HIPAA, HITECH Updates Inch Closer
HIPAA Modifications, HITECH Stage 2 Rules Expected Soon
Final versions of several pending federal healthcare regulations that deal, in part, with privacy and security issues likely will be published by the end of summer, federal authorities say. These include the long-delayed modifications to HIPAA plus rules for the next phase of the HITECH Act electronic health record incentive program.
The modifications to HIPAA are included in an omnibus package of regulations that also includes a final version of the HIPAA breach notification rule plus a measure spelling out that using genetic information for insurance underwriting purposes is a privacy violation as well as discriminatory under the Genetic Information Non-Discrimination Act.
Farzad Mostashari, who heads the Office of the National Coordinator for Health Information Technology at the Department of Health and Human Services, said in a recent speech that the package would be published by summer's end. A spokesman for the HHS' Office for Civil Rights, the HHS unit handling the omnibus package, said the package "is extremely close to publication," but declined to predict when it would be published in the Federal Register.
The proposed version of the modifications to HIPAA, unveiled in July 2010, would, among other things, require business associates and their subcontractors to comply.
An interim final version of the HIPAA breach notification rule has been in effect since September 2009. Federal officials have said the final version of the rule will clarify guidelines for when a breach must be reported (see: HIPAA Modifications: What to Expect).
HHS submitted the omnibus package for review by the White House Office of Management and Budget on March 24, the final step before publication.
Rules for Stage 2 of the HITECH electronic health record incentive program also are expected to be published by the end of summer, a spokesman for Mostashari's office says. These include a rule defining the "meaningful use" requirements for hospitals and physicians earning incentives and a software certification rule creating standards for the EHR software that qualifies for the program.
The proposed Stage 2 meaningful use rule would require hospitals and physician groups to conduct a security risk analysis that includes "addressing the encryption/security of data at rest."
The proposed Stage 2 software certification rule includes a provision that the software needs to be able to demonstrate the capacity to encrypt data on mobile devices in circumstances where the EHR technology manages the data flow on the device.
HIE Standards Pending
Meanwhile, authorities will accept comments through June 29 on preliminary plans for voluntary national standards, including privacy and security guidelines, for health information exchanges. A proposed version of the Nationwide Health Information Network Governance Rule is likely still months away from publication.
And Mostashari's office has announced a Blue Button Mash Up challenge. The contest is designed to identify ways to combine the Blue Button approach to enabling patients to securely download portions of their records with other ways to access data to help patients make better decisions.