Happy MLK Jr. Day!
On Thursday of last week, the U.S. Department of Health and Human Services announced that it had issued a Final Omnibus Rule modifying HIPAA’s Privacy, Security, Enforcement and Breach Rules and HITECH’s Breach Notification Rule.
Health and Human Services Office for Civil Rights Director, Leon Rodriguez, stated that the modification brings “sweeping changes” to HIPAA’s Privacy and Security Rules. The sweeping changes include, among other things:
– Extension of HIPAA’s provisions to “business associates” and other downstream vendors
– Modifications to permissible marketing activities
– New provisions for potential data breach analysis and notification
– Modifications to an individual’s right to receive his/her PHI
– Restrictions on the use or disclosure of genetic information for underwriting purposes
The Final Rule totals 563 pages. Affected parties should thus be tuned into developments in how the modifications are ultimately interpreted and implemented.
Much attention has been directed to how the Final Rule affects business associates, such as cloud services providers and other third party industry players. But another important modification included in the Final Rule was that made to the Genetic Information Non-Discrimination Act of 2008 (GINA). The modification included confirmation of a “prohibition on using or disclosing protected health information that is genetic information for underwriting purposes to all health plans that are covered entities under the HIPAA Privacy Rule” (there is an exception for certain long term care policies).
Coincidentally (or no?), the day the Final Rule was issued, a team of researchers published an article in Science describing how they were able to identify 50 people using the DNA that they had submitted for research purposes. The researchers made the identification simply by pairing the genetic information from the DNA strands with information from publicly available online tools, such as Google searches and genealogy databases. The New York Times and other media have reported on the Science article.
This development underscores the increasingly important role that genetic information serves in both scientific research and medical care. The updates to GINA included in the Final Rule recognize this trend. It is likely that additional attention will be given to issues of privacy and genetically-sourced information (including PHI) as technology and medical practice develops.