Yesterday, the Department of Health and Human Services (HHS) issued a final omnibus rule that  makes extensive modifications to the privacy, security, and enforcement rules established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). 

The final rule expands many of the requirements to business associates of entities that receive protected health information, such as contractors and subcontractors. Penalties are increased for noncompliance based on the level of negligence with a maximum penalty of $1.5 million per violation.

The changes also strengthen the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification requirements by clarifying when breaches of unsecured health information must be reported to HHS. An interim final version has been in effect since September 2009. The new version clarifies requirements for when a breach must be reported to authorities.

The final rule will be effective March 26. However, covered entities and business associates have until September 23 to comply with the rule.

APTA will post a summary of the rule in the future.

APTA offers member information and links to learn about compliance with HIPAA regulations at www.apta.org/HIPAA/.