ii. Summary of Major Provisions
This omnibus final rule is comprised of the following four final rules:
1. Final modifications to the HIPAA Privacy, Security, and Enforcement Rules
mandated by the Health Information Technology for Economic and Clinical
Health (HITECH) Act, and certain other modifications to improve the Rules,
which were issued as a proposed rule on July 14, 2010. These modifications:
- Make business associates of covered entities directly liable for compliance
  with certain of the HIPAA Privacy and Security Rules' requirements.
- Strengthen the limitations on the use and disclosure of protected health
  information for marketing and fundraising purposes, and prohibit the sale of
  protected health information without individual authorization.
- Expand individuals' rights to receive electronic copies of their health
  information and to restrict disclosures to a health plan concerning treatment
  for which the individual has paid out of pocket in full.
- Require modifications to, and redistribution of, a covered entity's notice of
- Modify the individual authorization and other requirements to facilitate
  research and disclosure of child immunization proof to schools, and to enable
  access to decedent information by family members or others.
- Adopt the additional HITECH Act enhancements to the Enforcement Rule not
  previously adopted in the October 30, 2009, interim final rule (referenced
  immediately below), such as the provisions addressing enforcement of
  noncompliance with the HIPAA Rules due to willful neglect.
2. Final rule adopting changes to the HIPAA Enforcement Rule to incorporate the
increased and tiered civil money penalty structure provided by the HITECH Act,
originally published as an interim final rule on October 30, 2009.
3. Final rule on Breach Notification for Unsecured Protected Health Information
under the HITECH Act, which replaces the breach notification rule's "harm"
threshold with a more objective standard and supplants an interim final rule
published on August 24, 2009.
4. Final rule modifying the HIPAA Privacy Rule as required by the Genetic
Information Nondiscrimination Act (GINA) to prohibit most health plans from
using or disclosing genetic information for underwriting purposes, which was
published as a proposed rule on October 7, 2009.
You can read the whole 563 pages if you like at