CHA News Article

HHS Releases Final Rule on HIPAA and HITECH
CHA to prepare summary that includes impact on California laws

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has released the long-awaited final rule modifying existing HIPAA privacy regulations and implementing the Health Information Technology for Economic and Clinical Health Act. The rule will become effective March 26; however, OCR has indicated it will not enforce the new provisions until Sept. 23. Existing business associate agreements do not need to be modified until Sept. 23, 2014, or their next amendment date, whichever comes first. 

The rule addresses:

  • Definitions of terms.
  • Business associate requirements.
  • Expanded breach notification requirements.
  • Use of protected health information (PHI) for marketing and fundraising.
  • Disclosure of immunization PHI to schools.
  • Sale of PHI.
  • Patients’ rights to request nondisclosure of PHI to a payer if the patient paid out of pocket for the service.
  • Patient access to electronic PHI.
  • Content of the Notice of Privacy Practices.
  • Authorization to use/disclose PHI for research.
  • Privacy rights of decedent’s PHI.
  • Genetic information privacy.
  • OCR enforcement policies.

The rule, attached, does not address accounting for disclosure from an electronic health record or a penalty distribution methodology. These will be subjects for future rulemaking.

CHA is preparing a summary of the final rule that will clarify how it affects similar California health information privacy law provisions. In addition, CHA will schedule educational seminars to explain the new rule and its implications. Finally, CHA will update the California Health Information Privacy Manual and sample forms to reflect the new requirements.