09-24-2013
In January 2013, the U.S. Department of Health & Human Services issued a HIPAA Omnibus Rule that implemented a number of provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act. The final rule aims to strengthen the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
September 23, 2013 marked the first day on which health care organizations and their business associates must be in compliance with the HIPAA Omnibus Rule.
Important Dates
- January 25, 2013 – Final Omnibus Rule Published in Federal Register
- March 26, 2013 – Effective Date
- September 23, 2013 – Compliance Date
- Up to September 22, 2014 – Transition Period to Conform Business Associate Contracts
Summary of Changes
- Expands many of the requirements to business associates of entities that receive protected health information, such as contractors and subcontractors.
- Increases penalties for noncompliance based on the level of negligence, with a maximum penalty of $1.5 million per violation.
- Strengthens HITECH Breach Notification requirements by clarifying when breaches of unsecured health information must be reported to HHS.
- Breach notifications will now be expected unless a business associate can demonstrate a low probability that personal health information (PHI) has been compromised based on risk assessment.
- Allows patients to ask for a copy of their electronic medical record in an electronic form.
- Allows individuals who pay by cash to instruct their provider not to share information about their treatment with their health plan.
- Sets new limits on how information is used and disclosed for marketing and fundraising purposes and prohibits the sale of an individual’s PHI without their permission.
- Streamlines individuals’ ability to authorize the use of their PHI for research purposes.
- Makes it easier for parents and others to give permission to share proof of a child’s immunization with a school.
- Gives covered entities and business associates up to one year after the compliance date to modify contracts to comply with the rule.
Resources