HHS Releases Final Rule on HIPAA Privacy, Security, and Enforcement Regulations

The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) issued a 563-page omnibus final rule last Thursday, updating the Health Insurance Portability and Accountability Act (HIPAA) privacy, security, and enforcement regulations, as required by the Health Information Technology for Economic and Clinical Health Act (part of the American Recovery and Reinvestment Act of 2009 (ARRA)). Notably, the rule extends direct liability for violations of HIPAA and underlying contractual arrangements to business associates, including contractors and subcontractors of covered entities (providers, health plans, and clearinghouses). The rule also outlines noncompliance penalties, which vary depending on the level of negligence and are capped at $1.5 million, and expands patient rights, including providing improved access to electronic medical records and enabling patients to limit the disclosure of information related to out-of-pocket payments for treatments. Modifications to the breach notification requirements and changes required by the Genetic Information Nondiscrimination Act of 2008 are also included.

The final rule becomes effective on March 26, 2013. HIPAA-covered entities and business associates must be in compliance with the new regulations by September 23, 2013.

A detailed summary and analysis of the final rule will be posted on healthinfolaw.org soon.


The public inspection version of the rule can be accessed here: https://s3.amazonaws.com/public-inspection.federalregister.gov/2013-01073.pdf

The final rule will be officially published in the Federal Register on January 25, 2013 (see the OFR site here: http://www.gpo.gov/fdsys/browse/collection.action?collectionCode=FR).