The HIPAA Omnibus Final Rule: Expansive Changes to the HIPAA Privacy and Security Rules


In what has been referred to by the Health and Human Services ("HHS") Office for Civil Rights Director as "the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented," the HIPAA Omnibus Final Rule (the "Final Rule") was issued by HHS on January 17, 2013 and the deadline for compliance with most of its requirements is September 23, 2013.

The Final Rule, among other things, strengthens patients' privacy protections, provides individuals with additional rights to their health information and enhances governmental enforcement for breaches and violations. Some of the changes include allowing patients to obtain their electronic medical records in electronic form, as well as giving patients the ability to instruct providers not to share treatment information with health plans when services are paid for in cash. In addition, the Final Rule prohibits the sale of individual health information without permission, and sets additional limits on how patient information is used and disclosed for marketing and fundraising purposes. Since some of the largest breaches of the HIPAA Privacy and Security Rules have involved business associates, the Final Rule expands the definition of "business associate" to include subcontractors of business associates, imposes direct liability on business associates with regard to such subcontractors, and mandates additional requirements for business associate agreements. In addition, the Final Rule clarifies that genetic information is protected under the HIPAA Privacy Rule and prohibits its disclosure for underwriting purposes. With regard to enforcement, the requirements governing the standard for notice of breach to HHS are amended, and increased penalties of up to $1.5 million per violation are imposed for noncompliance.

The Health Care attorneys at Abrams Fensterman are experienced in all aspects of HIPAA compliance and enforcement. Please contact us at 516-328-2300, so that we may assist you with your HIPAA privacy and security needs.
