HHS has finally released its long-anticipated final “omnibus” regulation (here) addressing the 2009 HITECH Act changes and making other updates to the privacy, security, breach notification, and enforcement rules.
Foulston Siefkin’s health care practice has already posted an issue alert (here) providing an overview of the regulation.
Compliance Date. The advance copy of the regulation runs 563 pages, so there is considerable detail to digest. Luckily, HHS gave us a little time to get our heads around it. The regulation is effective March 26, 2013, and covered entities and business associates are generally required to begin complying with the final rules by September 23, 2013.
Some Key Points. Here are a few key points to understand about the final rules:
1. Business associate agreements may require modification. Business associates are now directly liable for compliance with portions of the HIPAA privacy and security rules. This requirement and other HITECH Act changes will require review and possible modification of business associate agreements to ensure they are in compliance.
2. Notices of privacy practices will require attention. The final rule changes some of the information that is required to be provided in the notice of privacy practices and generally requires re-distribution of an updated notice.
3. The standard for breach notification has changed. Under the current (interim) rules, a covered entity is required to provide notification of a breach of protected health information (PHI) only if the breach poses a significant risk of financial, reputational, or other harm to the individual. That “harm” standard has been replaced. There is now a presumption that any impermissible use or disclosure of PHI is a breach, unless the covered entity (or business associate) can demonstrate, through a documented risk assessment, that there is a “low probability” that the PHI has been compromised.
More to Come. We will be reviewing the new rules and breaking down the details in the weeks and months to come.