Last Thursday, HHS published its Final Rule, conclusively settling the conversation about its numerous interim and proposed rules developed in light of the American Recovery and Reinvestment Act of 2009. Our inbox received a surge of alarming announcements by analysts and vendors telling us how the new rules would impact our way of doing business. We propose a more measured, analytical approach to the implementation of the changes imposed by the Final Rule. The Final Rule becomes effective on March 26, 2013. Those covered by the Rule will have until September 21, 2013 to comply.
Final Omnibus Rule Comprised of Final Versions of Four Proposed or Interim Final Rules
The four rules that combine to create the omnibus final rule include:
- Modifications to the HIPAA Privacy and Security Rules required by the Health Information Technology for Economic and Clinical Health (HITECH) Act, and certain other modifications to improve the rules, which were issued as a proposed rule on July 14, 2010.
- Changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act, originally published as an interim final rule on Oct. 30, 2009.
- A final rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act, which replaces the breach notification rule’s “harm” threshold with a more objective standard and supplants an interim final rule published on Aug. 24, 2009.
- A final rule modifying the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA) to prohibit most health plans from using or disclosing genetic information for underwriting purposes, which was published as a proposed rule on Oct. 7, 2009.
While we believe the size of the Omnibus Rule and the time allotted to plan for compliance in September provide the opportunity for an educated response, we also strongly believe the signs exist that enforcement actions will become more aggressive and more encompassing.
Expanding Patient’s Privacy Rights and Protections while Strengthening Enforcement
In the press release accompanying publication of the Final Rule, HHS Office for Civil Rights Director Leon Rodriguez stated, “These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”
These comments come in the shadow of HHS issuing its first-ever HIPAA fine to a small non-profit organization for a portable device data breach involving the loss of 441 records. The action is the first for a breach of protected health information for fewer than 500 individuals under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. The not-for-profit Hospice of North Idaho reported to the HHS Office for Civil Rights that an unencrypted laptop with patient information was stolen in June 2010.