Blue Cross and Blue Shield of Illinois


 

February 1, 2013

Legislative Update: HHS Releases HIPAA / HITECH Omnibus Final Rule

On Jan. 17, 2013, the U.S. Department of Health & Human Services (HHS) released its 563-page final rule on the Health Insurance Portability and Accountability Act (HIPAA). The final rule is based on statutory amendments under the Health Information Technology for Economic and Clinical Health (HITECH) Act. The final rule modifies HIPAA Privacy, Security, Breach Notification and Enforcement Rules and implements protections under the Genetic Information Nondiscrimination Act of 2008.

The changes in the final rule include, but are not limited to, the following:

  • Makes business associates of covered entities directly liable for compliance with certain of the HIPAA Privacy and Security Rules requirements.
  • Strengthens the limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibits the sale of protected health information without individual authorization.
  • Expands individuals’ rights to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full.
  • Requires modifications to, and redistribution of, a covered entity’s notice of privacy practices.
  • Prohibits most health plans from using or disclosing genetic information for underwriting purposes.
  • Adopts changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure.
  • Replaces the “significant risk of harm” standard for determining breach notification with a “low probability” standard. A risk assessment is still allowed.

The rule was scheduled to be published in the Federal Register on Jan. 25, 2013, and is effective on March 26, 2013. Covered entities and business associates are provided a 180-day compliance period and must comply by Sept. 23, 2013.

 

A Division of Health Care Service Corporation, a Mutual Legal Reserve Company,
an Independent Licensee of the Blue Cross and Blue Shield Association.