HHS makes sweeping changes to HIPAA privacy and security rules

January 22, 2013

The Department of Health and Human Services (HHS) Office for Civil Rights has released a final rule implementing a wide range of changes to the privacy, security, enforcement and breach notification rules of the Health Information Portability and Accountability Act (HIPAA). The long-awaited "omnibus" final rule is based on statutory changes mandated by the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act and the Genetic Information Nondiscrimination Act of 2008. The rule gives patients increased protection and control over their protected health information, extends the HIPAA privacy and security requirements to business associates, and increases enforcement authority and penalties.

“Much has changed in health care since HIPAA was enacted over fifteen years ago,” HHS Secretary Kathleen Sebelius said in a news release coordinated with the posting of the 563-page rule in the Federal Register. “The new rule will help protect patient privacy and safeguard patients' health information in an ever-expanding digital age.”

The rule expands individuals' rights to receive electronic copies of their medical records and gives patients the right to instruct health care providers to restrict disclosure of information to health plans in certain circumstances, where treatment is paid for out-of-pocket and in full. It also sets new limits on the use of patient information for marketing and fundraising purposes and prohibits the sale of health information without the patient's permission.

Additionally, the final omnibus rule clarifies when breaches of unsecured health information must be reported to HHS, makes business associates directly liable under HIPAA and raises the maximum penalty for noncompliance to $1.5 million per violation.

“This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented,” said Leon Rodriguez, director of the Office for Civil Rights at HHS.

To comply with the new rule, physician offices will need to make significant changes to their Notice of Privacy Practices, their business associate agreements and their privacy and security policies. The California Medical Association (CMA) will be developing and updating resources, including model agreements and policies, in the coming months to help physicians comply with the new rule.

Official publication of the new rule in the Federal Register is scheduled for Jan. 25. The final HIPAA omnibus rule is effective March 26, 2013. Covered entities, including most physicians, and business associates must comply with applicable requirements by September 23, 2013.

The new omnibus rule will also be covered in CMA's February 6 webinar, "HIPAA Compliance: The Final HITECH Rule." The one-hour webinar is free to CMA members. For more information, or to register, visit www.cmadocs.org/events.

Contact: Lisa Matsubara, (800) 786-4262 or lmatsubara@cmadocs.org.
