HHS Issues Final HIPAA Omnibus Rule
HEALTHCARE PRIVACY—U.S.January 18, 2013
The U.S. Department of Health and Human Services (HHS) yesterday prepublished its highly anticipated modifications to the HIPAA Privacy and Security rules. HHS Secretary Kathleen Sebelius said, “The new rule will help protect patient privacy and safeguard patients’ health information in an ever-expanding digital age.” The rule specifies when data breaches must be reported to the Office for Civil Rights (OCR), sets new requirements for use of personal health information in marketing and fundraising and expands direct liability to “business associates” of HIPAA-covered entities. OCR Director Leon Rodriguez said the changes “enhance a patient’s privacy rights” and strengthen "the ability of my office to vigorously enforce” the HIPAA privacy and security rules. In this exclusive for The Privacy Advisor, George Washington Law School Prof. Daniel Solove and Center for Democracy & Technology Health Privacy Project Director Deven McGraw comment on the release.