Federal Register / Vol. 78, No. 17 / Friday, January 25, 2013 / Rules and Regulations

Part II

Department of Health and Human Services
Office of the Secretary

45 CFR Parts 160 and 164

RIN 0945-AA03

Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules

AGENCY: Office for Civil Rights, Department of Health and Human Services.

ACTION: Final rule.

SUMMARY: The Department of Health and Human Services (HHS or "the Department") is issuing this final rule to: Modify the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Enforcement Rules to implement statutory amendments under the Health Information Technology for Economic and Clinical Health Act ("the HITECH Act" or "the Act") to strengthen the privacy and security protection for individuals' health information; modify the rule for Breach Notification for Unsecured Protected Health Information (Breach Notification Rule) under the HITECH Act to address public comment received on the interim final rule; modify the HIPAA Privacy Rule to strengthen the privacy protections for genetic information by implementing section 105 of Title I of the Genetic Information Nondiscrimination Act of 2008 (GINA); and make certain other modifications to the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules (the HIPAA Rules) to improve their workability and effectiveness and to increase flexibility for and decrease burden on the regulated entities.

DATES: Effective date: This final rule is effective on March 26, 2013.

Compliance date: Covered entities and business associates must comply with the applicable requirements of this final rule by September 23, 2013.

FOR FURTHER INFORMATION CONTACT: Andra Wicks, 202-205-2292.

SUPPLEMENTARY INFORMATION:

I. Executive Summary and Background

A. Executive Summary

i. Purpose of the Regulatory Action

Need for the Regulatory Action

This final rule is needed to strengthen the privacy and security protections established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) for individuals' health information maintained in electronic health records and other formats. This final rule also makes changes to the HIPAA Rules that are designed to increase flexibility for and decrease burden on the regulated entities, as well as to harmonize certain requirements with those under the Department's Human Subjects Protections regulations. These changes are consistent with, and arise in part from, the Department's obligations under Executive Order 13563 to conduct a retrospective review of our existing regulations for the purpose of identifying ways to reduce costs and increase flexibilities under the HIPAA Rules. We discuss our specific burden reduction efforts more fully in the Regulatory Impact Analysis.

This final rule is comprised of four final rules, which have been combined to reduce the impact and number of times certain compliance activities need to be undertaken by the regulated entities.

Legal Authority for the Regulatory Action

The final rule implements changes to the HIPAA Rules under a number of authorities. First, the final rule modifies the Privacy, Security, and Enforcement Rules to strengthen privacy and security protections for health information and to improve enforcement as provided for by the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA). The rule also includes final modifications to the Breach Notification Rule, which will replace an interim final rule originally published in 2009 as required by the HITECH Act. Second, the final rule revises the HIPAA Privacy Rule to increase privacy protections for genetic information as required by the Genetic Information Nondiscrimination Act of 2008 (GINA). Finally, the Department uses its general authority under HIPAA to make a number of changes to the Rules that are intended to increase workability and flexibility, decrease burden, and better harmonize the requirements with those under other Departmental regulations.

ii. Summary of Major Provisions

This omnibus final rule is comprised of the following four final rules:

1. Final modifications to the HIPAA Privacy, Security, and Enforcement Rules mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act, and certain other modifications to improve the Rules, which were issued as a proposed rule on July 14, 2010. These modifications:

• Make business associates of covered entities directly liable for compliance with certain of the HIPAA Privacy and Security Rules' requirements.

• Strengthen the limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibit the sale of protected health information without individual authorization.

• Expand individuals' rights to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full.

• Require modifications to, and redistribution of, a covered entity's notice of privacy practices.

• Modify the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools, and to enable access to decedent information by family members or others.

• Adopt the additional HITECH Act enhancements to the Enforcement Rule not previously adopted in the October 30, 2009, interim final rule (referenced immediately below), such as the provisions addressing enforcement of noncompliance with the HIPAA Rules due to willful neglect.

2. Final rule adopting changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act, originally published as an interim final rule on October 30, 2009.

3. Final rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act, which replaces the breach notification rule's "harm" threshold with a more objective standard and supplants an interim final rule published on August 24, 2009.

4. Final rule modifying the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA) to prohibit most health plans from using or disclosing genetic information for underwriting purposes, which was published as a proposed rule on October 7, 2009.

iii. Costs and Benefits

This final rule is anticipated to have an annual effect on the economy of $100 million or more, making it an economically significant rule under Executive Order 12866. Accordingly, we have prepared a Regulatory Impact Analysis that presents the estimated costs and benefits of the proposed rule. The total cost of compliance with the rule's provisions is estimated to be between $114 million and $ million in the first year of implementation and approximately $ million annually thereafter. Costs associated with the rule include: (i) costs to HIPAA covered entities of revising and distributing new notices of privacy practices to inform individuals of their rights and how their information is protected; (ii) costs to covered entities related to compliance with breach notification requirements; (iii) costs to a portion of business associates to bring their subcontracts into compliance with business associate agreement requirements; and (iv) costs to a portion of business associates to achieve full compliance with the Security Rule. We summarize these costs in Table 1 below and explain the components and distribution of costs in detail in the Regulatory Impact Analysis.

We are not able to quantify the benefits of the rule due to lack of data and the impossibility of monetizing the value of individuals' privacy and dignity, which we believe will be enhanced by the strengthened privacy and security protections, expanded individual rights, and improved enforcement enabled by the rule. We also believe that some entities affected by the rule will realize cost savings as a result of provisions that simplify and streamline certain requirements, and increase flexibility, under the HIPAA Rules. However, we are unable to quantify such cost savings due to a lack of data. We describe such benefits in the Regulatory Impact Analysis.

TABLE 1. ESTIMATED COSTS OF THE FINAL RULE

Cost element | Approximate number of affected entities | Total cost
Notices of Privacy Practices | 700,000 covered entities | $ million
Breach Notification Requirements | 19,000 covered entities |
Business Associate Agreements | 250,000 to 500,000 business associates of covered entities | 21 million to 42 million
Security Rule Compliance by Business Associates | 200,000 to 400,000 business associates of covered entities | million to 113 million
Total | | 114 million to million

B. Statutory and Regulatory Background

i.

"covered entities": health care providers who conduct covered health care

with their business associates that provide satisfactory assurances that the