Today, the Department of Health and Human Services released an omnibus rule making changes to the Health Insurance Portability and Accountability Act (“HIPAA”) regulations related to privacy and security. The new final rule expands requirements beyond covered entities (health care providers, health plans, and entities that process health insurance claims) to business associates of covered entities in order to provide additional protections. These changes represent some of the most significant changes to the rule since it was first implemented fifteen years ago.
This mega rule also seeks to finalize privacy and security regulations related to the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) as well as implement certain provisions of the Genetic Information Nondiscrimination Act of 2008 (“GINA”).
The final rule is effective on March 26, 2013; covered entities and business associates must comply with the rules by September 23, 2013. Drinker Biddle & Reath is in the process of reviewing the 563-page final rule and will be releasing alerts and updates over the next few days. A copy of the rule can be found here.