The Office for Civil Rights (“OCR”) of the Department of Health and Human Services released today the long-awaited and much-anticipated omnibus final rule modifying the HIPAA Privacy, Security, Breach and Enforcement Rules. The final rule, which implements the statutory requirements of the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and the Genetic Information Nondiscrimination Act (“GINA”), comprises four final rules and addresses the July 2010 HITECH proposed rule, the Breach Notification and Enforcement interim final rules, and the October 2009 GINA proposed rule (collectively, the “HITECH Final Rule”). Notably, the HITECH Final Rule does not address the May 2011 proposed accounting and access report rule.
Noteworthy provisions of the HITECH Final Rule include:
- Making Business Associates directly liable for compliance with certain requirements of the HIPAA Privacy and Security Rules;
- Converting subcontractors of Business Associates that create, receive, maintain, or transmit PHI on behalf of the Business Associate into Business Associates themselves;
- Requiring authorizations for all treatment and health care operations communications where the Covered Entity receives financial remuneration for making the communications from a third party whose product or service is being marketed;
- Replacing the Breach Notification Rule’s “harm” threshold with a presumption that an impermissible use or disclosure of PHI is a Breach unless the Covered Entity or Business Associate demonstrates that there is a low probability that the PHI has been compromised; and
- Mandating compliance by Covered Entities and Business Associates with applicable requirements by September 23, 2013.
We are in the process of conducting a full review of the HITECH Final Rule and will shortly release a Client Alert providing a detailed analysis of the Rule. In the meantime, please contact Brad M. Rostolsky (215-851-8195 or brostolsky@reedsmith), Salvatore G. Rotella, Jr. (215-851-8123 or firstname.lastname@example.org), or any other member of the Reed Smith Health Care Group with whom you work, if you would like additional information or if you have any questions.