Final HIPAA Privacy Rules Published By Health & Human Services

On January 25, 2013 the Department of Health and Human Services published the 138 page final rule on HIPAA Privacy, Security, Enforcement and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act, and other Modifications to the HIPAA Rules.  It makes final modifications to the HIPAA rules.  It makes business associates of covered entities directly liable for compliance with certain of the HIPAA Privacy and Security Rules’ requirements.  It strengthens the limitation on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibits the sale of protected health information without individual authorization. It expands individuals’ rights to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full.  It requires modifications to, and redistribution of, a covered entity’s notice of privacy practices.  It modifies the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools, and to enable access to decedent information by family members or others. It adopts the additional HITECH Act enhancements not previously adopted in the October 30, 2009 interim final rule. 

The final rule adopts changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act. It replaces the breach notification rule’s “harm” threshold with a more objective standard and supplants the interim final rule published on August 24, 2009.  It prohibits most health plans from using or disclosing genetic information for underwriting purposes.

For more information please utilize the following link.

http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf