What Employers Need to Know About New 563-Page Health Privacy Rule

As discussed in our last webinar, in late January the U.S. Department of Health and Human Services (HHS) issued its much-anticipated 563-page final omnibus rule regulating protected health information.

As promised, here’s a guide to what employers really need to know.

What’s it all about?

According to an HHS press release:

(The rule) marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented. These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of [HHS] to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”

The rule is aimed primarily at health care providers. If that’s your business, you’ll most definitely want to check out the resources listed below and maybe even read all 563 pages of the rule.

What are the main areas addressed?

Privacy/Security:
- Activities that make an entity a business associate, including merely storing or maintaining PHI (protected health information);
- Direct liability of business associates and their subcontractors for compliance failures;
- Required modifications to privacy notices;
- Expanded rights of individuals to get electronic copies of their PHI;
- Expanded limits on the sale or use of PHI, including for marketing/fundraising purposes.
Breach notification: The rule recognizes that not all HIPAA violationsrequire breach notification. There are four (4) main factors to consider:
- The nature and extent of the information released;
- Who received and the information;
- Whether the information was actually seen by anyone;
- The extent to which the risk was mitigated.
Enforcement: Penalties for non-compliance have increased to a maximum of $1.5 million per violation and vary based on the level of negligence.
Genetic information: The rule also includes enhanced privacy protections for genetic information, in line with the Genetic Information Nondiscrimination Act (GINA).

When do we have to comply?

The rule takes effect March 26, 2013 and compliance generally will be required by September 23, 2013.

Where can I find out more?

McGuireWoods has an excellent multi-part series here. There are also some solid summaries here and here.

This was originally published on Manpower Group’s Employment Blawg.