Benefits and Compensation

Final HITECH Omnibus Rules Tighten Breach Notification

The HITECH Act is now here in full. The whole litany of tighter privacy and security requirements is in the long-awaited, long-delayed “omnibus” rules finalized Jan. 17 by the U.S. Department of Health and Human Services, and most of these will have to be met by this Sept. 23.

The omnibus rules also include changes to the HITECH breach notification rules that have been in place, in interim final form, since 2009. As many suspected, HHS tightened the controversial “risk of harm” standard for determining what is a “breach” requiring notice to affected individuals.

The final rules do stop short of “requiring notification for all impermissible uses and disclosures without any assessment of risk,” as some privacy advocates had urged. But such a disclosure will be presumed to be a breach unless the health plan or other entity can demonstrate “a low probability that the protected health information has been compromised.”

The rules showed up in the Jan. 25 Federal Register, with an effective date of March 26. The compliance deadline for most of the rules is Sept. 23, 2013, except that covered entities have until Sept. 23, 2014, to reopen and amend all their contracts with business associates.

The sweeping new rules, and all their implications for plan sponsors, are detailed in the Employer’s Guide to HIPAA Privacy Requirements.