HHS Finalizes Comprehensive Modifications to HIPAA Regulations in Omnibus Final Rule


On Thursday, January 17, 2013, the Department of Health and Human Services Office for Civil Rights (“HHS”) released in pre-publication form the rule commonly known as the “HIPAA Omnibus Rule,” which we refer to below as the “Final Rule.”

As summarized in a prior alert, on July 14, 2010, HHS published its notice of proposed rulemaking (“NPRM”) entitled “Modifications to the HIPAA Privacy, Security, and Enforcement Rules under the Health Information Technology for Economic and Clinical Health Act” (“HITECH”). Further, as summarized in another alert, on August 24, 2009, HHS published its Interim Final Breach Notification Rule (the “Interim Breach Rule”). This Final Rule, to be published in the Federal Register tomorrow, finalizes (i) changes in the NPRM, with some modifications, (ii) changes in the Interim Breach Rule, with some modifications, and (iii) the changes previously proposed to HIPAA under the Genetic Information Nondiscrimination Act (“GINA”).

The Final Rule will be effective on March 26, 2013. Covered entities and business associates must comply with the Final Rule within 180 days, or by September 23, 2013. HHS has provided a longer compliance timeframe for certain other requirements, such as required changes to business associate agreements. All modifications to the Enforcement Rule, which governs the compliance responsibilities of covered entities during the enforcement process, will be effective on March 26, 2013.
