Summary: HHS has announced the “final rule” on HIPAA (effective March 26, 2013) which extends patient rights, imposesHIPAA Compliance more severe penalties for breach, and extends HIPAA compliance to Business Associates and subcontractors.We’ll also discuss the Omnibus Rule and much more.

Beyond the Omnibus Rule, let’s discuss the “Final Rule.”.After 3 years and hundreds of proposals, the Office of Civil Rights (OCR) of the US Department of Health and Human Services (HHS) has released what is referred to as:

  • The Omnibus Rule
  • The Final Rule
  • The Final Act
  • The Mega Rule

The “Final Rule” becomes effective as of March 26, 2013 requiring physicians as well as other covered entities to be in compliance as of Sept 23, 2013. The government has released cost estimates for complying with new forms, documents, contracts, and practices to be somewhere between $114 million and $225 million.

Part 1 dealt with the history of HIPAA and the 4 rules which were finalized and included in the “Final Rule”.

Now that we have run through the history of HIPAA, what does the “Final Rule” mean?

What are the implications of the “Final Rule”?

Extends the requirements of HIPAA to both Business Associates and subcontractors which have access to protected health information and requires the contracts to be modified to include this language

Clarifies definition of “marketing” and establishes the limitations on the use of personal health information for the purpose of marketing as well as fundraising. Marketing is now defined as “making a communication that encourages the purchase or use of a product or service where the covered entity receives financial remuneration from a third party for making the communication”.

Streamlines the process for authorizing the use of health information in regard to research purposes

Makes the process simpler for parents to give permission to share proof of child’s immunizations with a school

Clarifies the risk of harm clause:

  • Proposed – HHS had established a harm standard that “a breach does not occur unless the access, use or disclosure poses a significant risk of financial, reputational, or other harm to an individual.”
  • Final – “Providers should assume that any impermissible disclosure is a breach requiring notification unless they can demonstrate there is low probability that protected information was disclosed”.

Prohibits the sale of a patient’s health information without authorization from the patient

Expands the patient’s rights to request and receive electronic copies of their personal health information and to restrict disclosure of health insurance plans

Requires the modification of privacy practices and the redistribution to individuals of interestHIPAA 5010 and the Omnibus Rule

Enhances the privacy protections of patients

Enhances the government’s ability to enforce the law by increasing penalties per violation up to $1,500,000 and changed the definition of the word “breach”

September 2013 is going to be here before you know it. Will you be HIPAA compliant? 2012 introduced HIPAA 5010 and that was just a prelude to the changes for 2013.

BHM Healthcare Solutions – a healthcare management consulting firm