2013-13472. Technical Corrections to the HIPAA Privacy, Security, and Enforcement Rules  

  • Start Preamble

    AGENCY:

    Office for Civil Rights, Department of Health and Human Services.

    ACTION:

    Final rule.

    SUMMARY:

    These technical corrections address certain inadvertent errors and omissions in the HIPAA Privacy, Security, and Enforcement Rules that are located at 45 CFR parts 160 and 164.

    Start Printed Page 34265

    DATES:

    This final rule is effective on June 7, 2013.

    Start Further Info

    FOR FURTHER INFORMATION CONTACT:

    Andra Wicks 202-205-2292.

    End Further Info End Preamble Start Supplemental Information

    SUPPLEMENTARY INFORMATION:

    I. Executive Summary and Background

    On January 25, 2013, the Department of Health and Human Services (HHS or “the Department”) published a final rule to implement changes to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules (“the HIPAA Rules”) pursuant to statutory amendments under the Health Information Technology for Economic and Clinical Health Act (“the HITECH Act”), pursuant to section 105 of Title I of the Genetic Information Nondiscrimination Act of 2008, to address public comment received on the interim final Breach Notification Rule, and to make certain other modifications to the HIPAA Rules to improve their workability and effectiveness and to increase flexibility for and decrease burden on the regulated entities. See 78 FR 5566. Since then, HHS has discovered a number of minor inadvertent errors and omissions in citations, and one typographical error, in several provisions of the HIPAA Rules. As explained below, with one exception, the errors and omissions are related to the modifications made in the final rule published on January 25, 2013. This final rule contains technical corrections to the HIPAA Rules to revise these errors and omissions, which are discussed below.

    II. Discussion of Technical Corrections to 45 CFR Part 160

    a. Section 160.508(c)(5) should be corrected to refer to § 160.410(b)(2)(ii)(B) and 42 U.S.C. 1320d-5(b)(2)(B) instead of § 160.410(b)(3)(ii)(B) and 42 U.S.C. 1320d-5(b)(3)(B), respectively, as § 160.410(b)(3)(ii)(B) and 42 U.S.C. 1320d-5(b)(3)(B) were previously amended and became § 160.410(b)(2)(ii)(B) and 42 U.S.C. 1320d-5(b)(2)(B) as a result. Also, § 160.508(c)(5) should include a reference to § 160.410(c)(2)(ii) after the reference to § 160.410(b)(2)(ii)(B), so that there is a corresponding regulatory reference for the grant of an extension of time pursuant to the Secretary's discretion for violations occurring on or after February 18, 2009, as there is for violations occurring prior to February 18, 2009.

    b. Section 160.548(e) references an affirmative defense by which the Secretary may not impose a civil money penalty on a covered entity if the violation falls under the HIPAA criminal provisions at 42 U.S.C. 1320d-6 and cites § 160.410(b)(1) as the regulatory reference for this affirmative defense. However, § 160.410(b)(1) was changed to be § 160.410(a)(1) and (2). Thus, § 160.548(e) should be corrected to refer to § 160.410(a)(1) or (2) instead of § 160.410(b)(1).

    III. Discussion of Technical Corrections to 45 CFR Part 164

    a. The definition of health care component found at § 164.103 references § 164.105(a)(2)(iii)(C), but that reference should be corrected to be § 164.105(a)(2)(iii)(D), as § 164.105(a)(2)(iii)(D) now contains the hybrid entity designation requirements referenced by the definition of health care component.

    b. The definition of hybrid entity found at § 164.103 references § 164.105(a)(2)(iii)(C), but that reference should be corrected to be § 164.105(a)(2)(iii)(D), as § 164.105(a)(2)(iii)(D) now contains the hybrid entity designation requirements referenced by the definition of hybrid entity.

    c. Section 164.314(a)(1), in discussing business associate contracts or other arrangements, refers to the requirements for such contracts or other arrangements found at § 164.308(b)(4). However, as such requirements were renumbered and are now found at § 164.308(b)(3), § 164.314(a)(1) should be revised to refer to § 164.308(b)(3).

