HIPAA: The Final Rule
Summary: HHS has announced the “final rule” on HIPAA (effective March 26, 2013) which extends patient rights, imposes more severe penalties for breach, and extends HIPAA compliance to Business Associates and subcontractors.
After 3 years and hundreds of proposals, the Office of Civil Rights (OCR) of the US Department of Health and Human Services (HHS) has released what is referred to as:
- The Omnibus Rule
- The Final Rule
- The Final Act
- The Mega Rule
The Rule becomes effective as of March 26, 2013 requiring physicians as well as other covered entities to be in compliance as of Sept 23, 2013. The government has released cost estimates for complying with new forms, documents, contracts, and practices to be somewhere between $114 million and $225 million.
History of HIPAA
1996 – HIPAA Enacted
1998
- Published NRPM transactions
- Published code sets
- Published national employer identifier
- Published security
1999 –Clinton Administration announced proposed rules on Privacy Standards for Individually identifiable health information, which was published in the Federal Register
2000
- 60 day comment period for Privacy Standards which was extended
- Transaction and code sets final rule published
- Privacy final rule published
2002
- CMH announced the adoption of EIN as the standard unique identifier for employers in the filing and processing of health care claims
- Final modifications to the Privacy Rule published
2003
- Modifications to transactions and code sets regulation and implementation guide addenda published
- Privacy compliance deadline
- Interim final rule on civil money penalties procedures published
- Interim final rule on electronic submission of Medicare claims published
- Set expected date for transaction and code sets for small health plans and covered entities that filed a compliance plan to delay implementation
2004 – standard unique employer identifier compliance deadline
2005 – security compliance deadline
2007 – national provider identifier compliance deadline
2008 – national provider identifier compliance deadline for small health plans and the end of NPI contingency period
2012 – HIPAA 5010 compliance date
2013
- ICD-10 compliance expected
- HIPAA Final Rule
Quotes on the Rule itself
Secretary Kathleen Sebelius – “The new rule will help protect patient privacy and safeguard patients’ health information in an ever-expanding digital age.”
OCR Director Leon Rodriguez, J.D. said the final rule “marked the most sweeping changes to the HIPAA privacy and security rule since they were first implemented. These changes not only greatly enhance a patient’s privacy rights and protections but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider or one of their business associates.”
The Rule is appropriately named as it brings finality to four different rules which were previously proposed.
Finalizes 4 separate rule makings:
- Modifications to the HIPAA Privacy, Security, and Enforcement Rules mandated by the Health Information Technology for Economic and Clinical Health Act, and certain other modifications to improve the rules, which were issued as a proposed rule on July 14, 2010.
- Changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act, originally published as an interim final rule on October 30, 2009.
- A final rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act, which replaces the breach notification rules “harm” threshold with a more objective standard and supplants an interim final rule published August, 24, 2009.
- A rule modifying the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA) to prohibit most health plans from using or disclosing genetic information for underwriting purposes, which was published as a proposed rule on October
7, 2009.
Part 2 will explain the implications of this rule
BHM Healthcare Solutions – a healthcare management consulting firm.
1-888-831-1171
