Safe & Sound with Marianne Kolbasuk McGee

End Summertime Blues: Release Regs

It's Time to Move Forward on Privacy, Security Policies

This has been a summer of uncertainty for healthcare organizations awaiting final regulations that affect their data privacy and security policies and procedures. I'm hoping that in the coming weeks, regulators will release all the pending rules and carefully coordinate the compliance deadlines so that meeting the requirements is an achievable task.

Among pending regulations that await final approval by the White House's Office of Management and Budget - the final step before publication - are:
  • Two rules for stage two of the HITECH Act's electronic health record incentive program. These include a software certification rule, spelling out standards for EHR applications, including encryption capability, and a meaningful use rule, establishing requirements that hospitals and physicians must meet to earn more incentive dollars. The requirements include conducting a risk assessment that addresses the encryption/security of data at rest.
  • A long-delayed omnibus package of regulations. The package includes modifications to the HIPAA privacy, security and enforcement rules, as well as the breach notification rule. It also includes a measure spelling out that using genetic information for insurance underwriting purposes is a privacy violation as well as discriminatory under the Genetic Information Non-Discrimination Act. In late June, OMB said it was extending its latest review of this package.
  • A final rule that would officially push back the compliance deadline for a shift to ICD-10 claims codes to Oct. 1, 2014. This would be the latest in a long series of changes in the compliance deadline for these pending codes. While this rule doesn't directly deal with privacy issues, the codes greatly expand the level of detail contained in diagnosis and procedure codes used in medical billing, which could be vulnerable in a breach.

    ICD-10 conversion projects could wind up competing for resources that healthcare organizations could allocate to HIPAA and HITECH compliance - not to mention preparing for the rollout of healthcare reform under the Affordable Care Act.

    Federal officials have said they expect all the regulations to be published in the Federal Register by the end of summer. But it remains to be seen whether OMB will enable that to happen.

    Hurry Up and Wait

    Until all these regulations are finalized, healthcare organizations - and the technology vendors that serve them - are left to wonder how to proceed with compliance plans, especially because the regulations present multiple priorities to juggle, often with short deadlines, says Dan Rode, vice president of advocacy and policy at the American Health Information Management Association.

    "We hope they come out closely together. Vendors need to know what to do; providers need to know what to do," he says.

    For instance, Rode points out that the proposed Stage 2 meaningful use rule includes provisions on how to give patients access to their records. Until that rule is finalized, software vendors and providers are in limbo about how to proceed.

    While the summer months can be lazy and slow for many, it's been a time of wait and see for nervous healthcare entities awaiting important new regulations. Hopefully, the feds will release these regulations soon, giving hospitals, physicians and others ample time to comply without a lot of chaos or continued doubt.



  • About the Author

    Marianne Kolbasuk McGee

    Executive Editor, HealthcareInfoSecurity

    McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.



