2013 Healthcare Regulatory Outlook
Overdue HIPAA Modifications Top the List
Also pending is an accounting of disclosures rule that, in early draft form, called for providing patients, upon request, with reports listing everyone who accessed their electronic health information. Plus, rules for Stage 3 of the HITECH Act electronic health record incentive program, which begins in 2016, are in development.
Leon Rodriguez, director of the Office for Civil Rights, the unit of the Department of Health and Human Services responsible for crafting the omnibus package, said in an early December interview with HealthcareInfoSecurity, "We're hopeful that we'll be in a position to issue it soon." The Office of Management and Budget has been reviewing the regulations since March. OMB review is the final step before a regulation is published.
As proposed, the HIPAA omnibus package includes:
- A final version of the HIPAA breach notification rule. An interim final version has been in effect since September 2009. OCR officials have indicated the final version will include more guidance on when a breach has to be reported.
- Extensive HIPAA modifications, including changes to the privacy, security and enforcement rules. Among the changes: Applying many security requirements to business associates and their subcontractors.
- A rule spelling out that using genetic information for insurance underwriting purposes is a privacy violation, as well as discriminatory, under the Genetic Information Non-Discrimination Act.
Accounting of Disclosures
Another much anticipated regulation is the accounting of disclosures rule. A notice of proposed rulemaking included a controversial requirement to provide patients, upon request, with reports listing everyone who accessed their electronic health information.
Regarding the access reports, health data security and privacy attorney Lisa Sotto said in a recent interview with HealthcareInfoSecurity, "It's complex and confusing and would impose a substantial, costly technological burden on covered entities." Sotto is managing partner of the New York office of Hunton & Williams LLP.
OCR's Rodriguez said in early December that his agency is still evaluating a large volume of comments received on the proposed rule, but he gave no timeline on when the regulation would be finalized.
HITECH Stage 3
In addition to the omnibus package and accounting of disclosure rules from OCR, next year will see continued development of rules spelling out requirements for Stage 3 of the HITECH Act electronic health record incentive program. The Office of the National Coordinator for Health IT, which is also a unit of the Department of Health and Human Services, is developing the rules.
For Stage 3, ONC will publish an updated meaningful use rule, spelling out requirements for how hospitals and physicians must use EHRs to earn additional incentives, as well as a software certification rule, outlining the required functions of EHR software that qualifies for the program.
"We have not yet laid out a timeline for Stage 3 in terms of publication dates for proposed or final rules," says an ONC spokesman. "We expect to propose the rule next winter - in the end of 2013 - and the final rule in the summer of 2014."
Federal advisers are collecting public feedback through January 14 on a request for comment on preliminary recommendations from the HIT Policy Committee for Stage 3 requirements (see: Feedback on HITECH Stage 3 Rule Sought).
Among the preliminary privacy and security Stage 3 recommendations for which ONC is seeking comment is a proposal that healthcare providers attest to implementing HIPAA Security Rule provisions regarding staff training.
Other Pending Regulations
Former OCR official Adam Greene, a partner at the law firm Davis Wright Tremaine LLC, advises healthcare organizations to be on the lookout for other potential regulations in 2013, including:
- Rules for distributing HIPAA settlements and penalties to harmed individuals. "I'm not optimistic that we will see those in 2013, but they could have a potentially large impact by incentivizing individuals to complain to HHS based on the prospect, however remote, that their complaint will lead to a settlement or fine for which they receive a percentage," he says. The regulations could also result in setting precedent as to who is a "harmed individual" with respect to privacy, which could be adopted by states in considering privacy class action suits, he says.
- Regulations finalizing changes to the Clinical Laboratory Improvement Amendments and HIPAA. These changes would provide individuals with the right to obtain their lab results directly from labs, rather than having to go through their physicians. "Right now, the right to receive lab results directly from the lab differs from state to state. By making the law uniform, it will provide greater flexibility to labs to directly send lab results to patients electronically," Greene says.
- Proposed regulations on human subject research protections. A notice of proposed rulemaking was issued this year. Next up would be a proposed rule. "The rules, when finalized, may change the privacy and security obligations pertaining to human subject research, potentially creating HIPAA-like privacy and security requirements for such research," he says.
In addition to those regulations, Sotto also predicts that several states could change their privacy and security regulations in the year ahead. Texas enacted privacy laws in September that are broader than HIPAA, she notes.