HHS Releases HIPAA/HITECH Omnibus Final Rule

by Morgan Lewis

Rule finalizes many provisions of the proposed rule, imposing new privacy and security obligations directly on business associates and modifying the definition of "breach" and the required factors to be considered in a risk assessment.

On January 17, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) released its much-anticipated and long-awaited omnibus final rule (Final Rule)[1] modifying certain aspects of the Privacy Rule, the Security Rule, and the Enforcement Rule under the Health Insurance Portability and Accountability Act (HIPAA) and the Breach Notification for Unsecured Protected Health Information Rule (Breach Notification Rule) under the Health Information Technology for Economic and Clinical Health Act (HITECH Act). The Final Rule represents the most significant development in healthcare privacy law since the issuance of the final Privacy Rule and Security Rule a decade ago.

The Final Rule comes approximately two and a half years after HHS published its notice of proposed rulemaking (Proposed Rule) to implement provisions of the HITECH Act. The Final Rule takes effect on March 26, 2013, and covered entities and business associates are required to comply with the applicable requirements of the Final Rule by September 23, 2013. The Final Rule comprises modifications to the four individual rules described below.

HIPAA Privacy, Security, and Enforcement Rules

The Final Rule finalizes modifications to the HIPAA Privacy, Security, and Enforcement Rules, including, but not limited to, those mandated by the HITECH Act. For the most part, the Final Rule adopts the provisions of the Proposed Rule, with a host of clarifications but relatively few significant modifications. The Final Rule's notable provisions include the following:

  • Business Associates: The Final Rule makes some of the obligations of the HIPAA Privacy and Security Rules directly applicable to business associates. It also includes "subcontractors" in the definition for "business associates," requiring business associates to enter into written contracts with subcontractors that are substantially similar to business associate agreements. Significantly, business associates and subcontractors will be required to come into full compliance with the Security Rule by the September 23 compliance date.
  • Marketing: The Final Rule modifies the Proposed Rule's approach to marketing, requiring authorization for all treatment and healthcare operations communications where the covered entity receives financial remuneration for making the communications from a third party whose product or service is being marketed. HHS notes the difficulty in distinguishing between "treatment" and "health care operations" communications, as the Proposed Rule required, and therefore HHS will treat as marketing communications "all subsidized communications that market a health-related product or service." HHS clarifies that the term "financial remuneration" does not include nonfinancial benefits, but rather it only includes those payments made in exchange for making communications about a product or service.
  • Sale of Protected Health Information: The Final Rule generally prohibits a covered entity or business associate from receiving direct or indirect remuneration in exchange for the disclosure of protected health information (PHI), unless the covered entity or business associate has obtained an authorization from the individual.
  • Access to Protected Health Information: The Final Rule expands an individual's right to receive electronic copies of his or her PHI.
  • Restrictions on Certain Disclosures to Health Plans: The Final Rule restricts disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full.
  • Notice of Privacy Practices: The Final Rule requires covered entities to modify certain elements of their notice of privacy practices and redistribute those revised forms.

Civil Money Penalty Structure

The Final Rule adopts the HITECH Act's tiered system of increasing penalty amounts for violations based on increasing levels of culpability associated with each tier.

Breach Notification Rule

The Final Rule modifies the definition of "breach" and the risk assessment approach set forth in the Breach Notification Interim Final Rule issued by HHS on August 24, 2009 (Interim Final Rule). Under the new definition of "breach," an impermissible use or disclosure of PHI is "presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised." This standard replaces the "significant risk of harm" standard set forth in the Interim Final Rule. HHS notes that the prior focus on "harm to an individual" was too subjective, risking inconsistent interpretations and results across covered entities and business associates. As stated above, HHS is instead requiring covered entities and business associates to demonstrate, through a risk assessment, that there is a "low probability" of the PHI having been "compromised."

The Final Rule also modifies the factors that covered entities and business associates must consider when performing a risk assessment with respect to a potential breach. HHS suggests that covered entities and business associates examine their policies to ensure that all required factors are considered when conducting a breach risk assessment.


The Final Rule modifies the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA) to prohibit most health plans from using or disclosing genetic information for underwriting purposes.


Business associates should prepare for compliance with new HIPAA obligations on September 23, including implementation of a Security Rule compliance program. Covered entities should also begin conforming their HIPAA compliance programs to reflect the new requirements of the Final Rule, including updating and redistributing notices of privacy practices and amending business associate agreements.

[1] View the January 17, 2013, HHS press release here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morgan Lewis | Attorney Advertising
