HHS Releases HIPAA Privacy, Security, Enforcement, and Breach Notification Rules

Date posted: February 15, 2013

The Department of Health and Human Services (HHS) recently released the Health Insurance Portability and Accountability Act (HIPAA) final rule. Notably, the rule modifies the HIPAA Privacy, Security, and Enforcement rules under the Health Information Technology for Economic and Clinical Health (HITECH) Act. The rule also integrates the increased and tiered civil money penalty arrangement of the HITECH Act and replaces the breach notification rule’s “harm” threshold with a more objective standard. HHS also strengthens privacy protections for genetic information under the HIPAA Privacy Rule.

According to the final rule, HHS implements modifications to the HIPAA Rules that include the following:

  • Requires business associates of covered entities to comply with certain provisions of the HIPAA Privacy and Security Rules;
  • Expands individuals’ rights to receive electronic copies of their health information; and
  • Restricts health plan disclosures for treatment for patients who have paid out of pocket.

The final rule will take effect on March 26. Covered entities and business associates must comply with the applicable provisions of the rule by September 23.

The HHS news release on the new HIPAA rule is available at:
http://www.hhs.gov/news/press/2013pres/01/20130117b.html.

The final rule is available at:
http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf.


Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other modifications to HIPAA Rules, 78 Fed. Reg. 17, 5566, 5566 (January 25, 2013).

Centers for Medicare & Medicaid Services. “New Rule Protects Patient Privacy, Secures Health Information.” News Release. 17 Jan. 2013.
