Newly-Released HIPAA Omnibus Rule Modifies Privacy, Security and Breach Notification Requirements

Authors: Robert D. Belfort | Anne Karl | Karen Y. Lam | Emily Lee 

On January 17, 2013, the Office of Civil Rights of the U.S. Department of Health and Human Services issued a long-awaited omnibus rule (the "Omnibus Rule"), which modifies a wide range of privacy, security and breach notification requirements under the Health Insurance Portability and Accountability Act ("HIPAA").  The Omnibus Rule, among other things:

• Replaces the controversial "risk of harm" standard for determining whether a reportable data breach has occurred with a new test focused on whether data has been "compromised."
• Extends the reach of HIPAA to business associates.
• Tightens restrictions on the use of protected health information ("PHI") for marketing purposes.
• Gives non-profit organizations greater leeway in using clinical information for fundraising.
• Provides greater flexibility for researchers seeking to obtain patient authorization for the use of PHI for research.
• Integrates protections governing genetic information established under other laws.
• Enhances patients' electronic access to their medical records.

A new article authored by Robert Belfort, Anne O'Hagen Karl, Karen Lam and Emily Lee and published in Bloomberg BNA Health IT Law & Industry Report highlights the new requirements for healthcare providers, health plans and other covered entities under the Omnibus Rule and discusses how privacy and security policies, privacy notices and business associate contracts must be revised to come into compliance. 

To read the full article, click here.

To help interpret the Omnibus Rule and its implications for the healthcare industry, Manatt partners Robert Belfort and Helen Pfister will lead a complimentary webinar discussion on February 12, 2013 at 2:00 pm Eastern.  Registration details will be distributed shortly.