HHS Releases Final Rule Updating HIPAA Privacy, Security, Breach Notification and Enforcement Rules

On January 17, 2013, the U.S. Department of Health and Human Services (“HHS”) issued a long-awaited final rule updating the existing Health Insurance Portability and Accountability Act (“HIPAA”) regulations to enhance the protection of patients’ privacy rights and increase the enforcement of privacy and security protections. The final rule modifies the HIPAA Privacy, Security, Breach Notification and Enforcement Rules based on mandates contained in the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act.

Notably, the final rule requires business associates, entities that receive protected health information (“PHI”) on behalf of covered entities, to comply with certain provisions of the HIPAA Privacy and Security Rules. Formerly, compliance under HIPAA was directly required only of covered entities, such as health care providers and health plans, and only contractually required of business associates. The final rule clarifies that business associates are directly liable for compliance with HIPAA. In addition, the final rule changes the HIPAA Enforcement Rule to implement an increased and tiered civil monetary penalty structure.

The final rule provides clarification regarding breach notification requirements. An objective standard is set forth to determine when a breach of unsecured PHI must be reported to HHS.

The final rule modifies the requirements for individual authorizations of the use or disclosure of PHI. These modifications facilitate the disclosure of PHI for research purposes and simplify the process for sharing proof of child immunizations with schools.

The final rule also contains several other provisions that strengthen and expand the protection of individual rights. These provisions include the following:

• Additional limitations are placed on the use and disclosure of PHI for marketing and fundraising purposes;
• Individual authorizations are required to sell PHI;
• Individuals are entitled to an electronic copy of their medical records;
• A patient who pays in cash can prevent the health care provider from disclosing treatment information to the patient’s health plan;
• Health plans are prohibited from disclosing genetic information for underwriting purposes; and
• Covered entities must modify and redistribute their notice of privacy practices.

The final rule is scheduled to be published in the Federal Register on January 25, 2013 and will become effective on March 26, 2013. Covered entities and business associates are required to comply with the final rule by September 23, 2013.