In March, at long last, the US Department of Health and Human Services released a final Omnibus Rule on privacy and security of personal health information. Some have labeled the Rule a “sweeping reform,” but, in fact, it largely just replaces and finalizes prior “interim” final rules and proposed rules. Still, it contains some important changes you should know about.
The final Omnibus Rule enhances privacy and security of personal health information under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act. Business attorneys beware: the final rule implements many important changes that will impact more business entities than ever. For example, a key provision makes business associates of health care organizations, such as contractors and subcontractors, subject to HIPAA privacy and security requirements. Health care organizations and their business associates must modify their contracts to comply.
Other notable changes include:
- An expanded definition of business associate;
- Increased penalties for security breaches of up to $1.5 million per violation;
- Clarification of when a health care provider must give notice of a security breach (the former “harm” threshold has been replaced with a more objective standard);
- Prohibitions on health plans using genetic information for underwriting purposes;
- Expanded patients’ rights to request electronic copies of their medical records;
- The ability of patients who pay cash to request that their treatment information not be shared with their health plans;
- More stringent limits on using patient information for marketing and fundraising;
- Streamlining of a patient’s ability to authorize use of health information for research; and
- Provisions making it easier for a parent to share proof of a child’s immunization with schools.
The HIPAA Omnibus Rule was effective as of March 26, 2013, but most covered entities and business associates have until September 26, 2013, to comply with it.
The Department of Health and Human Services has provided some 500 pages of helpful commentary in the Federal Register that explain, interpret, and clarify the new rules. For practitioners sorting out the new rules, this guidance should be invaluable.
To stay on top of all the legal issues around business and consumer information privacy, data security, and health information privacy, turn to CEB’s Privacy Compliance and Litigation in California.
© The Regents of the University of California, 2013. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited.