HITECH Mandated Regs Still in Works
HIPAA Modifications Among Rules to Come in a Batch
McAndrew said Tuesday at a conference in Washington that the final version of a set of pending regulations would be issued within months if not weeks. OCR is issuing them in a batch so that organizations can make all the necessary adjustments for compliance at one time, she explained.
The omnibus package will include:
- HITECH Act-mandated modifications to the HIPAA privacy, security and enforcement rules. These changes, for example, formalize higher penalties for HIPAA violations and make it clear that business associates must comply with HIPAA. Last December, HHS had indicated in its semi-annual regulatory agenda that the final HIPAA modifications, many of which were issued in preliminary form last year, would be completed by March.
- The breach notification rule. An interim final version is already in effect. OCR yanked a proposed final version of the rule last year for further consideration. Some observers speculated that the office may be reconsidering the controversial "harm standard" in the interim final version of the rule, which enables organizations to conduct a risk assessment to determine whether a security incident represents a significant risk of harm and thus merits reporting.
- Privacy provisions under the Genetic Information Nondiscrimination Act. These provisions will formalize that using genetic information for insurance underwriting purposes is a privacy violation as well as a non-discrimination violation, McAndrew said.
Accounting for Disclosures
In an interview after her presentation, McAndrew said a notice of proposed rulemaking revealing a proposal for accounting for disclosures of information in electronic health records "probably" would be issued before the omnibus set of final regulations. Once that notice is issued, OCR will accept comments before issuing a proposed rule.
The HITECH Act called for a rule outlining how to provide patients with an accounting of the disclosure of electronic records to those outside the organization that created the records. But McAndrew acknowledged that writing the rule is challenging, because of the gray areas involved.
"In some hospitals, where many of the practicing physicians really are not part of the hospital entity itself, technically what would seem to be a 'use' of the hospital's electronic health record is actually a 'disclosure' to the physician," she told HealthcareInfoSecurity. "So that's one of the issues that's being dealt with."
Meanwhile, OCR is working closely with the HHS Office of the National Coordinator for Health Information Technology to determine whether additional rules, or guidance about compliance with existing rules, are needed to ensure health information remains secure, McAndrew said. In some cases, regulators will need to "find new ways to protect against new vulnerabilities," she added.
Her comments came at a conference, "Safeguarding Health Information: Building Assurance Through HIPAA Security," co-sponsored by OCR and the National Institute of Standards and Technology.