New HIPAA Rules Issued: Disclosures and Revised Notices of Privacy Practices

The following information was submitted by Elizabeth Hogue, Esq.:

The U.S. Department of Health and Human Services (HHS) has issued final rules to:

  • Modify the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security and Enforcement Rules to implement statutory amendments under the Health Information Technology Economic and Clinical Health Act (HITECH Act) to strengthen the privacy and security protection for individuals’ health information;
  • Modify the rule for Breach Notification for Unsecured Protected Health Information (Breach Notification Rule) under the HITECH Act to address public comments received on the interim final rule;
  • Modify the HIPAA Privacy Rule to strengthen the privacy protections for genetic information by implementing section 105 of Title 1 of the Genetic Information Nondiscrimination Act of 2008 (GINA); and
  • Make other modifications to the HIPAA Privacy, Security, Breach Notification and Enforcement Rules to improve their workability and effectiveness, and to increase flexibility and decrease burden on regulated entities.

The final rules were published in the Federal Register on January 25, 2013, and will be effective on March 26, 2013. Covered entities and business associates must comply with the final rules by September 23, 2013. This is the third in a series of articles that will address key provisions of the rules, their impact on post-acute providers, and practical solutions for compliance.

HIPAA Final Rule Brings Changes to Health Care Industry

On January 17, 2013, the U.S. Department of Health and Human Services (HHS) announced the release of the HIPAA final omnibus rule, which was years in the making. It modifies the HIPAA privacy, security, enforcement and breach notification rules. The regulation is effective March 26, 2013, with a compliance date of September 23, 2013, for both covered entities and business associates.

Features of the regulation:

  • Expands an individual’s right to receive electronic copies of his or her PHI.
  • Restricts disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full.
  • Requires covered entities to modify certain elements of their notice of privacy practices and redistribute those revised forms.
  • Holds business associates liable for certain HIPAA requirements.
  • Clarifies requirements for when a breach must be reported to authorities.
  • Adopts increased and tiered civil monetary penalties of up to $1.5 million per violation.
  • Strengthens the limitations on the use and disclosure of protected health information for marketing and fundraising purposes.
  • Prohibits the sale of protected health information without individual authorization.
  • Prohibits most health plans from using or disclosing genetic information for underwriting purposes, as required by the Genetic Information Nondiscrimination Act.

Stay tuned: the HCA is working on an educational program for our members on these HIPAA changes.

HIPAA Breaches Must be Reported to Secretary of HHS by March 1, 2013

Breaches involving fewer than 500 individuals

For breaches of unsecured protected health information involving fewer than 500 individuals, a home health agency must maintain a log or other documentation of these breaches. The agency must also provide notification of breaches to the Secretary of HHS by March 1, 2013 (no later than 60 days after the end of the calendar year).

This notice must be submitted electronically (Instructions for Submitting Notice), and all information must be completed on the Breach Notification Form. A separate form must be completed for every breach that has occurred during the calendar year.

For specifics of the federal regulation, see Notification in the Case of Breach of Unsecured Protected Health Information.
