The U.S. Department of Health and Human Services (HHS) released a final rule to expand the Health Insurance Portability and Accountability Act (HIPAA). The effective date of the final rule is March 26, 2013, and covered entities and business associates have 180 days after the effective date to comply with the final rule provisions.

The final rule includes the following provisions:

  1. Updates the definition of “electronic media” to comport with modern and evolving technology
  2. Requires covered entities to obtain authorization from an individual for any disclosure of the individual’s PHI in exchange for direct or indirect remuneration
  3. Grants individuals enhanced rights to receive electronic copies of their PHI and restricts disclosure to a health plan concerning treatment for which the individual pays out of pocket in full
  4. Requires covered entities to change their privacy notices to describe certain uses and disclosures of PHI and to redistribute to patients
  5. Modifies the definition of PHI to not include individually identifiable health information of persons who have been deceased for over 50 years and modifies individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools
  6. Prohibits health plans from using or disclosing genetic information for underwriting purposes, as required by the Genetic Information Nondiscrimination Act