Update on the HIPAA Privacy and Security Final Rule
On January 17, 2013, the U.S. Department of Health & Human Services released the long-awaited final rule detailing new privacy and security requirements for HIPAA. New clarifications are now available on issues such as breach notification requirements, the extension of liability to business associates, and more.
In January 2013, the U.S. Department of Health & Human Services published its final rule on privacy and security requirements for HIPAA. The new requirements provide the public with increased protection and control of protected health information (PHI) by expanding the responsibilities of providers, health plans, and other entities that handle and process health information and insurance claims.
Of note, the rule extends HIPAA responsibilities to business associates including contractors and subcontractors, and imposes civil monetary penalties for noncompliance. Other rules detail restrictions on the use of PHI for marketing, the sale of PHI, patient requests for PHI, patient requests for restrictions on disclosures, and more.
The new final rule goes into effect on March 26, 2013. To allow for adjustments, HHS has set the compliance date for most of the new requirements 180 days after this date, which is September 23, 2013. Now that the final details have been set and enforcement will be tightened, we recommend that organizations check their practices and procedures for compliance with the rules and address any remaining gaps. In general, we also recommend that organizations make HIPAA compliance part of a larger, more integrated, enterprise-level effort to manage security.
