HHS Issues HIPAA Final Omnibus Rule

On Jan. 17, 2013, the Department of Health and Human Services (HHS) released the long-awaited HIPAA Final Omnibus Rule (HIPAA Final Rule). The HIPAA Final Rule consists of the following four final rules:

  • Modifications to the HIPAA Privacy, Security, and Enforcement Rules mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act, and certain other modifications to improve the rules, which were issued as a proposed rule on July 14, 2010;
  • Final rule adopting changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act, originally published as an interim final rule on Oct. 30, 2009;
  • Final rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act, which replaces the breach notification rule's harm threshold and supplants an interim final rule published on Aug. 24, 2009;
  • Final rule modifying the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA), which was published as a proposed rule on Oct. 7, 2009.
Some of the key changes in the HIPAA Final Rule include:
  • Making business associates of covered entities directly liable for compliance with certain of the HIPAA Privacy and Security Rules' requirements and expanding the obligations to subcontractors of business associates;
  • Strengthening the limitations on the use and disclosure of protected health information for marketing and fundraising purposes;
  • Prohibiting the sale of protected health information without individual authorization;
  • Expanding individuals' rights to receive electronic copies of their health information and restricting disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full;
  • Requiring modifications to, and redistributions of, a covered entity's notice of privacy practices;
  • Modifying the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools, and to enable access to decedent information by family members or others;
  • Adopting the HITECH Act enhancements to the Enforcement Rule, including the provision addressing enforcement of noncompliance due to willful neglect;
  • Changing the definition of "breach" to include language clarifying that an impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the PHI has been compromised;
  • In the breach notification rule, removing the harm standard and modifying the risk assessment to focus more objectively on the risk that the protected health information has been compromised; and
  • Applying the prohibition on using or disclosing protected health information that is genetic information for underwriting purposes to all health plans that are covered entities under the HIPAA Privacy Rule, including those to which GINA does not expressly apply, except with regard to issuers of long term care policies.
The HIPAA Final Rule is scheduled to be published in the Federal Register on Jan. 25, 2013. A copy of the HIPAA Final Rule is available for public inspection here. A more detailed analysis of the impact of the HIPAA Final Rule will be issued by Ice Miller shortly. In the meantime, please contact Chris Sears at (317) 36-5891, Kim Metzger at (317) 236-2296, Taryn Stone at (317) 236-5872 or Margaret Emmert at (317) 236-2169 for further information or if you have any questions regarding these issues.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader's specific circumstances.

