On Friday, January 25, 2013, the Office for Civil Rights ("OCR") of the U.S. Department of Health and Human Services ("HHS") published a final rule modifying the HIPAA Privacy, Security, and Enforcement Rules (the "Final Rule") as mandated by the Health Information Technology for Economic and Clinical Health ("HITECH") Act. Many of these modifications were set forth in a Notice of Proposed Rulemaking ("NPRM") dated July 14, 2010, although the Final Rule does not adopt all the proposals as described in the NPRM.
The Final Rule also modifies the Breach Notification Rule, which has been effective as an interim final rule since September 23, 2009. Finally, the Final Rule strengthens privacy protections for certain genetic information under the Genetic Information Nondiscrimination Act ("GINA").
The Final Rule makes significant changes to HIPAA and the potential penalties for violating HIPAA. The Final Rule also expands the scope of HIPAA, meaning that some businesses that were not subject to HIPAA before the Final Rule now have HIPAA compliance obligations and can be subject to enforcement action for noncompliance. Healthcare providers and others in the healthcare industry should be aware of these changes and how they will apply to their particular business.
The Final Rule is effective on March 26, 2013, and Covered Entities and Business Associates must comply with the Final Rule by September 23, 2013.
Womble Carlyle client alerts are intended to provide general information about significant legal developments and should not be construed as legal advice on any specific facts and circumstances, nor should they be construed as advertisements for legal services.
IRS CIRCULAR 230 NOTICE: To ensure compliance with requirements imposed by the IRS, we inform you that any U.S. tax advice within this client alert is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties under the Internal Revenue Code or (ii) promoting, marketing or recommending to another party any transaction or matter addressed in a client alert.