The Security Scrutinizer with Howard Anderson

Waiting for HIPAA Rules, Guidance

Regulators Pressed to Issue Regulations and Advice

An omnibus package of regulations, including the two overdue final rules, is in the works and will be released soon, officials at the Department of Health and Human Services' Office for Civil Rights say. How soon remains unclear.

The long delay in releasing the final rules, mandated under the HITECH Act, is making it difficult for organizations to make appropriate decisions, says Lynne Thomas Gordon, the new CEO of the American Health Information Management Association. "The impact of the delay is most severe when it comes to implementing all the technical and policy changes related to information exchange and implementation of EHR systems and practices," she says.

AHIMA members, who include health information managers involved in automating records, are particularly concerned that IT vendors will not be able to provide timely compliance assistance if the pending rules "create a significant requirement for systems changes that overlap or conflict with the [HITECH Act electronic health record incentive program's] meaningful use requirements," Thomas Gordon says.

Kari Myrold, privacy officer at Hennepin County Medical Center in Minneapolis, recently testified before Congress about the issue. She said in a recent interview: "Without the final rules, you pretty much feel as though you're in limbo."

In addition to releasing the long overdue rules, Myrold would like to see HHS issue much more detailed HIPAA compliance guidance, including model policies and procedures. And a federal advisory group agrees.

The Health IT Policy Committee is urging HHS to make a concerted effort to provide much more guidance on security issues. In a recently approved recommendation, the committee said HHS should "have a consistent and dynamic process for updating security policies and for the rapid dissemination of new rules and guidance."

New HIPAA Guidance

In the meantime, there's a bit of good news about federal guidance on security issues.

The Office of the National Coordinator for Health IT, a unit of HHS, is working on simplified guidance on how to conduct a HIPAA-mandated risk assessment. Designed for smaller hospitals and clinics, the guidance will be written for those who lack information technology expertise.

In addition, the National Institute of Standards and Technology has prepared a free HIPAA Security Rule Toolkit designed to help healthcare organizations conduct a thorough risk assessment.

Let's hope federal regulators make a New Year's resolution to issue overdue rules - and detailed compliance guidance - early in 2012.

About the Author

Howard Anderson

News Editor, ISMG

Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
