By Anna Kraus

The U.S. Department of Health and Human Services has issued its long-awaited final omnibus rule modifying the privacy, security, enforcement, and breach notification regulations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  The rule is based on statutory changes under the Health Information Technology for Economic and Clinical Health (HITECH) Act and the Genetic Information Nondiscrimination Act of 2008 (GINA).

The omnibus rule comprises the following four rules:

  1. Final modifications to the HIPAA regulations mandated by the HITECH Act, and certain other modifications to improve the HIPAA rules;
  2. Final rule adopting changes to the HIPAA Enforcement Rule;
  3. Final rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act, which, according to HHS, replaces the current rule’s “risk of harm” threshold with a more objective standard; and
  4. Final rule modifying the HIPAA Privacy Rule as required by GINA.

This post is the first in a series that we will publish about key aspects of the final rule, including modifications to the HIPAA requirements for research, marketing, breach notification, business associates, and other issues.  Stay tuned for more details…