HHS Issues New HIPAA Omnibus Rule

HHS issued the new HIPAA omnibus rule yesterday. The new rule contains important changes for health care providers and their business associates. For example, the new rule:

  • Modifies the standard for reporting breaches to patients and HHS. HHS replaced the former "no harm, no foul" rule with a new standard: a breach is presumed unless the covered entity can demonstrate a low probability that the protected health information has been compromised. This requires an assessment of specified factors and will likely increase the number of reportable breaches.
  • Confirms HIPAA requirements for business associates and their subcontractors. Business associates are subject to HIPAA penalties if they fail to comply. The definition of "business associates" was expanded to include entities that provide data transmission services for protected health information and require routine access to the information.
  • Confirms providers are liable for their business associate's violations if the business associate is acting as the agent for the provider. The rule's commentary contains a helpful analysis for determining whether an agency relationship exists.
  • Makes it easier for family members to obtain information about decedents. The rule also confirms that HIPAA does not apply to information 50 years after the decedent's death.
  • Expands patients' right to obtain electronic copies of their records.
  • Prohibits providers from disclosing information to health insurers if the patient pays for the treatment and requests that the information not be disclosed to insurers. Implementation will create significant practical problems for practitioners.
  • Prohibits the sale of protected health information unless certain conditions are satisfied.
  • Imposes additional requirements for the use of protected health information for marketing or fundraising. Among other things, an authorization is required to disclose information for treatment purposes if the provider is receiving remuneration for the disclosure.
  • Requires new provisions to be added to providers' Notice of Privacy Practices, including a description of disclosures that require authorizations and notice of a patient's right to receive notice of HIPAA breaches.

The new rules take effect March 23, 2013, but covered entities and business associates will have until September 23, 2013 to comply. Before then, providers will need to take certain actions to remain compliant, including:

  • Modify their Notice of Privacy Practices.
  • Update and/or execute new business associate contracts, including contracts for subcontractors and health information organizations. Existing compliant contracts do not need to be modified until September 2014.
  • Revise privacy, security and breach notification policies to incorporate the new requirements.
  • Modify authorizations and other forms as necessary to track the new rules.
  • Ensure their electronic medical records programs have the functionality to address the new regulatory requirements.
  • Take even greater care to protect patient information given the new standard for evaluating whether breaches are reportable.

Business associates will also need to implement HIPAA privacy and security policies and safeguards applicable to business associates. HHS estimates that complying with the new requirements will cost affected parties a total of $114 million to $225 million during the first year. The new rule can be accessed at: http://www.ofr.gov/. HHS's press release can be accessed at www.hhs.gov/news/press/2013pres/01/20130117b.html.

For questions regarding this update, please contact
Kim C. Stanger
Holland & Hart, U.S. Bank Plaza, 101 S. Capitol Boulevard, Suite 1400, Boise, ID 83702-7714
email: kcstanger@hollandhart.com, phone: 208-383-3913

This news update is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the author. This news update is not intended to create an attorney-client relationship between you and Holland & Hart LLP. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.