    d. Section 164.512(k)(4)(i) refers to Executive Order (“E.O.”) 12698. However E.O. 12698 discusses pay rate adjustments and is not applicable to the subject of § 164.512(k)(4)(i). The preamble to the 2000 HIPAA Privacy Final Rule refers to E.O. 12968, which discusses classified information and is applicable to the subject of § 164.512(k)(4)(i). See 65 FR 82707. Given that § 164.512(k)(4)(i) relates to uses and disclosures of protected health information to the Department of State to determine medical suitability for the purpose of a required security clearance, as discussed in the preamble to the 2000 Privacy Final Rule, § 164.512(k)(4)(i) should properly refer to E.O. 12968.

    e. Section 164.514(f)(2)(iv), in discussing the implementation specifications for covered entities that make fundraising communications, refers to the requirements to allow an individual to opt out of receiving fundraising communications, and erroneously refers to § 164.514(f)(1)(ii)(B), which does not exist. The proper reference for the opt out requirements is at § 164.514(f)(2)(ii). Accordingly, § 164.514(f)(2)(iv) should be revised to refer to § 164.514(f)(2)(ii).

    f. Section 164.524(c)(4)(iv) describes the summary or explanation allowed by § 164.524(c)(2)(iii), while incorrectly referring to § 164.524(c)(2)(ii), which discusses the form of access requested by an individual. As such, § 164.524(c)(4)(iv) should be revised to refer to § 164.524(c)(2)(iii).

    g. In section 164.532(f), the “[” should be removed before “January 25, 2013” to correct a typographical error.

    IV. Inapplicability of Notice and Delayed Effective Date

    Under the Administrative Procedure Act, an agency may waive the normal notice and comment procedures if it finds, for good cause, that they are impracticable, unnecessary, or contrary to the public interest. The Department has determined that the corrections in this final rule are minor, routine determinations in which the public would not be particularly interested, or about which the public has already been put on notice, given the context of the errors or omissions to be corrected. Therefore, the Department finds that good cause exists for waiving the notice and public comment procedures as unnecessary under 5 U.S.C. 553(b)(B). For the same reasons, pursuant to 5 U.S.C. 553(d)(3), a delayed effective date is not required.

    V. Regulatory Flexibility Act

    Because this document is not subject to the notice and public procedure requirements of 5 U.S.C. 553, it is not subject to the provisions of the Regulatory Flexibility Act (5 U.S.C. 601 et seq.).

    VI. Executive Order 12866

    These technical corrections do not meet the criteria for a “significant regulatory action” as specified in Executive Order 12866, as supplemented by Executive Order 13563.

    Start List of Subjects

    List of Subjects

    45 CFR Part 160

    • Administrative practice and procedure
    • Computer technology
    • Electronic information system
    • Electronic transactions
    • Employer benefit plan
    • Health
    • Health care
    • Health facilities
    • Health insurance
    • Health records
    • Hospitals
    • Investigations
    • Medicaid
    • Medical research
    • Medicare
    • Penalties
    • Privacy
    • Reporting and recordkeeping requirements
    • Security

    45 CFR Part 164

    • Administrative practice and procedure
    • Computer technology,
    End List of Subjects

    For the reasons set forth in the preamble, the Department amends 45 CFR Subtitle A, Subchapter C, parts 160 and 164, as set forth below:

    Start Part

    PART 160—GENERAL ADMINISTRATIVE REQUIREMENTS

    End Part Start Amendment Part

    1. The authority citation for part 160 continues to read as follows:

    End Amendment Part Start Authority

    Authority: 42 U.S.C. 1302(a); 42 U.S.C. 1320d-1320d-9; sec. 264, Pub. L. 104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2 (note)); 5 U.S.C. 552; secs. 13400-13424, Pub. L. 111-5, 123 Stat. 258-279; and sec. 1104 of Pub. L. 111-148, 124 Stat. 146-154.

    End Authority
    [Amended]
    Start Amendment Part

    2. Amend § 160.508(c)(5) by correcting “§ 160.410(b)(3)(ii)(B)” to read “§ 160.410(b)(2)(ii)(B) or (c)(2)(ii)” and by correcting “ 42 U.S.C. 1320d-5(b)(3)(B)” to read “42 U.S.C. 1320d-5(b)(2)(B)”.

