The final omnibus rule published on Jan. 25, 2013 to modify the HIPAA privacy, security, breach notification and enforcement rules, as well as the Genetic Information Nondiscrimination Act, became effective on March 26.

However, the compliance date for the rule is September 23, 2013. Organizations have one year from the compliance date--and 18 months from today--to modify business associate agreements to match new requirements.

The final rule significantly strengthens the chain of responsibility to protect health information among covered entities, business associates and subcontractors. The rule makes business associates and subcontractors comply with HIPAA rules in the same manner covered entities must; making BAs and subcontractors directly liable for HIPAA violations--even if a BA failed to enter into a formal contract with a subcontractor--and making covered entities and business associates legally liable for the acts of their business associates. The BA for a business associate would be a subcontractor. The BA--not the covered entity--is responsible for having a subcontractor appropriately safeguard information, but the covered entity is responsible for the BA’s actions.

Another major change is in the breach notification rule, where the “harm threshold,” a subjective measure of determining whether a breach has or could cause significant harm to one or more individuals, has been replaced with a more objective risk assessment process to determine if protected information has been compromised.

Other provisions in the final rule include:

* Setting four-tier financial penalty structure for breaches deemed serious enough to warrant a federal-imposed penalty. Based on culpability, fines range from $100 to $50,000 per violation with a $1.5 million cap on violations of an identical provision within a calendar year.

* Expanding the definition of business associates to include patient safety organizations, health information organizations, e-prescribing gateways,  providers of data transmission services for protected health information to a covered entity and requiring routine access to PHI, or personal health record vendors offering PHRs to individuals on behalf of a covered entity. PHRs offered directly only to individuals are not covered.

* Clarifying that PHI stored in photocopiers, faxes and other office equipment that retain data, whether intentionally or not, is subject to the privacy and security rules, and PHI should be wiped before a device is removed from the office.

* Applying to business associates the minimum necessary standard when using or disclosing PHI, or when requesting PHI from another covered entity or business associate.

* Enabling patients to ask for a copy of their electronic medical record in an electronic form, with fees charged not greater than labor costs.

* Enabling patients paying with cash to instruct providers to not make information about their treatment available to insurers. Separate or segregated records are not required, but some type of flag or other notification of restrictions in the record are necessary.

* Enabling patients to easily opt out of receiving fundraising and marketing solicitations.

* Prohibiting the sale of an individuals’ health information without their express consent, with exemptions when the information is used for public health activities or research purposes.

The final rule, published Jan. 25, is available here.

Register or login for access to this item and much more

All Health Data Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access