Highlights of the Final Omnibus HIPAA Rule

Background

On January 17, 2013, the U.S. Department of Health and Human Services (HHS) released the long-awaited omnibus Final Rule1 including modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules required by the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH)2 and revisions to the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act of 2008 (GINA).3  HHS also used its regulatory authority to make additional changes to make the rules consistent with other Departmental regulations. 

Since the passage of HIPAA in 19964 and promulgation of the HIPAA Privacy, Security, and Enforcement Rules,5 there has been significant legislative activity affecting how health information may be used and disclosed, including changes to the privacy and security requirements as well as expanded and new requirements for the enforcement process (including penalties) and breach notification.  Specifically, the HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA),6 is designed to foster and support the use of interoperable health information technology and health information exchange.  To ensure the privacy of protected health information, HITECH modified provisions of the Social Security Act related to the HIPAA rules and required significant changes to strengthen the HIPAA Privacy, Security, and Enforcement Rules themselves.  It also included new notification requirements for breaches of unsecured protected health information.  Also since the promulgation of the original HIPAA rules, GINA was enacted to prohibit the use of genetic information by certain health plans for underwriting purposes and required changes to the HIPAA Privacy Rule to specifically protect genetic information like other protected health information. 

The omnibus Final Rule includes four separate rulemakings:

1. Final rule implementing modifications to the HIPAA Privacy, Security, and Enforcement Rules as required by HITECH that were  included in a proposed rule on July 14, 2010.7
2. Final rule implementing changes to the HIPAA Enforcement Rule as required by HITECH that was published as an Interim Final Rule on October 30, 2009.8
3. Final rule implementing changes to the Breach Notification for Unsecured Protected Health Information Rule as required by HITECH that was published as an Interim Final Rule on August 24, 2009.9
4. Final rule modifying the HIPAA Privacy Rule as required by GINA that was published as a proposed rule on October 7, 2009.10

This Final Rule does not address the HITECH accounting for disclosures requirement11 that was addressed in a proposed rule on May 31, 2011.12  HHS indicated that a separate final rulemaking will be released in the future.

The Final Rule will be effective on March 26, 2013.  HHS is allowing covered entities and business associates 180 days beyond the effective date to come into compliance with most of the provisions, including the modifications to the Breach Notification Rule and the GINA changes to the HIPAA Privacy Rule.  However, this grace period does not apply to the HITECH breach of unsecured protected health information provisions that became effective through the Interim Final Rule on September 23, 2009.

This overview highlights key changes of the four prior rulemakings in this Final Rule.  A longer, more comprehensive analysis will be released shortly. 

Download the full Overview as a PDF