Blog: Chronicle of Data Protection | 22 January 2013

HHS Issues New HITECH/HIPAA Rule: Top Ten Changes

In the most significant change to HIPAA since the law was enacted, the Department of Health and Human Services issued an omnibus HIPAA regulation, which will require substantial operational changes for HIPAA covered entities and their business associates.  Ten important changes are:

• Changes to the data breach rule will make more incidents reportable.
• Business associates are directly liable for HIPAA violations and business associate agreements must be modified.
• HIPAA enforcement is moving toward a penalty-based system and away from voluntary compliance.
• Patients have enhanced rights to electronic copies of records and some patient requests for restrictions must be honored.
• HIPAA notices of privacy practices need to be revised.
• The marketing rules require individual authorization for subsidized treatment communications.
• Researchers can obtain permission to use data for future unspecified research.
• Fundraising provisions expand the permissible use of patient data to target appeals.
• Privacy Rule protections expire for persons deceased for more than 50 years.
• Compliance with most of the new requirements will be required on September 23, 2013.