The U.S. Department of Health and Human Services yesterday unveiled long-awaited changes to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).  The release comprises four final rules combined into a single omnibus rule designed to reduce the impact and number of times certain compliance activities need to be undertaken by regulated entities.  Important provisions include:

  • An expansion of HIPAA’s scope to apply many HIPAA provisions to business associates, and a determination that subcontractors are deemed to be business associates.  This could be interpreted to mean that a healthcare provider’s data miners and health information technology providers are business associates subject to the provisions of HIPAA.
  • Implementation of most of the HITECH modifications to HIPAA.
  • Clarification of when breaches must be reported to HHS’ Office for Civil Rights.
  • Establishment of new standards for the use of patient-identifiable information in fundraising and marketing.
  • An increase in the maximum penalty for noncompliance to $1.5 million per violation.

Health care providers and other covered entities should familiarize themselves with this new rule as soon as possible, as the rule provides for more vigorous compliance actions and increased penalties.  Official publication of the rule is scheduled for January 25.  The rule goes into effect March 26, with a compliance date of September 23.