    End Amendment Part
    [Amended]
    Start Amendment Part

    3. Amend § 160.548(e) by correcting “§ 160.410(b)(1)” to read “§ 160.410(a)(1) or (2)”.

    End Amendment Part Start Part

    PART 164—SECURITY AND PRIVACY

    End Part Start Amendment Part

    4. The authority citation for part 164 continues to read as follows:

    End Amendment Part Start Authority

    Authority: 42 U.S.C. 1302(a); 42 U.S.C. 1320d-1320d-9; sec. 264, Pub. L. 104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2 (note)); and secs. 13400-13424, Pub. L. 111-5, 123 Stat. 258-279.

    End Authority
    [Amended]
    Start Amendment Part

    5. Amend § 164.103 as follows:

    End Amendment Part Start Amendment Part

    a. In the definition of health care component, by correcting “§ 164.105(a)(2)(iii)(C)” to read “§ 164.105(a)(2)(iii)(D)”.

    End Amendment Part Start Amendment Part

    b. In the definition of hybrid entity, by correcting “§ 164.105(a)(2)(iii)(C)” to read “§ 164.105(a)(2)(iii)(D)”.

    End Amendment Part
    [Amended]
    Start Amendment Part

    6. Amend § 164.314(a)(1) by correcting “§ 164.308(b)(4)” to read “§ 164.308(b)(3)”.

    End Amendment Part
    [Amended]
    Start Amendment Part

    7. Amend § 164.512(k)(4)(i) by correcting “12698” to read “12968”.

    End Amendment Part
    [Amended]
    Start Amendment Part

    8. Amend § 164.514(f)(2)(iv) by correcting “paragraph (f)(1)(ii)(B)” to read “paragraph (f)(2)(ii)”.

    End Amendment Part
    [Amended]
    Start Amendment Part

    9. Amend § 164.524(c)(4)(iv) by correcting “paragraph (c)(2)(ii)” to read “paragraph (c)(2)(iii)”.

    End Amendment Part
    [Amended]
    Start Amendment Part

    10. Amend the introductory text of § 164.532(f) by correcting “[January 25, 2013” to read “January 25, 2013”.

    End Amendment Part Start Signature

    Dated: May 31, 2013.

    Jennifer M. Cannistra,

    Executive Secretary to the Department.

    End Signature End Supplemental Information

    [FR Doc. 2013-13472 Filed 6-6-13; 8:45 am]

    BILLING CODE 4153-01-P

Document Information

Comments Received:
0 Comments
Effective Date:
6/7/2013
Published:
06/07/2013
Department:
Health and Human Services Department
Entry Type:
Rule
Action:
Final rule.
Document Number:
2013-13472
Dates:
This final rule is effective on June 7, 2013.
Pages:
34264-34266 (3 pages)
RINs:
0945-AA03: Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules
RIN Links:
https://www.federalregister.gov/regulations/0945-AA03/modifications-to-the-hipaa-privacy-security-enforcement-and-breach-notification-rules
Topics:
Administrative practice and procedure, Computer technology, Employee benefit plans, Health, Health care, Health facilities, Health insurance, Health records, Hospitals, Investigations, Medicaid, Medical research, Medicare, Penalties, Privacy, Reporting and recordkeeping requirements
PDF File:
2013-13472.pdf
Supporting Documents:
» Patient Protection and Affordable Care Act: Benefit and Payment Parameters for 2022; Updates to State Innovation Waiver Implementing Regulations
» Guidance: Good Guidance Practices; Correction
» National Vaccine Injury Compensation Program: Revisions to the Vaccine Injury Table
» Amendments to the HHS-Operated Risk Adjustment Data Validation Under the Patient Protection and Affordable Care Act's HHS-Operated Risk Adjustment Program
» Transparency in Coverage
» UA: Reg Flex Agenda
» Medicare and Medicaid Programs: CY 2020 Hospital Outpatient PPS Policy Changes and Payment Rates and Ambulatory Surgical Center Payment System Policy Changes and Payment Rates; Price Transparency Requirements for Hospitals to Make Standard Charges Public
» Administrative Simplification: Rescinding the Adoption of the Standard Unique Health Plan Identifier and Other Entity Identifier
» Protecting Statutory Conscience Rights in Health Care; Delegations of Authority
» Patient Protection and Affordable Care Act: Increasing Consumer Choice through the Sale of Individual Health Insurance Coverage Across State Lines Through Health Care Choice Compacts
CFR: (8)
45 CFR 160.508
45 CFR 160.548
45 CFR 164.103
45 CFR 164.314
45 CFR 164.512
More ...