It's Finally Here: The HIPAA

It's Finally Here: The HIPAA "Mega-Rule"

The long-overdue final HIPAA Mega-Rule (HIPAA Omnibus Rule) was released on Jan 17. The package of regulations will be officially posted on the Federal Register on Jan. 25.

Image: hcp_standard2.jpg

The final omnibus rule will be effective on March 26, but covered entities and business associates have until Sept. 23 to comply.

The new rule package includes:

  • Extensive modifications to the HIPAA privacy, security, and enforcement rules. Among the changes: Applying many security and privacy requirements to business associates and their subcontractors.
  • A final version of the HIPAA breach notification rule. An interim final version has been in effect since September 2009. The new version clarifies requirements for when a breach must be reported to authorities.
  • A rule spelling out that using genetic information for insurance underwriting purposes is a privacy violation under HIPAA, as well as discriminatory under theGenetic Information Genetic Information Non-Discrimination Act (GINA).

The package of regulations greatly enhances a patient's privacy protections, provides individuals new rights to their health information, and strengthens the government's ability to enforce the law.

"Much had changed in healthcare since HIPAA was enacted over 15 years ago," HHS Secretary Kathleen Sebelius noted in a statement. "The new rule will help protect patient privacy and safeguard patients' health information in an ever-expanding digital age."

A proposed version of the HIPAA modifications, which were mandated under the HITECH Act, was published back in 2010. The Office of Management and Budget had been reviewing the latest versions of all the regulations since March 2012.

"The only thing I can say at this stage is that I am excited and pleased that the rule has finally been released," says Deven McGraw, chair of the HIT Policy Committee's Privacy and Security Tiger Team, which advises federal regulators.


New Rule Modifications

The HIPAA privacy, security, and enforcement rule modifications are:

  • Make business associates directly liable for compliance with certain privacy and security rules requirements;
  • Strengthen the limitations on the use and disclosure of protected health information for marketing and fundraising purposes and prohibit the sale of protected health information without individual authorization;
  • Expand individuals' rights to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full;
  • Require modifications to, and redistribution of, a covered entity's notice of privacy practices;
  • Modify individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools and to enable access to decedent information by family members or others;
  • Enhance the enforcement rule, adding provisions addressing enforcement of noncompliance with the HIPAA rules due to willful neglect and incorporating the increased and tiered civil money penalty structure required under the HITECH Act.


Effect on Business Associates

The omnibus final rule specifies that business associates now include health information organizations, e-prescribing gateways, or others that provide data transmission services with respect to protected health information to a covered entity and that require routine access to the health information. A business associate also includes those who offer a personal health record to one or more individuals on behalf of a covered entity.

As for "health information organization," HHS said in its regulations that it has declined to provide a definition. "We recognize that the industry continues to develop, and thus the type of entities that may be considered health information organizations continues to evolve. For this reason, we do not think it prudent to include in the regulation a specific definition at this time. We anticipate continuing to issue guidance in the future on the types of entities that do and do not fall within the definition of a business associate, which can be updated as the industry evolves."


New Updated Training

Because of these significant changes, Healthcare Compliance Pros (HCP) will be updating your training in order for you to be fully compliant with the new HIPAA Omnibus Rule. We will advise you when that new training is ready for you and your employees. Our projected date for the availability of the new training is mid-June 2013.