The Security Scrutinizer with Howard Anderson

The Wait for Some Regulations Continues

Final HIPAA Modifications, Breach Notification Rule, Still Pending

The fate of pending regulations, an upcoming HIPAA Security Rule compliance toolkit and a crackdown on records snoops were among the most popular news items on HealthcareInfoSecurity in May.

In a presentation at a conference, Susan McAndrew, deputy director for health information privacy at the Department of Health and Human Services' Office for Civil Rights, confirmed that a batch of overdue final regulations dealing with healthcare privacy and security issues will be issued in one "omnibus" rulemaking this year. But unfortunately, she stopped short of clarifying how soon the rulemaking will be completed (see: HITECH Mandated Regs Still in Works).

The long overdue final versions of regulations, mandated under the HITECH Act, that will be included in the omnibus package are modifications to the HIPAA privacy, security and enforcement rules and the breach notification rule. Also to be included in the omnibus package are privacy provisions under the Genetic Information Nondiscrimination Act.

We're anxious to see how the final versions of the HIPAA modifications, as well as the breach notification rule, differ from the preliminary versions issued earlier. For example, an interim final version of the breach notification rule contained a controversial "harm standard," which enabled organizations to conduct a risk assessment to determine whether a security incident poses a significant risk of harm and thus merits reporting. We're hoping to see that provision greatly clarified.

Meanwhile, on May 27, OCR issued a detailed notice of proposed rulemaking that sets out guidelines for how patients must be provided with an accounting of who has viewed their protected health information (see: HITECH Disclosures Rule Proposed).

Also in May, officials at the National Institute of Standards and Technology announced they hope to unveil a free HIPAA Security Rule Toolkit by December to help healthcare organizations achieve compliance (see: NIST Prepares HIPAA Security Toolkit). The kit will be updated, as necessary, in light of the pending modifications to the security rule, NIST officials said.

A demonstration of a kit prototype looked very promising. It included about 1,000 questions organized in what amount to decision trees that point the user to appropriate issues to resolve. The free HIPAA Security toolkit could prove extremely helpful in achieving compliance if it lives up to its promise.

Another story that grabbed readers' attention in May described how Allina Hospitals and Clinics fired 32 employees for looking at the electronic health records of patients involved in a recent mass drug overdose case without a legitimate professional reason to do so. It was a gutsy move that demonstrated the organization's commitment to enforcing its privacy policies. And it provided valuable food for thought to other hospitals and clinics: What would you do if a group of valuable employees broke the rules?

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
