Don't Get Pinched by New HHS PHI Rules


HHS has released its much-anticipated final omnibus rule about protected health information. The rule addresses privacy and security issues, including defining a business associate and expanding individuals' rights to electronic copies, as well as breach notification considerations.

In late January, the Department of Health and Human Services issued its much-anticipated 563-page final omnibus rule regulating protected health information (PHI). These new regulations finalize many changes previously proposed to the Privacy, Security and Enforcement Rules, and modify the Breach Notification Rule initially adopted in August 2009. In addition, the new regulations extend HIPAA application to business associates.

The new Rules are effective March 26, 2013. All covered entities must comply with the new Rules by September 23, 2013. The main areas addressed include:

Privacy and Security

  • activities that define a business associate, including merely storing or maintaining PHI
  • direct liability of business associates and their subcontractors for compliance failures
  • required modifications to privacy notices
  • expanded rights of individuals to receive electronic copies of their PHI
  • expanded limits on the sale or use of PHI, including for marketing/fundraising purposes

Breach Notification

The rule recognizes that not all HIPAA violations require breach notification. The four primary factors to consider are:

  • the nature and extent of the information released
  • who received the information
  • whether the information was actually viewed by anyone
  • the extent to which the risk was mitigated


Penalties for non-compliance have increased to a maximum of $1.5 million per violation and vary based on the negligence involved.

Genetic Information

The rule also includes enhanced privacy protections for genetic information, in conformity with the Genetic Information Nondiscrimination Act.

Next Steps

Review and update your HIPAA practices and policies, compliance manual and Business Associate Agreements, and provide updated training to employees who access or maintain protected health information.

If you have questions about how the omnibus rule affects your business, please contact any of our more than 70 Labor & Employment attorneys located in Birmingham, Alabama; Atlanta, Georgia; Baton Rouge, Mandeville and New Orleans, Louisiana; Jackson, Mississippi; Chattanooga, Johnson City, Knoxville, Memphis and Nashville, Tennessee; and Houston, Texas.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Baker Donelson | Attorney Advertising
