Newly-Released HIPAA Omnibus Rule Modifies Privacy, Security and Breach Notification Requirements

By: Anne O'Hagen Karl | Robert D. Belfort
– Bloomberg BNA Health IT Law & Industry Report

On January 17, 2013, the Office of Civil Rights of the U.S. Department of Health and Human Services issued a long-awaited omnibus rule (the "Omnibus Rule"), which modifies a wide range of privacy, security and breach notification requirements under the Health Insurance Portability and Accountability Act ("HIPAA"). The Omnibus Rule, among other things:

  • Replaces the controversial "risk of harm" standard for determining whether a reportable data breach has occurred with a new test focused on whether data has been "compromised."
  • Extends the reach of HIPAA to business associates.
  • Tightens restrictions on the use of protected health information ("PHI") for marketing purposes.
  • Gives non-profit organizations greater leeway in using clinical information for fundraising.
  • Provides greater flexibility for researchers seeking to obtain patient authorization for the use of PHI for research.
  • Integrates protections governing genetic information established under other laws.
  • Enhances patients' electronic access to their medical records.

The article highlights the new requirements for healthcare providers, health plans and other covered entities under the Omnibus Rule and discusses how privacy and security policies, privacy notices and business associate contracts must be revised to come into compliance.
