On March 26, 2012, the U.S. Department of Health and Human Services announced that several final HIPAA rules have been sent to the White House Office of Management and Budget (“OMB”) for final review. The Office for Civil Rights Deputy Director for Health Information announced that the OMB review process is expected to take 90 days. Once the review is complete, the rules could become final.
The omnibus rule will include the following:
- The final breach notification rule;
- The final HIPAA enforcement rule;
- The final rule implementing the HIPAA privacy and security changes that were mandated by the HITECH Act; and
- The final rule implementing HIPAA changes made by the Genetic Information Nondiscrimination Act (GINA).
The Office for Civil Rights also announced that it would be issuing guidance in the coming months to address certain provisions in the rule, including how to de-identify data and how to define “minimum necessary.”
Based on the proposed rules, it is anticipated that following the final rule, covered entities and business associates will be required to revise their Notice of Privacy Practices and Business Associate Agreements, as well as many of their HIPAA privacy and security policies.