HITECH Final Rule
The much-anticipated HITECH final rule from the Office for Civil Rights was published in the Federal Register on January 25, 2013. The final rule amended a number of HIPAA’s existing privacy and security requirements, including:
- Making business associates directly liable for compliance with certain Privacy and Security Rule requirements;
- Implementing a number of HITECH’s additional privacy protections and rights for individuals, such as additional limitations on the use of PHI for marketing and fundraising, prohibiting the sale of PHI without individual authorization, expanding the right to an electronic copy of health information, and restricting disclosures to a health plan for treatment for which the individual paid in full out of pocket;
- Requiring health care providers to revise and redistribute their Notices of Privacy Practices; and
- Modifying the standard for determining whether breach notifications must be provided to affected individuals.
The final rule made other changes and clarifications, and the OCR has promised future guidance in addition to the regulations themselves and the preamble to the final rule.
As a result of the final rule, health care providers will need to evaluate their current privacy and security policies and procedures for compliance with the new requirements and assess their arrangements with business associates. The rule is effective on March 26, 2013, but health care providers generally have 180 days from that date to comply with the modifications to HIPAA’s existing standards and implementation specifications. (There is a longer transition period for existing business associate agreements.) We have reviewed the final rule closely and are monitoring further guidance from the OCR.