HIPAA Final Omnibus Rule 2013
All the resources you need, in one place.
- September 23rd HIPAA Compliance: Be a Compliance Champion - Get in the Game
- Covered Entity Playbook: HIPAA Final Omnibus Rule Playbook - Your Ticket to Winning the Compliance Game
- Business Associate Playbook: HIPAA Final Omnibus Rule Playbook - Your Ticket to Winning the Compliance Game
- Whitepaper: An Analysis of the Changes Impacting Healthcare Covered Entities and Business Associates
- Webinar: HIPAA Final Rules What you need to know and do
- Slides: HIPAA Final Rules What you need to know and do
A Regulatory Overview
With the passage of HIPAA in 1996, and with the addition of the HITECH act in 2009, the two laws have had an epic journey of proposals, changes, comments and delays. A new passage in the HIPAA-HITECH story was written when the HIPAA-HITECH Omnibus Final Rule (Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules) was published to the Federal Register on January 25th 2013. The Omnibus Rule, that covers 4 previously proposed and interim final rules, was received by the OCR to the Office of Management and Budget (OMB) on March 24th 2012 for review before being published. It was only expected to take 90 days. It came out almost one year later.
The Rule goes by many names, Final Rule, Omnibus Rule, HIPAA Omnibus rule, but its extended name is: Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules.
A Brief History of HIPAA and the Changes Through the Years
To help protect against the breach of personal medical information, the Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, set standards for medical privacy that went into effect over the next 10 years. The American Recovery and Reinvestment Act (ARRA), signed by President Obama in February 2009, put into law new privacy requirements that experts at the time called “the biggest change to the healthcare privacy and security environment since the original HIPAA privacy rule.” Title XIII of ARRA, the Health Information Technology for Economic and Clinical Health (HITECH) Act, sought to streamline healthcare and reduce costs through the use of health information technology. The HITECH Act dedicated over $31 billion in stimulus funds for healthcare infrastructure and the adoption of electronic health records (EHR), including funding for the meaningful use incentive programs. To ensure that privacy and data security went hand in hand with the digitization of health records, healthcare organizations had to comply with the HIPAA Privacy and Security Rules by establishing a risk management process and conducting annual risk assessments. The HITECH Act also imposed new requirements, including:
- Specific thresholds, response timeline, and methods for breach victim notification.
- A new definition of business associates and extension of the HIPAA privacy and security requirements to include business associates.
- Expansion of contractual obligation for security and privacy of PHI to subcontractors of business associates.
- Tiered increase in penalties for violations of these rules, some of them mandatory, with potential fines ranging from $25,000 to as much as $1.5 million, effective immediately.
- Provisions for more aggressive enforcement by the federal government.
- Explicit authority for state Attorneys General to enforce HIPAA Rules and to pursue HIPAA criminal and civil cases against HIPAA covered entities (CEs), employees of CEs, or their business associates.
- Requirement for the Department of Health and Human Services (HHS) to conduct mandatory audits.
The HITECH Act allowed only one year for most provisions to be enforced. On September 23, 2009, the Department of Health and Human Services issued guidelines on the HITECH Act, known as the Interim Final Rule for Breach Notification. This rule, among other things, included a controversial “harm threshold” that gave CEs the responsibility for determining whether notification is required after discovery of a breach of PHI. The HHS submitted a final rule for review to the Office of Budget and Management, only to withdraw it in July 2010. Now, more than two and a half years later, the HIPAA Final Omnibus Rule is finally here.
The HIPAA Omnibus Rule affective date is March 26, 2013
The compliance deadline is September 23, 2013.