
Long-Awaited HIPAA Rule Finally Arrives

On January 17, 2013, the Department of Health and Human Services released the long-awaited final rule modifying the Health Insurance Portability and Accountability Act (HIPAA) regulations. The final rule, at 563 pages, is sure to cause a spike in sales of printer toner.

The final rule includes changes mandated by the Health Information Technology for Economic and Clinical Health Act (HITECH) to the HIPAA Privacy, Security, and Enforcement Rules, including:

  • Making business associates directly liable for compliance with select HIPAA Privacy and Security Rule requirements;
  • Increased limitations on the use and disclosure of Protected Health Information (PHI) for marketing and fundraising purposes;
  • Expansion of individual rights to receive health information in electronic form;
  • Expansion of individual rights to restrict disclosure of health information to health plans when the individual has fully paid for the costs of treatment out of pocket;
  • Requiring modifications to, and redistribution of, a covered entity’s notice of privacy practices;
  • Modification to authorization and other requirements to facilitate research and disclosure of immunization information to schools; and
  • Additions to the Enforcement Rule including enforcement of noncompliance with HIPAA Rules due to willful neglect and changes to the civil money penalty.

Breach notification requirements were also modified by the final rule. The final rule removed the “harm standard” found in the interim rule, which limited notification obligations to those breaches that posed significant financial, reputational, or other harm to individuals. Now, under the final rule, any disclosure of protected health information is presumed a “breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised.” As a result, the breach notification threshold has been effectively lowered.

Lastly, the final rule modifies HIPAA as mandated by the Genetic Information Nondiscrimination Act (GINA) to prohibit genetic information from being used in the underwriting process by most health plans.

The final rule is effective on March 26, 2013, with compliance required by September 23, 2013.