HIPAA omnibus rule deadline for laboratories and business associates

On Jan. 17, 2013, the Department of Health and Human Services (“HHS”) released the Omnibus Final Rule (“Final Rule”), which affects several aspects of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The new rule becomes effective March 26, 2013, and Covered Entities and Business Associates must comply by September 23, 2013.

The Final Rule updates the “Privacy Rule”, “Security Rule” and “Enforcement Rule” and includes the following key changes:

1) Final modifications to the HIPAA Privacy, Security, and Enforcement Rules mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act, and certain other modifications to improve the Rules.

2) Final rule adopting changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure.

3) Final rule on Breach Notification for unsecured Protected Health Information that replaces the “harm” threshold with a default presumption that any acquisition, use, or disclosure that violates the Privacy Rule is a “Breach” unless a risk assessment indicates a “low probability” of compromise.

4) Final rule and definitions modifying the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA).

5) The Final Rule re-defines “health information” to include “genetic information”, meaning that individually identifiable genetic information is Protected Health Information (PHI) for Covered Entities and their Business Associates.

6) New requirements for the Notice of Privacy Practices and restrictions on disclosures of information for services “paid in full” out of pocket.

So what do I need to do?

  1. To comply, you will want to review and update your Notice of Privacy Practices, your Business Associate agreements, and your Breach Assessment procedures.
  2. Conducting a risk assessment is a critical activity. Technical security vulnerability assessments are also useful for prioritizing activities.
  3. Assess each of your vendors’ privacy and security capabilities, and enter into Business Associate agreements with cloud vendors.
  4. Address significant risks of Breach, such as unencrypted laptops.

Tags: HIPAA HITECH