In the most significant rewrite of HIPAA since the law was enacted, the Department of Health and Human Services (HHS) issued omnibus HIPAA regulations that will require substantial operational changes for HIPAA covered entities and their business associates. Here are ten important changes:
  • Changes to the data breach rule will make more incidents reportable.
  • Business associates are directly liable for HIPAA violations and business associate agreements must be modified.
  • HIPAA enforcement is moving toward a penalty-based system and away from voluntary compliance.
  • Patients have enhanced rights to electronic copies of records and some patient requests for restrictions must be honored.
  • HIPAA notices of privacy practices need to be revised.
  • The marketing rules require individual authorization for subsidized treatment communications.
  • Researchers can obtain permission to use data for future unspecified research.
  • Fundraising provisions expand the permissible use of patient data to target appeals.
  • Privacy Rule protections expire for persons deceased for more than 50 years.
  • Compliance with most of the new requirements will be required on September 23, 2013.


Researchers can obtain permission to use data for future unspecified research
HHS modified its previously held interpretation that an authorization for the use or disclosure of PHI for research must be study specific. Under the new rule, an authorization may permit future research provided that the future research is adequately described such that the individual has a reasonable expectation that his/her PHI could be used or disclosed for such future research. In addition, covered entities will be permitted to combine conditioned and unconditioned authorizations for research (e.g., authorization for research activities where treatment is conditioned on signing the authorization and activities where treatment is not conditioned on signing the authorization), provided that the authorization (i) clearly differentiates between the conditioned and unconditioned research components, and (ii) provides the individual with the opportunity to “opt-in” to the unconditioned research activities. HHS gives covered entities, research institutions, and institutional review boards discretion in determining how to differentiate the conditioned and unconditioned research activities and does not prescribe a particular format.