HHS Finalizes Comprehensive Modifications to HIPAA Regulations in Omnibus Final Rule


On Thursday, January 17, 2013, the Department of Health and Human Services Office for Civil Rights (“HHS”) released in pre-publication form the rule commonly known as the “HIPAA Omnibus Rule,” which we refer to below as the “Final Rule.”

As summarized in a prior alert, on July 14, 2010, HHS published its notice of proposed rulemaking (“NPRM”) entitled “Modifications to the HIPAA Privacy, Security, and Enforcement Rules under the Health Information Technology for Economic and Clinical Health Act” (“HITECH”). Further, as summarized in another alert, on August 24, 2009, HHS published its Interim Final Breach Notification Rule (the “Interim Breach Rule”). This Final Rule, to be published in the Federal Register tomorrow, finalizes (i) changes in the NPRM, with some modifications, (ii) changes in the Interim Breach Rule, with some modifications, and (iii) the changes previously proposed to HIPAA under the Genetic Information Nondiscrimination Act (“GINA”).

The Final Rule will be effective on March 26, 2013. Covered entities and business associates must comply with the Final Rule within 180 days, or by September 23, 2013. HHS has provided a longer compliance timeframe for certain other requirements, such as required changes to business associate agreements. All modifications to the Enforcement Rule, which governs the compliance responsibilities of covered entities during the enforcement process, will be effective on March 26, 2013.

Please see full alert below for more information.

LOADING PDF: If there are any problems, click here to download the file.

Written by:


Ropes & Gray LLP on:

Popular Topics
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:

Sign up to create your digest using LinkedIn*

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.

Already signed up? Log in here

*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.