Yesterday, the Office for Civil Rights of the U.S. Department of Health and Human Services released a final rule containing modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules (the "Final Rule"). The Final Rule will be published in the Federal Register on January 25, 2013. We are conducting a thorough review of the Final Rule and will provide a comprehensive summary once our review is complete. In the meantime, the following information may be helpful to you.
  • The Final Rule is effective on March 26, 2013, and Covered Entities and Business Associates must comply with the Final Rule by September 23, 2013.
  • The Breach Notification Rule has been modified. Until now, an impermissible use or disclosure of Protected Health Information ("PHI") was a Breach only if it posed a significant risk of harm to the individual. Now, an impermissible use or disclosure of PHI is presumed to be a Breach unless the Covered Entity or Business Associate can demonstrate, through a risk assessment, that there is a low probability that the PHI has been compromised.
  • A subcontractor of a Business Associate that creates, receives, maintains, or transmits PHI on behalf of the Business Associate is now itself a Business Associate. As a result, these subcontractors are subject to the HIPAA provisions applicable to Business Associates.
  • A Covered Entity and a Business Associate (and a Business Associate and its subcontractor) may continue to operate under an existing Business Associate Agreement ("BAA") for a certain amount of time if (1) prior to January 25, 2013, the BAA complied with then-current HIPAA rules and (2) the BAA is not renewed or modified from March 26, 2013 until September 23, 2013. If these conditions are met, the parties can operate under the existing BAA until the earlier of (1) the date the BAA is renewed or modified on or after September 23, 2013 or (2) September 22, 2014.
  • The Final Rule takes a different approach to marketing than the proposed rules from 2010. In short, individual authorization is required for all treatment and health care operations communications if the Covered Entity receives financial remuneration from a third party whose product or service is marketed in the communications.
Topics:  Business Associates, Covered Entities, Data Breach, Data Protection, HHS, HIPAA, HIPAA Omnibus Rule, Notice Requirements, OCR, PHI

Published In: Health Updates, Privacy Updates, Science, Computers & Technology Updates

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Womble Carlyle Sandridge & Rice, LLP | Attorney Advertising