must review and modify security measures as needed to ensure the protection of electronic PHI and update documentation of such security measures accordingly. The best practice is to properly secure, encrypt, and destroy PHI whenever possible.
- Tiered Penalty Structure
A tiered penalty structure with increased penalties for violations of HIPAA provisions has been introduced. The structure includes four levels of violation, each of which can result in civil money penalties. The most serious penalties are designated for HIPAA-covered entities and business associates who willfully neglect the rules and do not implement corrections in a timely manner. Penalties range from $100 to $50,000 per violation and are capped at $1,500,000 per calendar year for identical violations.
- Patient Access to Records
Patients have the right to request copies of their health information in any format and, if it is readily producible in such form or format, are entitled to receive the copy within 30 days of written request. Practices may charge for labor and supplies and may request a one-time 30-day extension in writing. Physicians may send PHI in unencrypted emails only if the requesting individual is advised of the risk and still requests that form of transmission.
- Disclosure of Information to Health Plans
The disclosure of PHI to the health plan for treatments that have been paid out of pocket in full is prohibited. Also, the Final Rule clarifies that genetic information is PHI and that it may not be shared with health plans for underwriting purposes.
1 Covered entities are health care providers who conduct covered health care transactions electronically, health plans, and health care clearinghouses. Organizations or people who perform functions or activities on behalf of or for a covered entity that involve the use or disclosure of protected health information are considered “business associates.”
2 Business associates include patient safety organizations, health information organizations (HIOs), e-prescribing gateways, and other persons who facilitate data transmission, as well as vendors of personal health records. These categories are defined by routine access to protected health information and do not extend to entities that merely transmit data and access it only on a random or infrequent basis. Contracts or similar arrangements with business associates are necessary; a covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information only when the contract or arrangement has appropriately established that protected health information will be safeguarded.
In addition, a subcontractor, “a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate,” is also considered a business associate when he or she creates, receives, maintains, or transmits protected health information on behalf of the business associate and, therefore, must comply with the HIPAA privacy and security rules. Business associates, not covered entities, are required to ensure satisfactory compliance via the use of a contract or other arrangement with the subcontractor.
Source: Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule. Federal Register. 2013;78(17):5565-5702.
Disclaimer: This information is general in scope and educational in nature. It is not intended as legal advice. If you require legal advice, contact an attorney.
The recommendations in this publication do not indicate an exclusive course of treatment or serve as a standard of medical care. Variations, taking into account individual circumstances, may be appropriate. This content is for informational purposes only. It is not intended to constitute financial or legal advice. A financial advisor or attorney should be consulted if financial or legal advice is desired.