HHS' Office for Civil Rights has sent the final HIPAA Omnibus Rule to the Office of Management and Budget for review, one of the last steps required before the rule can be published in the Federal Register, CMIO reports (Walsh, CMIO, 3/26).
OMB has a 90-day period to review the rule.
Combination of Four Rulemakings
Susan McAndrew -- deputy director for health information privacy at OCR -- said the omnibus rule combines four separate rulemakings, which are:
- The changes to HIPAA privacy and security rules required under the HITECH Act;
- New data breach enforcement and penalty requirements;
- Final regulations related to the HITECH Act's breach notification rule; and
- Changes to HIPAA to incorporate the Genetic Information Nondiscrimination Act (Hirsch, FierceHealthIT, 3/27).
Additional Rule Details
The rule could include provisions that would:
- Regulate the use of patient information in marketing;
- Prohibit the sale of patient data unless prior authorization is received (Conn, Modern Healthcare, 3/28);
- Eliminate or amend the "harm threshold" provision that currently allows covered entities to refrain from reporting data breaches that are deemed not harmful;
- Establish that business associates and subcontractors -- like covered entities -- are liable for data breaches; and
- Require some form of data encryption for electronic systems that contain patient data (Goedert, Health Data Management, 3/26).