Don't Get Pinched by New HHS PHI Rules


HHS has released its much-anticipated final omnibus rule about protected health information. The rule addresses privacy and security issues, including defining a business associate and expanding individuals' rights to electronic copies, as well as breach notification considerations.

In late January, the Department of Health and Human Services issued its much-anticipated 563-page final omnibus rule regulating protected health information (PHI). These new regulations finalize many changes previously proposed to the Privacy, Security and Enforcement Rules, and modify the Breach Notification Rule initially adopted in August 2009. In addition, the new regulations extend HIPAA application to business associates.

The new Rules are effective March 26, 2013. All covered entities must comply with the new Rules by September 23, 2013. The main areas addressed include:

Privacy and Security

  • activities that define a business associate, including merely storing or maintaining PHI
  • direct liability of business associates and their subcontractors for compliance failures
  • required modifications to privacy notices
  • expanded rights of individuals to receive electronic copies of their PHI
  • expanded limits on the sale or use of PHI, including for marketing/fundraising purposes

Breach Notification

The rule recognizes that not all HIPAA violations require breach notification. The four primary factors to consider are:

  • the nature and extent of the information released
  • who received the information
  • whether the information was actually viewed by anyone
  • the extent to which the risk was mitigated

Enforcement

Penalties for non-compliance have increased to a maximum of $1.5 million per violation and vary based on the negligence involved.

Genetic Information

The rule also includes enhanced privacy protections for genetic information, in conformity with the Genetic Information Nondiscrimination Act.

Next Steps

Review and update your HIPAA practices and policies, compliance manual and Business Associate Agreements, as well as provide updated training to employees who access or maintain protected health information.

If you have questions about how the omnibus rule affects your business, please contact any of our more than 70 Labor & Employment attorneys located in Birmingham, Alabama; Atlanta, Georgia; Baton Rouge, Mandeville and New Orleans, Louisiana; Jackson, Mississippi; Chattanooga, Johnson City, Knoxville, Memphis and Nashville, Tennessee; and Houston, Texas.

Topics: Business Associates, Data Breach, Data Protection, HHS, HIPAA, HIPAA Omnibus Rule, Notice Requirements, PHI

Published In: Health Updates, Privacy Updates, Science, Computers & Technology Updates

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Baker Donelson | Attorney Advertising
