The Omnibus Final Rule (Final Rule) entitled “Modifications of the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the HITECH Act” became effective on March 26, 2013.
Here are some of the modifications requiring compliance by the various stakeholders by September 23, 2013:
- The Privacy and Security Rules impact transactions involving PHI for a broader definition of Business Associate which now includes a subcontractor of a Business Associate.
- The Privacy and Security Rules impact a Business Associate and its subcontractors which now have increased accountability to a Covered Entity under its business associate agreements (BAAs) with the Covered Entity.
- The Privacy Rule providing for compound authorizations, authorization for the use of PHI in future research and the use of deceased person’s PHI in clinical research impact a Covered Entity, its researchers and institutional review boards.
- The Breach Notification Rule now requires notification of affected individuals for an impermissible acquisition, access, use of disclosure of PHI with the ultimate responsibility falling on the Covered Entity.
These modified HIPAA Rules are subject to enforcement by the Office of Civil Rights (OCR):
- The Enforcement Rule provides that OCR will now investigate all complaints relating to the HIPAA Rules.
- The Enforcement Rule provides that OCR can now proceed directly to impose civil monetary penalties (CMPs).
The impact of compliance with the modified HIPAA Rules and enforcement by OCR remain to be tested and future regulatory developments may come into play.
View the full article on these changes here.
Lina Genovesi, PhD, JD www.linagenovesi.com