HHS unveils final HIPAA omnibus rule
The long-awaited expansion of the Health Insurance Portability and Accountability Act of 1996, unveiled Thursday afternoon by the U.S. Department of Health & Human Services, comprises four final rules, which, according to HHS, "have been combined to reduce the impact and number of times certain compliance activities need to be undertaken by regulated entities."
The four rules that combine to create the omnibus final rule are:
- Modifications to the HIPAA Privacy, Security, and Enforcement Rules mandated by the Health Information Technology for Economic and Clinical Health Act, and certain other modifications to improve the rules, which were issued as a proposed rule on July 14, 2010.
- Changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act, originally published as an interim final rule on Oct. 30, 2009.
- A final rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act, which replaces the breach notification rule's "harm" threshold with a more objective standard and supplants an interim final rule published on Aug. 24, 2009.
- A final rule modifying the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA) to prohibit most health plans from using or disclosing genetic information for underwriting purposes, which was published as a proposed rule on Oct. 7, 2009.
"Much has changed in healthcare since HIPAA was enacted over 15 years ago," HHS Secretary Kathleen Sebelius said in a statement. "The new rule will help protect patient privacy and safeguard patients' health information in an ever-expanding digital age."
According to HHS, contractors, subcontractors and other business associates of healthcare entities that process health insurance claims now will be liable for the protection of private patient information under the updated rule. In addition, monetary penalties for noncompliance with the rule have increased, with a maximum penalty of $1.5 million per violation.
The rule also sets new rules for how patient information can be used for marketing and fundraising purposes, and ensures that such information cannot be sold without a patient's permission.
"This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented," HHS Office for Civil Rights Director Leon Rodriguez said in a statement. "These changes not only greatly enhance a patient's privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates."
The final rule was accepted for review by the Office of Management and Budget last March; at that time, Susan McAndrew, Deputy Director for Health Information Privacy at OCR, described it as moving to its final clearance hurdle. It had been anticipated that the rule would be published last summer.
The new rule will be effective March 26, with a compliance date of Sept. 23.