01.18.2013 The Waiting Game Is Over: HHS Issues Final Modifications to the HIPAA Rules

On January 17, 2013, the Department of Health and Human Services (“HHS”) issued its long expected final omnibus rule, which makes substantial modifications to the Health Insurance Portability and Accountability Act’s (“HIPAA”) Privacy, Security, Enforcement and Breach Notification Rules as mandated by the Health Information Technology for Economic and Clinical Health Act of 2009 (the “HITECH Act”) and the Genetic Information Nondiscrimination Act of 2008 (“GINA”). The final rule will be officially published in the Federal Register on January 25, 2013. The final rule will become effective on March 26, 2013, but, importantly, covered entities and business associates have until September 26, 2013 to comply with any applicable provisions of the new rules.
Specifically, the final rule’s major provisions include:

  • Incorporating the HITECH Act’s required modifications to the HIPAA Privacy, Security and Enforcement Rules, such as, but not limited to: imposing direct liability on business associates for HIPAA violations; strengthening limitations on the use and disclosure of protected health information for marketing and fundraising activities; and requiring covered entities to modify and redistribute their notice of privacy practices;
  • Adopting an increased and tiered civil money penalty structure for HIPAA violations as required under the HITECH Act;
  • Finalizing the Breach Notification for Unsecured Protected Health Information rule, which replaces the rule’s “harm” threshold with a more objective standard; and
  • Modifying the HIPAA Privacy Rule to conform with the requirements of GINA by prohibiting most health plans from using or disclosing genetic information for underwriting purposes.

Commenting on the final rule, Leon Rodriguez, the Director of HHS’ Office for Civil Rights, stated that “[t]his final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented” and that his office will “vigorously enforce” violations of HIPAA’s Privacy and Security Rules. Despite HHS’ recognition of the fact that the final rule’s changes are “sweeping”, the rule states that the HIPAA modifications are intended to “improve [the Privacy, Security, Breach Notification and Enforcement Rules’] workability and effectiveness and to increase flexibility for and decrease the burden on the regulated entities.” Only time will tell whether the final rule will lead to such a result.

The new rule is lengthy and complex. In an effort to assist our clients’ efforts to digest the new rule’s language and understand how the rule could affect their (i) obligations to their patients or customers and (ii) businesses, Williams Mullen will be publishing a series of alerts explaining the new rule’s key provisions over the coming weeks. In the meantime, please contact any member of the Health Care Team with any questions you may have.