Summary: HHS has announced the “final rule” on HIPAA (effective March 26, 2013) which extends patient rights, imposes more severe penalties for breach, and extends HIPAA compliance to Business Associates and subcontractors.
After 3 years and hundreds of proposals, the Office for Civil Rights (OCR) of the US Department of Health and Human Services (HHS) has released what is variously referred to as:
- The Omnibus Rule
- The Final Rule
- The Final Act
- The Mega Rule
The “Final Rule” becomes effective as of March 26, 2013, requiring physicians as well as other covered entities to be in compliance as of Sept 23, 2013. The government estimates the cost of complying with new forms, documents, contracts, and practices to be somewhere between $114 million and $225 million.
History of HIPAA
1996 – HIPAA Enacted
- Published NPRM transactions
- Published code sets
- Published national employer identifier
- Published security
- 60 day comment period for Privacy Standards which was extended
- Transaction and code sets final rule published
- Privacy final rule published
- CMH announced the adoption of EIN as the standard unique identifier for employers in the filing and processing of health care claims
- Final modifications to the Privacy Rule published
- Modifications to transactions and code sets regulation and implementation guide addenda published
- Privacy compliance deadline
- Interim final rule on civil money penalties procedures published
- Interim final rule on electronic submission of Medicare claims published
- Set expected date for transaction and code sets for small health plans and covered entities that filed a compliance plan to delay implementation
2004 – Standard unique employer identifier compliance deadline
2005 – Security compliance deadline
2007 – National provider identifier compliance deadline
2008 – National provider identifier compliance deadline for small health plans and the end of NPI contingency period
2012 – HIPAA 5010 compliance date
- ICD-10 compliance expected
- HIPAA Final Rule
Quotes on the “Final Rule”
OCR Director Leon Rodriguez, J.D. said the final rule “marked the most sweeping changes to the HIPAA privacy and security rule since they were first implemented. These changes not only greatly enhance a patient’s privacy rights and protections but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider or one of their business associates.”
The “Final Rule” is appropriately named as it brings finality to four different rules which were previously proposed.
Finalizes 4 separate rule makings:
- Modifications to the HIPAA Privacy, Security, and Enforcement Rules mandated by the Health Information Technology for Economic and Clinical Health Act, and certain other modifications to improve the rules, which were issued as a proposed rule on July 14, 2010.
- Changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act, originally published as an interim final rule on October 30, 2009.
- A final rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act, which replaces the breach notification rule’s “harm” threshold with a more objective standard and supplants an interim final rule published August 24, 2009.
- A final rule modifying the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA) to prohibit most health plans from using or disclosing genetic information for underwriting purposes, which was published as a proposed rule on October 7, 2009.
Part 2 will explain the implications of the “Final Rule”.
BHM Healthcare Solutions – a healthcare management consulting firm.