Addressing New Requirements Under the HIPAA Omnibus Rule: Breach Notification, Marketing using PHI, Sales of PHI, and Clinical Research

On Thursday, January 17, 2013, the Department of Health and Human Services Office for Civil Rights (“HHS”) released in pre-publication form the rule commonly known as the “HIPAA Omnibus Rule.” Later published in the Federal Register on January 25, 2013, the HIPAA Omnibus Rule codifies:

i. changes in the notice of proposed rulemaking (“NPRM”) entitled, “Modifications to the HIPAA Privacy, Security, and Enforcement Rules under the Health Information Technology for Economic and Clinical Health Act” (“HITECH”), published on July 14, 2010, with some modifications,
ii. changes in the Interim Final Breach Notification Rule (the “Interim Breach Rule”), published on August 24, 2009, with some modifications, and
iii. the changes previously proposed to HIPAA under the Genetic Information Nondiscrimination Act (“GINA”).
The HIPAA Omnibus Rule will be effective on March 26, 2013. Covered entities and business associates must comply with most requirements within 180 days, or by September 23, 2013.

This presentation will discuss the new requirements under the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules. In particular, the presentation will be oriented toward steps covered entities and business associates should undertake to meet the heightened requirements for breach notification, marketing practices, sale of protected health information, business associate and subcontractor arrangements, and notices of privacy practices. The presentation explored changes to research and clinical trial requirements, as well as new approaches to hybrid entities and liability issues.