Final HIPAA Omnibus Rule Released
Yesterday,
the Department of Health and Human Services (HHS) issued a final omnibus rule
that makes extensive modifications to
the privacy, security, and enforcement rules established under the Health
Insurance Portability and Accountability Act of 1996 (HIPAA).
The
final rule expands many of the requirements to business associates of entities
that receive protected health information, such as contractors and
subcontractors. Penalties are increased for noncompliance based on the
level of negligence with a maximum penalty of $1.5 million per violation.
The
changes
also strengthen the Health Information Technology for Economic and Clinical
Health (HITECH) Breach Notification requirements by clarifying when breaches of
unsecured health information must be reported to HHS. An interim final version
has been in effect since September 2009. The new version clarifies requirements
for when a breach must be reported to authorities.
The
final rule will be effective March 26. However, covered entities and business
associates have until September 23 to comply with the rule.
APTA will post a summary of the rule in the future.
APTA
offers member information and links to learn about compliance with HIPAA
regulations at www.apta.org/HIPAA/.