The Department of Health and Human Services' Office for Civil Rights yesterday released a final "omnibus" rule that updates several provisions in Health Insurance Portability and Accountability Act regulations, as mandated by the Health Information Technology for Economic and Clinical Health Act. The rule replaces the harm threshold from the interim rule on breach notification with a more objective standard. It also requires business associates to comply with specific HIPAA privacy and security requirements, and imposes direct liability for their noncompliance with these regulatory standards. In addition, the rule incorporates the increased and tiered civil money penalty structure provided by the HITECH Act; makes changes to the use and disclosure of protected health information in certain circumstances; and prohibits most health plans from using or disclosing genetic information for underwriting purposes, as required by the Genetic Information Nondiscrimination Act. The final rule takes effect March 26; however, covered entities and their business associates generally will have until Sept. 23 to comply with most of the rule's provisions, including the changes to the breach notification requirements. AHA members today received a Special Bulletin with more information.