Omnibus HIPAA rule updates privacy and security measures
January 25, 2013
The Department of Health and Human Services’ Office for Civil Rights (OCR) recently released a final “omnibus” rule that updates several provisions in “Health Insurance Portability and Accountability Act” (HIPAA) regulations, as mandated by the “Health Information Technology for Economic and Clinical Health Act” (HITECH).
The 563-page rule replaces the interim rule’s harm threshold on breach notification with a more objective standard. It also requires business associates to comply with specific HIPAA privacy and security requirements, and imposes direct liability for their noncompliance with these regulatory standards. In addition, the rule incorporates the increased and tiered civil money penalty structure provided by the HITECH Act; makes changes to the use and disclosure of protected health information in certain circumstances; and prohibits most health plans from using or disclosing genetic information for underwriting purposes, as required by the “Genetic Information Nondiscrimination Act.”
The final rule takes effect March 26; however, covered entities and their business associates generally will have until Sept. 23 to comply with most of the rule’s provisions, including the changes to the breach notification requirements.