HIPAA Omnibus Rule:

On January 25, 2013, the U.S. Department of Health and Human Services (HHS) issued a final rule modifying the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, Breach Notification and Enforcement Rules.  These modifications integrate statutory amendments under the Health Information Technology for Economic and Clinical Health (HITECH) Act to:

• Strengthen the privacy and security protection for individuals' health information;
• Modify the rule for breach notification under the HITECH Act to address public comment received on the interim final rule;
• Modify the HIPAA Privacy Rule to strengthen the privacy protections for genetic information by incorporating the Genetic Information  Nondiscrimination Act (GINA); and
• Improve workability and effectiveness of the HIPAA rules in order to increase their flexibility for and decrease their burden on the regulated entities

The final rules are available on the Federal Register website for public review and are effective starting March 26, 2013. The rules require compliance by covered entities and business associates by September 23, 2013, allowing for a six month compliance period.

Summary of key changes related to security

While the changes to the original HIPAA rules are extensive in some areas, most of the requirements related to security are not new or unexpected; rather they implement provisions from the HITECH Act and finalize those of the interim final rule. The following is a high-level summary of some of the changes most relevant to an organization's information security program:

• Security Rule - The rule is now clear on the requirement to review and modify security measures on a recurring basis to ensure security measures continue to be "reasonable and appropriate" and provide "adequate" protection of protected health information (PHI), which subsequently places increased emphasis on the robustness of an organization's information security risk management program.  Other changes include the requirement for a business associate rather than the covered entity to obtain assurances from subcontractors, and organization's may "segment" their organization by designating one or more business units as a "health care component."  However, disclosures outside of the component are treated as a disclosure outside the covered entity.
• Breach notification - This is a component of the HITECH Act with which covered entities and business associates should already be in compliance. However, the final rule modifies these interim provisions by replacing the risk of significant harm standard with the requirement to demonstrate via a risk assessment that there is a low probability the PHI has been compromised. The omnibus rule also eliminates the notification exception for limited data sets and requires organizations to include uses or disclosures that violate the "minimum necessary" principle, thereby increasing the need for to de-identification when such data is used. Elements that must be reviewed as part of a valid risk assessment include:Business associate compliance - A largely unchanged provision from the HITECH Act is the direct extension of HIPAA compliance to business associates and subcontractors, who are also now considered business associates. In its final form, business associates are required to comply with the privacy provisions incorporated into standard business associate agreements as well as the full HIPAA Security Rule. HHS has also clarified that the lack of a formal agreement or contract does not preclude compliance by business associates and also makes them responsible for ensuring they have business associate agreements with the covered entities they support.

• The nature and extent of PHI involved;
• To whom the disclosure was made;
• Whether the PHI was actually viewed; and
• The extent to which the risk to the PHI has been mitigated.