HHS has announced a long-awaited omnibus final rule that implements a number of provisions of the HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, commonly known as the “Stimulus Bill,” to strengthen the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Via HHS Press Release:
The final rule also reduces burden by streamlining individuals’ ability to authorize the use of their health information for research purposes. The rule makes it easier for parents and others to give permission to share proof of a child’s immunization with a school and gives covered entities and business associates up to one year after the 180-day compliance date to modify contracts to comply with the rule.
The final omnibus rule is based on statutory changes under the HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, and the Genetic Information Nondiscrimination Act of 2008 (GINA) which clarifies that genetic information is protected under the HIPAA Privacy Rule and prohibits most health plans from using or disclosing genetic information for underwriting purposes.
The Centers for Medicare & Medicaid Services will postpone the start of HIPAA Transaction Rules compliance enforcement for 90 days, according to a recent announcement.
Today, the Centers for Medicare & Medicaid Services’ Office of E-Health Standards and Services (OESS) announced that to reduce the potential of significant disruption to the health care industry, it will not initiate enforcement action until March 31, 2013, with respect to HIPAA covered entities (including health plans, health care providers, and clearinghouses, as applicable) that are not in compliance with the operating rules adopted for the following transactions as required by the Affordable Care Act: eligibility for a health plan and health care claim status. Notwithstanding OESS’ discretionary application of its enforcement authority, the compliance date for using the operating rules remains January 1, 2013.
Industry feedback suggests that HIPAA covered entities have not reached a threshold whereby a majority of covered entities would be able to be in compliance with the operating rules by January 1, 2013. This enforcement discretion period does not prevent applicable HIPAA covered entities that are prepared to conduct transactions using the adopted operating rules from doing so, and all applicable covered entities are encouraged to determine their readiness to use the operating rules as of January 1, 2013 and expeditiously become compliant. Although enforcement action will not be taken, OESS will accept complaints associated with compliance with the operating rules beginning January 1, 2013. If requested by OESS, covered entities that are the subject of complaints (known as “filed-against entities”) must produce evidence of either compliance or a good faith effort to become compliant with the operating rules during the 90-day period. HHS will continue to work to align the requirements under Section 1104 of the Affordable Care Act to optimize industry’s ability to achieve timely compliance.
OESS is the U.S. Department of Health and Human Services’ (HHS) component that enforces compliance with HIPAA transaction and code set standards, including operating rules, identifiers and other standards required under HIPAA by the Affordable Care Act.
For copies of the operating rules for the eligibility for a health plan and health care claim status transactions, visit the Council for Affordable Quality Healthcare (CAQH) CORE website at http://www.caqh.org. Links to information on the operating rules for eligibility for a health plan and health care claim status are available at http://www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/Affordable-Care-Act/OperatingRulesforEligibilityandClaimsStatus.html