
Medical Privacy: the Final Final Rule

In March, at long last, the US Department of Health and Human Services released a final Omnibus Rule on privacy and security of personal health information. Some have labeled the Rule a “sweeping reform,” but, in fact, it largely just replaces and finalizes prior “interim” final rules and proposed rules. But there are some important changes you should know about.

The final Omnibus Rule enhances privacy and security of personal health information under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act. Business attorneys beware: the final rule implements many important changes that will impact more business entities than ever. For example, a key provision makes business associates of health care organizations, such as contractors and subcontractors, subject to HIPAA privacy and security requirements. Health care organizations and their business associates must modify their contracts to comply.

Other notable changes include:

  • An expanded definition of business associate;
  • Increased penalties for security breaches of up to $1.5 million per violation;
  • Clarification of when a health care provider must give notice of a security breach (the former “harm” threshold has been replaced with a more objective standard);
  • Prohibitions on health plans using genetic information for underwriting purposes;
  • Expanded patients’ rights to request electronic copies of their medical records;
  • The ability of patients who pay cash to request that their treatment information not be shared with their health plans;
  • More stringent limits on using patient information for marketing and fundraising;
  • Streamlining of a patient’s ability to authorize use of health information for research; and
  • Provisions making it easier for a parent to share proof of a child’s immunization with schools.

The HIPAA Omnibus Rule was effective as of March 26, 2013, but most covered entities and business associates have until September 26, 2013, to comply with it.

The Department of Health and Human Services has provided some 500 pages of helpful commentary (.pdf) in the Federal Register that explain, interpret, and clarify the new rules. For practitioners sorting out the new rules, this guidance should be invaluable.

To stay on top of all the legal issues around business and consumer information privacy, data security, and health information privacy, turn to CEB’s Privacy Compliance and Litigation in California.


© The Regents of the University of California, 2013. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited.
