Key Elements of the New "Omnibus" HIPAA Privacy and Security Regulations

On January 18, 2013, nearly four years after the passage of the HITECH Act and its amendments to HIPAA, and nearly three years after it proposed regulatory amendments, the U.S. Department of Health and Human Services ("HHS") finally issued major "omnibus" revisions to HIPAA's privacy and security regulations.

In the 563 pages of the regulations and related regulatory comments, there are many substantive and technical changes. However, we distilled two major themes from these revisions:

  • Extension of HIPAA generally, and in particular the direct extension of HIPAA to business associates and their subcontractors, so that the entire food chain that deals with Protected Health Information ("PHI") now falls under HIPAA's privacy and security regulations; and
  • Ramping up the regulations on data breach, including shifting the burden on breach notification, so that it now sits squarely on the covered entity/business associate to prove a "low probability" that PHI has been compromised.

Also notable is what these regulations did not do: they did not raise the cap on HIPAA civil monetary penalties. It remains at $1.5 million, which is somewhat surprising in light of the increasing frequency and scope of breaches involving PHI, and the increasingly large penalties the Office of Civil Rights has imposed for HIPAA privacy and security violations.

The final rule is effective on March 26, 2013 and the compliance date is 180 days thereafter (September 22, 2013). Covered entities and business associates will have up to one year after the 180-day compliance date to modify existing contracts in order to comply with these revised rules.
