Thursday, January 31, 2013

New HIPAA/HHS Privacy Final Rule

On January 17, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) released the long-awaited omnibus final rule on HIPAA regulations. This Final Rule modifies certain aspects of the Privacy Rule, the Security Rule, and the Enforcement Rule under the Health Insurance Portability and Accountability Act (HIPAA) and the Breach Notification for Unsecured Protected Health Information Rule (Breach Notification Rule) under the Health Information Technology for Economic and Clinical Health Act (HITECH Act).

Phew. We know that's a lot to process. You probably need to read over that information a couple of times before you even understand what it means. But then, we haven’t even said what it means yet. Why? Because we are not yet entirely sure of that ourselves either. The Final Rule document is about 600 pages of complex information. So bear with us – we can’t give you a one-page summary yet. But we want to tell you not to worry; not that much has changed.

Before we say anything else, we want you to know that the general deadline for compliance is September 23, 2013. 

Here is a quick little summary of what we have been able to ascertain so far:

Breach Notification
The previous privacy rule had a harm threshold, which stated that notice of a security breach is only required if the breach poses a significant risk of harm to the affected individuals. Under the new Final Rule, any use or disclosure of protected health information (PHI) that isn’t permitted by the Privacy Rule will be recognized as a reportable breach.

Business Associates
The Final Rule now makes many of the obligations of the HIPAA Privacy and Security Rules directly applicable to business associates and their subcontractors. This means that business associate agreements will most likely need to be updated.

Privacy Requirements
There are many privacy issues that relate to the uses and disclosures of PHI. Some of the areas include communications for marketing or fundraising, exchanging PHI for payment, disclosures of PHI to people involved in a patient's care or payment for care, and disclosures of student immunization records. Furthermore, individuals now have new rights to restrict certain disclosures of PHI to health plans and to request access to electronic PHI (ePHI).

Genetic Information
In conjunction with the Genetic Information Nondiscrimination Act, HHS has included “genetic information” as a type of health information that will be subject to HIPAA rules. There will be new restrictions that will prohibit health plans from using genetic information for financial purposes.
---

These are just very short summaries of only a few of the important aspects of this new Final Rule. We did, however, find a great resource created by Poyner Spruill Law Firm that we would love to share with you. And we will try to keep you updated with information about the Final Rule whenever possible!




