The Wait for Some Regulations Continues
Final HIPAA Modifications, Breach Notification Rule, Still Pending
In a presentation at a conference, Susan McAndrew, deputy director for health information privacy at the Department of Health and Human Services' Office for Civil Rights, confirmed that a batch of overdue final regulations dealing with healthcare privacy and security issues will be issued in one "omnibus" rulemaking this year. But unfortunately, she stopped short of clarifying how soon the rulemaking will be completed (see: HITECH Mandated Regs Still in Works).
The long overdue final versions of regulations, mandated under the HITECH Act, that will be included in the omnibus package are modifications to the HIPAA privacy, security and enforcement rules and the breach notification rule. Also to be included in the omnibus package are privacy provisions under the Genetic Information Nondiscrimination Act.
We're anxious to see how the final versions of the HIPAA modifications, as well as the breach notification rule, differ from the preliminary versions issued earlier. For example, the interim final version of the breach notification rule contained a controversial "harm standard," which allowed organizations to conduct a risk assessment to determine whether a security incident poses a significant risk of harm to the affected individuals and thus merits reporting. We're hoping to see that provision greatly clarified.
Meanwhile, on May 27, OCR issued a detailed notice of proposed rulemaking that sets out guidelines for how patients must be provided with an accounting of who has viewed their protected health information (see: HITECH Disclosures Rule Proposed).
Also in May, officials at the National Institute of Standards and Technology announced they hope to unveil a free HIPAA Security Rule Toolkit by December to help healthcare organizations achieve compliance (see: NIST Prepares HIPAA Security Toolkit). The kit will be updated, as necessary, in light of the pending modifications to the security rule, NIST officials said.
A demonstration of a kit prototype looked very promising. It included about 1,000 questions organized in what amount to decision trees that point the user to appropriate issues to resolve. The free HIPAA Security toolkit could prove extremely helpful in achieving compliance if it lives up to its promise.
Another story that grabbed readers' attention in May described how Allina Hospitals and Clinics fired 32 employees for looking at the electronic health records of patients involved in a recent mass drug overdose case without a legitimate professional reason to do so. It was a gutsy move that demonstrated the organization's commitment to enforcing its privacy policies. And it provided valuable food for thought to other hospitals and clinics: What would you do if a group of valuable employees broke the rules?