The Final Omnibus HIPAA Rule is Finally Here
Late last night, the U.S. Department of Health and Human Services announced its much-anticipated final rule to strengthen the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The omnibus rule finalizes four previous proposed and interim rulings, including the Enforcement Rule, the Breach Notification Rule, and regulations required under the Health Information Technology for Economic and Clinical Health Act (HITECH Act).
This final rule retains many of the individual rights announced in the July 14, 2010 proposed rules. Specifically, the final rule:
- allows patients to ask for a copy of their electronic medical record in an electronic form;
- allows patients to restrict their provider from sharing information about their treatment with health plans when they pay in cash;
- sets new limits on how information is used and disclosed for marketing and fundraising purposes; and
- prohibits the sale of an individual's health information without their permission.
One of the most significant revisions is the Department's revised definition of a "breach," which replaces the Breach Notification Interim Rule's "harm" threshold with a more objective standard. Additionally, the final rule expands many of the privacy and security requirements for business associates that receive protected health information, as required under the HITECH Act.
The Final Rule will be published in the Federal Register on January 25, 2013.