2011 Privacy, Security Regulatory Outlook
HIPAA Modifications, HITECH Breach Rule Update at Top of List
Regulators have been mostly tight-lipped about their regulatory agenda for 2011. But at a recent meeting, one official said the final version of the HITECH breach notification rule, as well as modifications to HIPAA privacy, security and enforcement rules, would be issued at the same time next year. That update came from Adam Greene, senior health information technology and privacy specialist at the Department of Health and Human Services' Office for Civil Rights, which is crafting the two rules.
In its semi-annual regulatory agenda, HHS indicated it plans to issue the final HIPAA modifications in March 2011. No other regulations related to privacy or security showed up on this agenda.
HITECH called for the HIPAA modifications to be final by February 2010, but a preliminary modification proposal was not issued until July. The proposed modifications would, among other things, extend applicability to business associates -- companies that do business with healthcare organizations and have access to patient information -- as well as their subcontractors. The modifications also would formalize the higher penalties for violations and require that organizations provide electronic copies of records to patients upon request.
In light of Greene's comments, some observers speculate that the final version of the breach notification rule might be included within the HIPAA modifications.
Breach Notification Rule
The interim final version of the breach notification rule has proven controversial because it includes a "harm standard."
Under the harm standard, healthcare organizations are allowed to conduct a risk assessment to determine whether a particular breach incident represents significant potential harm and thus merits reporting. Several members of Congress, and many consumer advocacy groups, have called for eliminating this provision and requiring that all breaches be reported.
Federal officials yanked a proposed final version of the rule earlier this year, leading many to speculate that the harm standard would be modified or eliminated. But attorney Kathy Roe of the Health Law Consultancy says regulators likely will refine, rather than eliminate, the harm standard because healthcare organizations already face a number of other compliance burdens under HITECH.
"I think where the Office for Civil Rights may go is to try to refine how organizations would go about making the business judgment as to whether or not there has been a significant risk of harm," she says. "That would keep the federal standard more in line with many state standards for breach notification."
A number of organizations, including the American Health Information Management Association, have endorsed the refinement approach. Those organizations argue that "if you give notice for every breach, you're likely giving notice in many instances where there really isn't a cause for concern," Roe explains.
HIPAA Enforcement
HITECH set much higher penalties for violating HIPAA and called for ramping up enforcement of the privacy and security rules. For example, it mandated HIPAA compliance audits and gave state attorneys general the power to file federal civil suits for HIPAA violations.
Earlier this year, the Office for Civil Rights hired Booz Allen Hamilton to create a game plan for the auditing program. This month, Greene said the office was "considering different audit models." He noted: "There are more than 1 million covered entities and business associates, so it's a challenge." He declined to reveal a timeline for the audits or any details.
An OCR spokesman told HealthcareInfoSecurity.com that a HITECH-mandated training program for state attorneys general will begin early in the new year. So far, only the Connecticut attorney general has filed a HIPAA civil suit using the new powers under the HITECH Act.
But Roe wonders whether enforcement efforts will intensify any time soon. "I have real questions as to how significant an increase there will be in enforcement activities when I consider the economics required for enforcement," she says, pointing to budgetary woes at the federal and state levels.
With complex federal health reform in the works, as well as the HITECH electronic health record incentive program, among other efforts, "You have to really wonder whether there are enough dollars and enough people to see a notable increase in enforcement activity," Roe says. She predicts that ramped-up enforcement, as well as other overdue HITECH regulatory activity, won't kick in at least until after the HIPAA modifications and the breach rule are completed.
Nevertheless, Roe advises hospitals, clinics and other healthcare organizations to take the necessary steps to not only comply with HIPAA, but also to assure patients that their information will remain secure. And a key component of that effort, she says, is staff training.
Other Privacy and Security Action
In addition to the HIPAA modifications, the breach notification rule updates, the HIPAA audit program and the attorneys general training, the Office for Civil Rights still has on its to-do list the creation of a provision to modify the HIPAA privacy rule's accounting of disclosures guidelines.
That new provision will spell out how hospitals, clinics and others must disclose to patients that an electronic health record has been shared with those outside the organization that created the record.
Meanwhile, the HHS Office of the National Coordinator for Health IT, headed by David Blumenthal, M.D., is working on a long list of other HITECH-mandated provisions, including:
- A report to Congress, in collaboration with the Federal Trade Commission, on the privacy and security requirements for personal health records vendors, which generally are not covered by HIPAA.
- A final rule for certifying that EHR software qualifies for the HITECH incentive program, replacing the temporary EHR certification rule.
- Stage 2 "meaningful use" requirements for the Medicare and Medicaid electronic health record incentive program. HITECH mandates those requirements be completed by the end of 2011. ONC is seeking comments on a presidential commission's recommendation that EHRs use extensible markup language to ease the transfer of health information while maintaining privacy. It then will consider whether to include XML in the next round of requirements.
- An NHIN governance rule, establishing ways to confirm that health information organizations, which run health information exchanges, and others are properly using the Nationwide Health Information Network standards.
- Potential rules and regulations to carry out the recommendations of the Privacy & Security Tiger Team regarding health information exchange. The team's recommendations address such issues as obtaining patient consent for exchanging information and authentication of organizations' identities, among others.
- Guidance on "minimum necessary" standards. The HITECH Act specifies that covered entities should limit uses and disclosures of personal health information to the "minimum necessary" to conduct a particular function.
Privacy of Research Data
In addition, ONC and OCR are slated to collaborate on a report addressing de-identification of protected health information for use in research. Their joint report will recommend whether the HIPAA guidelines for de-identified health information should be updated.
Under the HIPAA privacy rule "safe harbor" for de-identification, 18 common identifiers must be stripped out of data for it to qualify as de-identified so it can be shared for research and certain other purposes. The two agencies are "exploring additional potential ways" to render health information unreadable, Joy Pritts, the ONC's chief privacy officer, said at a recent meeting.
In February, ONC will make available a security awareness video for healthcare organizations, Pritts said. Also in the works is a security assessment tool to help organizations perform a risk assessment, as required under HIPAA and the HITECH EHR incentive program.
And the Office for Civil Rights will offer consumers various training materials about their privacy rights, including videos, Greene added. The office also plans six "community discussions" in 2011 on electronic health records, privacy and security.