HHS Releases Final Omnibus Rule on Health Information Privacy and Security
January 23, 2013 | Risk Management News
The U.S. Department of Health and Human Services (HHS) has released the long-awaited final omnibus rule updating the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act, according to a January 17, 2013, press release from HHS. According to the press release, “the final omnibus rule greatly enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s ability to enforce the law.” The changes in the final rulemaking provide the public with increased protection and control of personal health information, HHS states. Because some of the largest breaches reported to HHS have involved business associates of healthcare providers and health plans, the changes expand many privacy and security requirements to business associates. Penalties for noncompliance are increased based on the level of negligence, with a maximum penalty of $1.5 million per violation. The changes also strengthen the breach notification requirements of the HITECH Act by clarifying when breaches of unsecured health information must be reported to HHS.