HIPAA: The Final Rule


Summary: HHS has announced the “final rule” on HIPAA (effective March 26, 2013) which extends patient rights, imposes more severe penalties for breach, and extends HIPAA compliance to Business Associates and subcontractors.

After 3 years and hundreds of proposals, the Office of Civil Rights (OCR) of the US Department of Health and Human Services (HHS) has released what is referred to as:

  • The Omnibus Rule
  • The Final Rule
  • The Final Act
  • The Mega Rule

The Rule becomes effective as of March 26, 2013, requiring physicians as well as other covered entities to be in compliance as of Sept 23, 2013. The government estimates the cost of complying with new forms, documents, contracts, and practices at somewhere between $114 million and $225 million.

History of HIPAA

1996 – HIPAA Enacted


  • Published NRPM transactions
  • Published code sets
  • Published national employer identifier
  • Published security

1999 – Clinton Administration announced proposed rules on Privacy Standards for individually identifiable health information, which were published in the Federal Register


  • 60 day comment period for Privacy Standards which was extended
  • Transaction and code sets final rule published
  • Privacy final rule published


  • CMH announced the adoption of EIN as the standard unique identifier for employers in the filing and processing of health care claims
  • Final modifications to the Privacy Rule published


  • Modifications to transactions and code sets regulation and implementation guide addenda published
  • Privacy compliance deadline
  • Interim final rule on civil money penalties procedures published
  • Interim final rule on electronic submission of Medicare claims published
  • Set expected date for transaction and code sets for small health plans and covered entities that filed a compliance plan to delay implementation

2004 – standard unique employer identifier compliance deadline

2005 – security compliance deadline

2007 – national provider identifier compliance deadline

2008 – national provider identifier compliance deadline for small health plans and the end of NPI contingency period

2012 – HIPAA 5010 compliance date


  • ICD-10 compliance expected
  • HIPAA Final Rule

Quotes on the Rule itself


Secretary Kathleen Sebelius – “The new rule will help protect patient privacy and safeguard patients’ health information in an ever-expanding digital age.”

OCR Director Leon Rodriguez, J.D. said the final rule “marked the most sweeping changes to the HIPAA privacy and security rule since they were first implemented. These changes not only greatly enhance a patient’s privacy rights and protections but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider or one of their business associates.”

The Rule is appropriately named as it brings finality to four different rules which were previously proposed.

Finalizes 4 separate rule makings:

  • Modifications to the HIPAA Privacy, Security, and Enforcement Rules mandated by the Health Information Technology for Economic and Clinical Health Act, and certain other modifications to improve the rules, which were issued as a proposed rule on July 14, 2010.
  • Changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act, originally published as an interim final rule on October 30, 2009.
  • A final rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act, which replaces the breach notification rule's “harm” threshold with a more objective standard and supplants an interim final rule published August 24, 2009.
  • A rule modifying the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA) to prohibit most health plans from using or disclosing genetic information for underwriting purposes, which was published as a proposed rule on October 7, 2009.

Part 2 will explain the implications of this rule

BHM Healthcare Solutions – a healthcare management consulting firm.