Final HIPAA Privacy and Security Rules

January 24, 2013

On January 17, 2013, the U.S. Department of Health and Human Services (“HHS”) released the long-awaited final HIPAA Privacy and Security Rules (the “Final Rules”)

The Final Rules are effective March 26, 2013. Covered entities and business associates will have until September 23, 2013, to come into compliance. According to the HHS Office of Civil Rights, the Final Rules “mark… the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented.”

Among other things, the Final Rules:

Give patients greater protection and control of their protected health information (“PHI”).
Expand the privacy and security requirements to “business associates,” such as contractors of providers, plans and others, and define their direct liability for compliance with many aspects of the Final Rules.
Increase penalties for non-compliance up to $1.5 Million per violation.
Strengthen the HITECH Act breach notification requirements by clarifying when breaches of unsecured health information must be reported to HHS.
Expand a patient’s right to a copy of his or her electronic medical records in electronic form.
Set new limits on how PHI may be used for marketing and fundraising purposes.
Require modifications to, and redistribution of, a covered entity’s Notice of Privacy Practices.

Attorney Advertisement: This is an advertisement for the Health Law Bulletin published by Miller Health Law Group, APLC. This Health Law Bulletin is neither intended, nor should it be used, as a substitute for specific legal advice.