As NASL reported earlier this month, HHS published a final omnibus rule to improve patient protections established under the Health Insurance Portability & Accountability Act of 1996 (HIPAA) in the Federal Register on January 25, 2013. The 563-page final omnibus rule modifies four HIPAA rules, including: HIPAA Privacy & Security Rules mandated in the Health Information Technology for Economic & Clinical Health (HITECH) Act enacted as part of the American Recovery & Reinvestment Act (ARRA) as well as the Genetic Information Nondiscrimination Act of 2008 (GINA). 

In a press release announcing the rules, HHS Secretary Kathleen Sebelius explained that the rules expand patients’ rights, such as allowing patients to request copies of their electronic medical records. The rule streamlines patients’ ability to authorize the use of their health information for research purposes and limit show patient information can be used for marketing purposes. The rule also clarifies when a breach regarding health information must be reported to HHS. There are increased penalties for non-compliance based on the level of negligence with a maximum penalty of $1.5 million per violation. In addition, the requirements that covered entities have followed in safeguarding patient health information will extend to business associates that receive protected health information (i.e., contractors and subcontractors of covered entities that receive protected health information). Additional information will be posted on NASL's Members Only site.