On Thursday, HHS released a final omnibus rule that includes four final rules that expand and update HIPAA provisions, Government Health IT reports (Sullivan, Government Health IT, 1/17).
The rules -- called for under the 2009 federal economic stimulus package's HITECH Act and the Genetic Information Nondiscrimination Act -- implement tougher privacy and security provisions. The rules:
- Clarify when breaches must be reported to HHS' Office for Civil Rights;
- Establish new standards for the use of patient-identifiable information for fundraising and marketing;
- Expand liability to "business associates" of hospitals and other "HIPAA-covered entities," such as data miners and health IT service providers (Conn, Modern Healthcare, 1/17); and
- Raise the maximum penalty for noncompliance to $1.5 million per violation (Bowman, FierceHealthIT, 1/17).
According to HHS, the rules stemmed in part from an executive order that directed HHS to conduct a retrospective review of existing regulations to determine ways to reduce costs and increase flexibility under HIPAA (Government Health IT, 1/17).
HHS Secretary Kathleen Sebelius said the rules "will help protect patient privacy and safeguard patients' health information in an ever expanding digital age."
The long-awaited rules were accepted by the Office of Management and Budget in March 2012 and were expected to be published last summer (FierceHealthIT, 1/17).