Executive Summary -

On January 25, 2013, the Federal Register will publish final omnibus rules written by the U.S. Department of Health and Human Services (HHS) to modify the HIPAA Privacy, Security, Breach Notification and Enforcement Rules. The modifications implement most of the privacy and security provisions of the HITECH Act and relevant provisions of the Genetic Information Nondiscrimination Act. While some of the rule changes are not surprising, others are very impactful and will markedly change the obligations imposed on covered entities, business associates and subcontractors. Some of the more significant provisions are described here, and a comprehensive review of all the key changes is provided in the pdf. Please feel free to contact us with questions.

Important Deadlines -

The compliance deadline for virtually every provision of these rules is September 23, 2013. A longer period is provided where updates to existing business associate and data use agreements are required; those agreements may not need to be updated until September 22, 2014 provided they are not modified or renewed prior to that date.

Breach Notification -

HHS has eliminated the harm threshold that provided notice of a security breach would only be required if the breach posed a significant risk of harm to affected individuals. It has provided instead that any use or disclosure of protected health information (PHI) that is not permitted by the Privacy Rule will be presumed to be a reportable breach. Covered entities and business associates can defeat this presumption by conducting a risk analysis using factors articulated by HHS, but the agency has made clear its expectation that impermissible uses and disclosures of readily accessible PHI will likely be a reportable breach. This change will mean an increase in the number of breaches reported.