By John H. Fisher II and Mary Ellen Schill
January 24, 2013
A final rule containing a wide range of changes to the privacy and security provisions of HIPAA was released last Thursday (January 17, 2013) by the Department of Health and Human Services Office for Civil Rights (OCR). The final regulations include a variety of implementing provisions for three primary rules that were required by the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH). In addition to changes required under the HITECH Act, the final regulations address guidance made necessary by the Genetic Information Nondiscrimination Act which clarifies that certain genetic information is protected under HIPAA. The final rule combines finalization of several previously released proposed regulations under one “omnibus” final regulation. Most, but not all, of the changes will come into effect 180 days after the March 26, 2013 effective date.
The changes are characterized as being “sweeping” by some sources, but for those who have been following the proposed regulations and regulatory process, there are very few big surprises. Briefly, some of the items covered by the final regulations include:
Expanding the government’s enforcement capabilities and penalties with respect to violations of HIPAA and HITECH;
Provisions clarifying that Patient Safety Organizations (PSOs) must be treated as business associates. These organizations provide analysis of patient safety issues based on reports that are received from health care providers.
Certain changes to the “breach notification rule” which in many cases simply provides clarification of some of the open issues that were present under existing law.
Additional limitations on use of PHI for marketing and fundraising.
Prohibition on the sale of PHI without specific individual authorization from the patient.
Expansion of an individual’s right to receive electronic copies of their PHI which has the effect of making access much less costly to the patient.
Expansion of an individual’s ability to restrict disclosures of their PHI to health plans in some circumstances.
Ruder Ware’s Health Care Industry Focus Group is in the process of dissecting the specifics of the final regulations and will be releasing more updates on some of the specific provisions of the rule that will have an effect on our health care clients. Please look for additional Ruder Ware legal updates and feel free to access more frequent updates on our health law blog;http://www.healthlaw-blog.com/.
If you have questions regarding the above, please contact John Fisher or Mary Ellen Schill, the authors of this article, or any of the attorneys on the Health Care Focus Team of Ruder Ware.
This document provides information of a general nature regarding legislative or other legal developments, and is based on the state of the law at the time of the original publication of this article. None of the information contained herein is intended as legal advice or opinion relative to specific matters, facts, situations, or issues, and additional facts and information or future developments may affect the subjects addressed. You should not act upon the information in this document without discussing your specific situation with legal counsel.
© 2021 Ruder Ware, L.L.S.C. Accurate reproduction with acknowledgment granted. All rights reserved.