OCR Issues Long-Awaited Omnibus HIPAA/HITECH Rules: Significant Changes for Business Associates and Breach Analysis


The wait is finally over. On January 17, 2013, the U.S. Department of Health & Human Services (HHS), Office for Civil Rights (OCR), issued the final “omnibus” rule modifying the HIPAA Privacy, Security, Breach Notification and Enforcement Rules (Final Rule). The rulemaking comes nearly two and a half years after the release of the proposed rule and implements statutory amendments to the federal health privacy framework enacted under the Health Information Technology for Economic and Clinical Health Act (HITECH) and the Genetic Information Nondiscrimination Act of 2008 (GINA). It also addresses comments received regarding the interim final enforcement and breach notification rules, and makes other modifications to enhance the effectiveness of the HIPAA rules while seeking to reduce their burden on regulated entities.

The Final Rule is effective March 26, 2013, but covered entities and business associates have until September 23, 2013 to come into compliance with the new standards and implementation specifications. As discussed below, OCR has also provided a longer transition period for existing business associate agreements to come into compliance.

The Final Rule includes substantive and non-substantive (technical) changes to the HIPAA Rules. We highlight below the more significant substantive changes.

Please see full alert below for more information.
