Introduction
The enactment of HIPAA in 19961 and promulgation of HIPAA Privacy, Security, and Enforcement Rules2 established standards for the use and disclosure of health information. Subsequent legislation required changes to those privacy and security requirements, as well as new and expanded requirements for enforcement (including penalties) and breach notification. Specifically, the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 (HITECH),3 enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA), established legal standards and programs to foster and support the use of interoperable health information technology and health information exchange. To ensure the privacy of protected health information, HITECH modified provisions of the Social Security Act related to the HIPAA rules and required significant changes to strengthen the HIPAA Privacy, Security, and Enforcement Rules themselves. Another recently enacted statute, the Genetic Information Nondiscrimination Act of 2008 (GINA),4 prohibits the use of genetic information by certain health plans for underwriting purposes, which required changes to the HIPAA Privacy Rule to specifically protect genetic information like other protected health information.
On January 17, 2013, the U.S. Department of Health and Human Services (HHS) released the long-awaited omnibus final rule5 including modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules required by the HITECH Act and revisions to the HIPAA Privacy Rule as required by GINA. HHS also used its regulatory authority to make a number of other changes to make the rules consistent with other Departmental regulations.
The omnibus Final Rule includes four separate rulemakings:
- Final rule implementing modifications to the HIPAA Privacy, Security, and Enforcement Rules as required by HITECH that was included in a proposed rule on July 14, 2010.6
- Final rule implementing changes to the HIPAA Enforcement Rule as required by HITECH that was published as an interim final rule on October 30, 2009.7
- Final rule implementing changes to the Breach Notification for Unsecured Protected Health Information as required by HITECH that was published as an interim final rule on August 24, 2009.8
- Final rule modifying the HIPAA Privacy Rule as required by GINA that was published as a proposed rule on October 7, 2009.9
This Final Rule does not address the HITECH accounting for disclosures requirement10 that was addressed in a proposed rule on May 31, 2011.11 HHS indicated that a separate final rule would be released in the future.
The Final Rule will be effective on March 26, 2013. HHS is allowing covered entities and business associates 180 days beyond the effective date to come into compliance with most of the provisions, including the modifications to the Breach Notification Rule and the GINA changes to the HIPAA Privacy Rule. However, this grace period does not apply to the HITECH breach of unsecured protected health information provisions that became effective through the Interim Final Rule on September 23, 2009.
This section-by-section analysis gives a detailed description of the changes made in the Final Rule, as well as significant comments received and HHS’ response. Also available at www.healthinfolaw.com are an overview highlighting the most significant changes and a side-by-side table comparing the proposed and final rules.
Download PDF by clicking here. [Updated April 18, 2016]
Enter the password to open this PDF file:
Footnotes
- 1. Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub. L. No. 104-191, 110 Stat. 1936 (codified as amended in scattered sections of 18, 26, 29, and 42 U.S.C.).
- 2. Standards for Privacy of Individually Identifiable Health Information; Final Rule, 65 Fed. Reg. 82462 (December 28, 2000).
- 3. American Recovery and Reinvestment Act of 2009 (ARRA), Pub. L. No. 111-5 (Feb. 17, 2009), Division A, Title XIII and Division B, Title IV, Health Information Technology for Economic and Clinical Health Act (HITECH Act) (codified at 42 U.S.C. § 17930, et seq).
- 4. The Genetic Information Nondiscrimination Act of 2008 (GINA), Pub. L. No. 110-233, 122 Stat. 881 (2008) (codified in scattered sections of 26, 29, and 42 U.S.C.).
- 5. Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule, 78 Fed. Reg. 5566 (January 25, 2013) (to be codified at 45 CFR pts 160 and 164).
- 6. Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information
- 7. HIPAA Administrative Simplification: Enforcement; Interim Final Rule with Request for
- 8. Breach Notification for Unsecured Protected Health Information; Interim Final Rule with Request for Comments, 74 Fed. Reg. 42740 (August 24, 2009).
- 9. Interim Final Rules Prohibiting Discrimination Based on Genetic Information in Health Insurance
- 10. HITECH Act, § 13405.
- 11. HIPAA Privacy Rule Accounting of Disclosures Under the Health Information Technology for Economic and Clinical Health Act; Notice of Proposed Rulemaking, 76 Fed. Reg. 31426 (proposed May 31, 2011) (to be codified at 45 C.F.R. Part 164).