New Era for Privacy Compliance: Overview of the HIPAA "Final Rule"
On January 25, 2013, the Office for Civil Rights ("OCR") of the U.S. Department of Health and Human Services published in the Federal Register a final omnibus rule (the "Final Rule") that revises certain rules promulgated under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). These revised rules implement changes enacted by Congress in the Health Information Technology for Economic and Clinical Health Act of 2009 and the Genetic Information Nondiscrimination Act of 2008. Effective March 26, 2013, the Final Rule revises and finalizes the interim final rule that OCR published in 2009 (the "Interim Rule"), although in many cases the date by which "covered entities" regulated by HIPAA and their "business associates," as defined by the Final Rule, must comply with the new or modified rules is September 23, 2013 or later. In some cases, the Final Rule grandfathers arrangements entered into under the Interim Rule.
Prior to the Interim Rule and the Final Rule, the HIPAA Privacy and Security Rules focused primarily on health care providers, health plans, and other entities that process health insurance claims. The Final Rule now expands many of the HIPAA Privacy and Security Rule requirements to directly regulate Business Associates that receive protected health information, including their subcontractors. Furthermore, penalties have been increased for noncompliance. The Final Rule also expands the duty to give notice to individuals when there has been a breach of unsecured protected health information. We address these changes in this White Paper.