On Friday, January 25, 2013, the Office for Civil Rights ("OCR") of the U.S. Department of Health and Human Services ("HHS") published a final rule modifying the HIPAA Privacy, Security, and Enforcement Rules (the "Final Rule") as mandated by the Health Information Technology for Economic and Clinical Health ("HITECH") Act. Many of these modifications were set forth in a Notice of Proposed Rulemaking ("NPRM") dated July 14, 2010, although the Final Rule does not adopt all the proposals as described in the NPRM.
The Final Rule also modifies the Breach Notification Rule, which has been effective as an interim final rule since September 23, 2009. Finally, the Final Rule strengthens privacy protections for certain genetic information under the Genetic Information Nondiscrimination Act ("GINA").
The Final Rule makes significant changes to HIPAA and the potential penalties for violating HIPAA. The Final Rule also expands the scope of HIPAA, meaning that some businesses that were not subject to HIPAA before the Final Rule now have HIPAA compliance obligations and can be subject to enforcement action for noncompliance. Healthcare providers and others in the healthcare industry should be aware of these changes and how they will apply to their particular business.
The Final Rule is effective on March 26, 2013, and Covered Entities and Business Associates must comply with the Final Rule by September 23, 2013.
The subheadings below give a detailed summary of some of the key provisions of the Final Rule: