End Summertime Blues: Release RegsIt's Time to Move Forward on Privacy, Security Policies
This has been a summer of uncertainty for healthcare organizations awaiting final regulations that affect their data privacy and security policies and procedures. I'm hoping that in the coming weeks, regulators will release all the pending rules and carefully coordinate the compliance deadlines so that meeting the requirements is an achievable task.Among pending regulations that await final approval by the White House's Office of Management and Budget - the final step before publication - are:
- Two rules for stage two of the HITECH Act's electronic health record incentive program. These include a software certification rule, spelling out standards for EHR applications, including encryption capability, and a meaningful use rule, establishing requirements that hospitals and physicians must meet to earn more incentive dollars. The requirements include conducting a risk assessment that addresses the encryption/security of data at rest.
- A long-delayed omnibus packageof regulations. The package includes modifications to the HIPAA privacy, security and enforcement rules, as well as the breach notification rule. It also includes a measure spelling out that using genetic information for insurance underwriting purposes is a privacy violation as well as discriminatory under the Genetic Information Non-Discrimination Act. In late June, OMB said it was extending its latest review of this package.
We hope the rules come out closely together. Vendors need to know what do to; providers need to know what to do.
ICD-10 conversion projects could wind up competing for resources that healthcare organizations could allocate to HIPAA and HITECH compliance - not to mention preparing for the rollout of healthcare reform under the Affordable Care Act.
Federal officials have said they expect all the regulations to be published in the Federal Register by the end of summer. But it remains to be seen whether OMB will enable that to happen.
Hurry Up and Wait
Until all these regulations are finalized, healthcare organizations - and the technology vendors that serve them - are left to wonder how to proceed with compliance plans, especially because the regulations present multiple priorities to juggle, often with short deadlines, says Dan Rode, vice president of advocacy and policy at the American Health Information Management Association.
"We hope they come out closely together. Vendors need to know what do to; providers need to know what to do," he says.
For instance, Rode points out that the proposed Stage 2 meaningful use rule includes provisions on how to give patients access to their records. Until that rule is finalized, software vendors and providers are in limbo about how to proceed.
While the summer months can be lazy and slow for many, it's been a time of wait and see for nervous healthcare entities awaiting important new regulations. Hopefully, the feds will release these regulations soon, giving hospitals, physicians and others ample time to comply without a lot of chaos or continued doubt.