This afternoon, the Department of Health and Human Services posted a long-awaited, 563-page omnibus final rule under HIPAA, which will be published in the Federal Register on January 25, 2013, and which makes a variety of modifications to HIPAA’s Privacy, Security, Breach Notification, and Enforcement Rules. According to the executive summary of the rule, these modifications are necessary “to strengthen the privacy and security protections . . . for individual’s health information maintained in electronic health records and other formats. This final rule also makes changes to the HIPAA rules that are designed to increase flexibility for and decrease burden on the regulated entities, as well as to harmonize certain requirements with those under the Department’s Human Subjects Protections regulations.”
Note that while the effective date of the final rules is March 26, 2013, covered entities have until September 23, 2013, to achieve compliance.
We will have further analysis on this final rule in the coming days.