Run over by the HIPAA bus?

Were you run over by the HIPAA bus yesterday?  The Omnibus final rule finally landed with a crunch last night.  If you check out #HIPAAbus, you'll see my notes from my blaze through with page numbers.  My notes are below.  I haven't actually read the rule, yet, just the commentary up through the start of the financial impact assessment (which I nearly always skip).  If you find federal regulation boring, skip to the fun stuff at the end of this post.

The new rule modifies the HIPAA Privacy & Security Rules to implement HITECH, strengthens privacy protections under GINA, makes other changes to simplify things for regulated entities, and modifies the Breach Notification Rule to address public comments.

The final rule is effective March 26, 2013; affected parties (covered entities and their business associates) must comply by September 22, 2013.  Existing BA contracts can remain in force until September 22, 2014 with certain provisions.  If modified sooner, those contracts must comply with new rules.  A 180-day period for compliance will become the norm for similar future regulation (unless exceptions are necessary).

Privacy and Security

Business Associates

  • Business associates now include patient safety organizations.
  • Health Information Organizations, e-Prescribing gateways, and PHR providers are now business associates. A PHR provider is only considered to be a BA with respect to the covered entities on whose behalf it is providing services.  While the requirements of a BA are contagious to other associates of a BA with respect to HIPAA, a covered entity need not have an agreement with those associates.
  • The rule delegates to the BA the responsibility for obtaining HIPAA assurances from those other associates.
  • BAs include entities that create, receive, maintain or transmit PHI on behalf of a covered entity.
  • Business associates are subject to direct civil penalties with respect to enforcement.

Making life easier for Patients and Family

  • Covered entities may disclose immunization status to schools with the parent's documented agreement; no signature is required.
  • Family members & caregivers are permitted access to a deceased person's records unless that person's prior expression to the contrary is known.
  • A patient who pays for care out of pocket can restrict information about that care from being shared with the payer or its associates, without any exception.  This is a right, not a request that can be denied.

ABBI Rules

There was a chunk of stuff starting around page 263 and ending around 277 that I found to be very enabling for the ABBI project.
  • When an EHR is available, the individual has a right to have an electronic copy transmitted to the individual's designee.
  • If the patient has been notified of the risk of receiving PHI by unencrypted e-mail and still wants e-mail, they have a right to it.
  • The individual has a right to choose and designate a third-party receiver (person or entity) to whom the PHI is transmitted.
A bunch of stuff popped out as being of some interest: