
Side-by-Side Table: Comparing HIPAA Regulations to the Proposed and Final Rules

A Side-by-Side Table Comparing the Administrative Simplification Regulations to the Changes in the Proposed, Interim Final, and Final Omnibus Rules Implementing HITECH, GINA, and PSQIA

Download full table as PDF here.

Background

The 1996 HIPAA statute required the Secretary of the U.S. Department of Health and Human Services (HHS) to publish regulations implementing HIPAA’s Administrative Simplification provisions. From 2000 through 2004, the Secretary released five regulations (the Administrative Simplification regulations, or “Rules”), satisfying this requirement.[1] HHS’ Office of Civil Rights (OCR) oversees compliance with the Security and Privacy Rules, while HHS’ Centers for Medicare & Medicaid Services (CMS) oversees compliance with the Transactions and Code Sets and Unique Identifiers Rules. Both OCR and CMS conduct their oversight in accordance with the provisions of the Enforcement Rule.

Several laws have modified or expanded the original HIPAA requirements, necessitating changes to all five Rules. HITECH (of 2009) required changes to the Privacy, Security, and Enforcement Rules, and mandated the adoption of a sixth Rule – the Breach Notification Rule – to be overseen by OCR in accordance with the HITECH-modified provisions of the Enforcement Rule. GINA (of 2008) and PSQIA (of 2005) also made changes to the Privacy Rule. To comply with these requirements, the Secretary issued four separate rulemakings in 2009 and 2010 that made the changes required by HITECH, GINA, and PSQIA:

  • Interim Final Rule issued on August 24, 2009 creating the Breach Notification Rule as required by HITECH.
  • Proposed Rule issued on October 7, 2009 modifying the Privacy Rule as required by GINA.
  • Interim Final Rule issued on October 30, 2009 modifying the Enforcement Rule as required by HITECH.
  • Proposed Rule issued on July 14, 2010 implementing the PSQIA requirement and the remaining HITECH requirements, modifying the Privacy, Security and Enforcement Rules.

On January 17, 2013, HHS released a Final Omnibus Rulemaking finalizing amendment of several sections of the Privacy, Security, Breach Notification and Enforcement Rules in accordance with these four rulemakings. The Final Rule will be effective on March 26, 2013; covered entities must be in compliance with the updated provisions as modified by the Final Rule by September 23, 2013.

This side-by-side table compares every provision of the Proposed/Interim Final Rules with the relevant sections of the HIPAA Administrative Simplification regulations as they originally existed, and with the updated provisions of the Final Omnibus Rule. Also available at healthinfolaw.com are an overview highlighting the most significant differences between the proposed and final rules and a section-by-section analysis giving a detailed description of both the proposed and finalized changes, as well as relevant comments received and HHS’ response.

Table of Contents

1.) The Privacy Rule (Part 164, Subpart E)

Download Privacy Rule table as a PDF here.

  • § 164.500 – Applicability
  • § 164.501 – Definitions (health care operations, marketing, underwriting purposes, payment)
  • § 164.502 – Uses and disclosures of protected health information: general rules
  • § 164.504 – Uses and disclosures: Organizational requirements
  • § 164.506 – Uses and disclosures to carry out treatment, payment, or health care operations
  • § 164.508 – Uses and disclosures for which authorization is required
  • § 164.510 – Uses and disclosures requiring an opportunity for the individual to agree or to object
  • § 164.512 – Uses and disclosures for which an authorization or opportunity to agree or object is not required
  • § 164.514 – Other requirements relating to uses and disclosures of protected health information
  • § 164.520 – Notice of privacy practices for protected health information
  • § 164.522 – Rights to request privacy protection for protected health information
  • § 164.524 – Access of individuals to protected health information
  • § 164.530 – Administrative requirements
  • § 164.532 – Transition provisions

2.) The Security Rule (Part 164, Subpart C)

Download Security Rule table as a PDF here.

  • § 164.302 – Applicability
  • § 164.304 – Definitions
  • § 164.306 – Security standards: General rules
  • § 164.308 – Administrative safeguards
  • § 164.310 – Physical safeguards
  • § 164.312 – Technical safeguards
  • § 164.314 – Organizational requirements
  • § 164.316 – Policies and procedures and documentation requirements

3.) The Breach Notification Rule (Part 164, Subpart D)

Download Breach Notification Rule table as a PDF here.

  • § 164.400 – Applicability
  • § 164.402 – Definitions (breach, unsecured protected health information)
  • § 164.404 – Notification to individuals
  • § 164.406 – Notification to the media
  • § 164.408 – Notification to the Secretary
  • § 164.410 – Notification by a business associate
  • § 164.412 – Law enforcement delay
  • § 164.414 – Administrative requirements and burden of proof

4.) The Enforcement Rule (Part 160, Subparts C, D, and E)

Download Enforcement Rule table as a PDF here.

  • § 160.300 – Applicability
  • § 160.304 – Principles for achieving compliance
  • § 160.306 – Complaints to the Secretary
  • § 160.308 – Compliance reviews
  • § 160.310 – Responsibilities of covered entities
  • § 160.312 – Secretarial action regarding complaints and compliance reviews
  • § 160.316 – Refraining from intimidation or retaliation
  • § 160.401 – Definitions
  • § 160.402 – Basis for a civil money penalty
  • § 160.404 – Amount of a civil money penalty
  • § 160.406 – Violations of an identical requirement or prohibition
  • § 160.408 – Factors considered in determining the amount of a civil money penalty
  • § 160.410 – Affirmative defenses
  • § 160.418 – Penalty not exclusive
  • § 160.420 – Notice of proposed determination
  • § 160.534 – The hearing

5.) General Administrative Requirements Applicable to Subchapter C (All Six Rules) (Part 160, Subpart A)

Download General Administrative Requirements table as a PDF here.

  • § 160.101 – Statutory basis and purpose
  • § 160.102 – Applicability
  • § 160.103 – Definitions (business associate, subcontractor, protected health information, State, electronic media, health information, genetic information, genetic test, genetic services, family member, manifestation or manifested)
  • § 160.105 – Compliance dates for implementation of new or modified standards and implementation specifications

6.) General Provisions Applicable to Part 164 (the Security, Breach Notification, and Privacy Rules) (Part 164, Subpart A)

Download General Provisions Applicable to Part 164 table as a PDF here.

  • § 164.102 – Statutory basis
  • § 164.103 – Definitions (law enforcement official)
  • § 164.104 – Applicability
  • § 164.105 – Organizational requirements
  • § 164.106 – Relationship to other parts

7.) State Preemption Requirements Applicable to Subchapter C (All Six Rules) (Part 160, Subpart B)

Download State Preemption Requirements table as a PDF here.

  • § 160.201 – Applicability
  • § 160.202 – Definitions (contrary, more stringent)

Footnotes

  [1] Note that the Secretary has modified and re-issued the Privacy Rule, the Transactions and Code Sets Rule, and the Enforcement Rule since the original publication of each Rule in light of feedback received from industry stakeholders; the last such modification was on January 16, 2009, to the Transactions and Code Sets Rule.