The Final Rule HIPAA (Omnibus Rule, Final Act, Mega Rule) Part 1

Summary: HHS has announced the “final rule” on HIPAA (effective March 26, 2013) which extends patient rights, imposes more severe penalties for breach, and extends HIPAA compliance to Business Associates and subcontractors.

After 3 years and hundreds of proposals, the Office of Civil Rights (OCR) of the US Department of Health and Human Services (HHS) has released what is referred to as:

The Omnibus Rule
The Final Rule
The Final Act
The Mega Rule

The Rule becomes effective as of March 26, 2013 requiring physicians as well as other covered entities to be in compliance as of Sept 23, 2013. The government has released cost estimates for complying with new forms, documents, contracts, and practices to be somewhere between $114 million and $225 million.

History of HIPAA

1996 – HIPAA Enacted

1998

Published NRPM transactions
Published code sets
Published national employer identifier
Published security

1999 –Clinton Administration announced proposed rules on Privacy Standards for Individually identifiable health information, which was published in the Federal Register

2000

60 day comment period for Privacy Standards which was extended
Transaction and code sets final rule published
Privacy final rule published

2002

CMH announced the adoption of EIN as the standard unique identifier for employers in the filing and processing of health care claims
Final modifications to the Privacy Rule published

2003

Modifications to transactions and code sets regulation and implementation guide addenda published
Privacy compliance deadline
Interim final rule on civil money penalties procedures published
Interim final rule on electronic submission of Medicare claims published
Set expected date for transaction and code sets for small health plans and covered entities that filed a compliance plan to delay implementation

2004 – standard unique employer identifier compliance deadline

2005 – security compliance deadline

2007 – national provider identifier compliance deadline

2008 – national provider identifier compliance deadline for small health plans and the end of NPI contingency period

2012 – HIPAA 5010 compliance date

2013

ICD-10 compliance expected
HIPAA Final Rule

Quotes on the Rule itself

Secretary Kathleen Sebelius – “The new rule will help protect patient privacy and safeguard patients’ health information in an ever-expanding digital age.”

OCR Director Leon Rodriguez, J.D. said the final rule “marked the most sweeping changes to the HIPAA privacy and security rule since they were first implemented. These changes not only greatly enhance a patient’s privacy rights and protections but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider or one of their business associates.”

The Rule is appropriately named as it brings finality to four different rules which were previously proposed.

Finalizes 4 separate rule makings:

Modifications to the HIPAA Privacy, Security, and Enforcement Rules mandated by the Health Information Technology for Economic and Clinical Health Act, and certain other modifications to improve the rules, which were issued as a proposed rule on July 14, 2010.
Changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act, originally published as an interim final rule on October 30, 2009.
A final rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act, which replaces the breach notification rules “harm” threshold with a more objective standard and supplants an interim final rule published August, 24, 2009.
A rule modifying the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA) to prohibit most health plans from using or disclosing genetic information for underwriting purposes, which was published as a proposed rule on October 7, 2009.