On January 25, 2013, the Office for Civil Rights
("OCR") of the U.S. Department of Health and Human
Services published in the Federal Register a final omnibus
rule ("Final Rule") that revises certain rules
promulgated under the Health Insurance Portability and
Accountability Act of 1996 ("HIPAA"). These revised rules
were issued pursuant to changes enacted by Congress in the Health
Information Technology for Economic and Clinical Health Act
and the Genetic Information Nondiscrimination Act of 2008.
Effective March 23, 2013, the Final Rule revises and finalizes an
interim notice of proposed rulemaking that OCR had published
in 2009, although in many cases the date by which "covered
entities" regulated by HIPAA and their "business
associates," as defined by the Final Rule, must comply with
the new or modified rules will be September 23, 2013 or later. In
some cases, the Final Rule grandfathers arrangements entered into
under the Interim Rule.
Prior to the Interim Rule and the Final Rule, the HIPAA Privacy
and Security Rules focused primarily on health care providers,
health plans, and other entities that process health insurance
claims. The Final Rule now expands many of the HIPAA Privacy and
Security Rule requirements to directly regulate Business Associates
that receive protected health information, including their
subcontractors. Furthermore, penalties have been increased for
noncompliance. The Final Rule also expands the duty to give notice
to individuals when there has been a breach of unsecured protected
health information. We address these changes in this White
Paper.
Click here to view the White
Paper.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.