March Target for HIPAA Modifications

HHS Office for Civil Rights Clarifies Its Regulatory Goals

By , February 15, 2012.
March Target for HIPAA Modifications

The Department of Health and Human Services' Office for Civil Rights has set a March target date for release of the long-delayed final version of Health Insurance Portability and Accountability Act modifications and the HIPAA breach notification rule.

See Also: Automate and Standardize your IAM to Radically Reduce Risk

Although an HHS semi-annual regulatory agenda published Feb. 13 in the Federal Register did not mention these regulations, a January "unified agenda" document, with far more details, shows a March target date, notes Susan McAndrew, OCR's deputy director for health information privacy.

The HHS regulatory agenda sets target dates, which, historically, aren't necessarily met. And the rules don't yet appear on the list of regulations under review by the Office of Management and Budget. OMB review is the final step before publishing a rule in the Federal Register.

"OCR is making every effort to publish the final rules on all of the remaining HITECH Act provisions so these important protections and expansions of individual rights under the HIPAA privacy and security rules can be made available uniformly to consumers across the country," McAndrew told HealthcareInfoSecurity. "OCR is proceeding with all deliberate speed to ensure the major impacts of these regulations are fully understood and addressed."

In mid-2010, OCR issued a proposed version of the HIPAA modifications, which would, among other things, require business associates to comply. An interim final version of the HIPAA breach notification rule is now in effect until the final version is released. OCR submitted a final version for review by the Office of Management and Budget in 2010 and then withdrew it (see: Final Breach Notification Rule on Hold). It's been on hold ever since.

The interim final version of the breach rule contains a controversial harm standard that enables organizations to conduct a risk assessment to determine whether a breach represents a significant risk of harm to individuals and thus merits reporting.

The January unified agenda document also lists a June target date for OCR's release of a final version of the Accounting of Disclosures Rule. The proposed version of this rule contained a controversial provision that calls for providing patients with an "access report" listing everyone who's electronically accessed their records.

In the Feb. 13 regulatory agenda, the HHS Office of the National Coordinator for Health IT announced plans to release in February proposed guidelines for Stage 2 of the HITECH electronic health record incentive program. Those guidelines are expected to include beefed-up privacy and security provisions.

OCR Budget Cuts

President Obama's proposed fiscal 2013 budget includes a 5 percent cut in spending for OCR. The HHS budget contends that "process improvements and administrative efficiencies" are enabling the office to operate on a slimmer budget (see: Budget Cut Would Hit HIPAA Enforcer).

OCR recently launched a HIPAA compliance audit program for 2012 that McAndrew acknowledges is funded by the HITECH Act, part of the economic stimulus package, and not the HHS budget. Asked whether there will be HITECH funding available for more audits after 2012, she notes, "There may be residual funds available in the following year for the evaluation step of the pilot program."

Regarding the impact of the budget cut on OCR's HIPAA enforcement activities, McAndrew says, "OCR's posture with respect to pursuing enforcement and compliance is aggressive because entities need to be aware that there are costs associated with non-compliance. It has been some time now that the HIPAA privacy and security rules have been in effect, and it should be clear to covered entities that there are penalties associated with failing to comply with the rules."

Follow Howard Anderson on Twitter: @HealthInfoSec

  • Print
  • Tweet Like LinkedIn share
Get permission to license our content for reuse in a myriad of ways.
ARTICLE Windows Warning: Zero-Day Attack

Almost all versions of Windows are vulnerable to an OLE flaw that is being actively exploited in...

Latest Tweets and Mentions

ARTICLE Windows Warning: Zero-Day Attack

Almost all versions of Windows are vulnerable to an OLE flaw that is being actively exploited in...

The ISMG Network