Author: Christine Zoccola
Sweeping changes to the HIPAA Privacy and Security Rules were announced on January 17, 2013. The long-awaited final omnibus rule issued by the U.S. Department of Health and Human Services implements changes mandated by the Health Information Technology for Economic and Clinical Health Act (HITECH), as well as adopts additional modifications. The rule contains four final rules covering an expansive range of topics.
Some of these “sweeping changes” include the following:
• The final rule extends many of the HIPAA privacy and security requirements to business associates of covered entities. Business associates will be directly liable for complying with many of the HIPAA Privacy and Security Rule provisions and with data breach notification obligations.
• The final rule replaces the “significant harm” standard for reporting data breaches with a new standard.  The final rule requires notification of a breach in all situations except those in which the covered entity or business associate, as applicable, demonstrates through a risk assessment that there is a low probability that the protected health information has been compromised (or there is an exception that applies).
• The final rule expands enforcement provisions.
• The final rule strengthens privacy protection for genetic information as required by the Genetic Information Nondiscrimination Act of 2008.
• The final rule makes it easier for covered entities to release immunization records to schools.
• The final rule sets new limits on the use and disclosure of protected health information for marketing and fundraising.
Covered entities and business associates must be in compliance with this new rule by September 23, 2013. There is a transition period to allow more time for existing business associate agreements to be updated. Covered entities and business associates (and business associates and business associate subcontractors) have an additional one year, until September 22, 2014, to update their existing business associate agreements.
Given the newly released final omnibus rule, coupled with the significant spike in enforcement activities during the past two years, now is the time to consider updating current HIPAA plans.
Please contact Christine Zoccola or Jim Hamilton at Bose McKinney & Evans for additional information.