On January 17, The Department of Health and Human Services (HSS) filed a long-awaited final rule interpreting the provisions of HIPAA. The rule makes final, supplementary changes to Health Information Technology for Economic and Clinical Health (HITECH) Act regulations, the HIPAA Enforcement Rule, the Breach Notification for Unsecured Protected Health Information under the HITECH Act and the HIPAA Privacy Rule as mandated by the GINA (Genetic Information Nondiscrimination Act). The rule will be effected March 26, 2013, with enforcement beginning September 23, 2013.

The 563-page rule changes various aspects of health privacy laws and is said by HHS Secretary Kathleen Sebelius to “help protect patient privacy and safeguard patients' health information in an ever-expanding digital age.” However, the scope of privacy and security rules will expand to business associates, leaving unprepared health care contractors and subcontractors at risk of liability.

Notable changes include:

  • The HIPAA Privacy Rule has been extended to business associates receiving protected health information, such as contractors and subcontractors.
  • Business associates are liable for increased penalties for noncompliance, based on the intensity of negligence, of up to $1.5 million.
  • Business associates must disclose protected health information (PHI) upon request of the Secretary to investigate or determine compliance.
  • HITECH Breach Notification requirements have been strengthened, requiring increased reporting of unsecured health information to HHS.   
  • Patients may ask for a copy of their electronic medical records.
  • Individuals paying for medical service by cash may ask that treatment information not be disclosed to their health plan.
  • Health information may not be sold without the individual’s permission.
  • Finally, based on statutory changes under HITECH and GINA, genetic information is protected under the HIPAA privacy rule; health plans may not use or disclose this information for underwriting purposes.

The complete rule can be found in the Federal Register. You or your business may need to take steps to ensure HIPAA compliance under the new rule, including rewriting or updating your privacy policy.


Written by:

Published In:


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Cox Smith | Attorney Advertising

Don't miss a thing! Build a custom news brief:

Read fresh new writing on compliance, cybersecurity, Dodd-Frank, whistleblowers, social media, hiring & firing, patent reform, the NLRB, Obamacare, the SEC…

…or whatever matters the most to you. Follow authors, firms, and topics on JD Supra.

Create your news brief now - it's free and easy »

All the intelligence you need, in one easy email:

Great! Your first step to building an email digest of JD Supra authors and topics. Log in with LinkedIn so we can start sending your digest...

Sign up for your custom alerts now, using LinkedIn ›

* With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name.