HIPPA Update

After almost four years, the Department of Health and Human Services has finally released its “omnibus” Health Insurance Portability and Accountability Act (HIPAA)/Health Information Technology for Economic and Clinical Health (HITECH) Act regulation, implementing changes to the HIPAA Privacy, Security and Enforcement Rules, as well as the interim final regulation on breach notification and certain changes to the Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA). The regulation was published in the Federal Register on January 25, 2013. (http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf)

The attachments, compiled by VGM’s Mark Higley, describes the highlights of these new provisions.  Most of these provisions are not “new,” as they implement specific HITECH provisions and adopt the elements of the earlier proposed rule from July 2010.

Nonetheless, these provisions are quite important for the entire health care industry, including HIPAA covered entities, business associates of these covered entities, downstream contractors of these business associates and a wide variety of entities who otherwise use and disclose health-related information.  There are a number of important new compliance obligations and challenges, for both covered entities and business associates, as well as several new issues to evaluate. 

Mark has included a sample/template business associate agreement appropriate to the Final Rule.   

The final rule is “effective” on March 26, 2013.  Covered entities and business associates must comply with the new provisions by September 23, 2013 (180 days after the effective date).  

Questions?  Contact mark at mark.higley@vgm.com or 888.224.1631


VGM summary of the final omnibus HIPAA.doc


Greg A. Packer

Vice President U.S. Rehab

800.987.7342  Ext.6566

 Heartland  Conference – June 10-13, 2013

  Watch for details!