March Target for HIPAA Modifications
HHS Office for Civil Rights Clarifies Its Regulatory GoalsThe Department of Health and Human Services' Office for Civil Rights has set a March target date for release of the long-delayed final version of Health Insurance Portability and Accountability Act modifications and the HIPAA breach notification rule.
See Also: Identity Security Trailblazers - Health First
Although an HHS semi-annual regulatory agenda published Feb. 13 in the Federal Register did not mention these regulations, a January "unified agenda" document, with far more details, shows a March target date, notes Susan McAndrew, OCR's deputy director for health information privacy.
The HHS regulatory agenda sets target dates, which, historically, aren't necessarily met. And the rules don't yet appear on the list of regulations under review by the Office of Management and Budget. OMB review is the final step before publishing a rule in the Federal Register.
"OCR is making every effort to publish the final rules on all of the remaining HITECH Act provisions so these important protections and expansions of individual rights under the HIPAA privacy and security rules can be made available uniformly to consumers across the country," McAndrew told HealthcareInfoSecurity. "OCR is proceeding with all deliberate speed to ensure the major impacts of these regulations are fully understood and addressed."
In mid-2010, OCR issued a proposed version of the HIPAA modifications, which would, among other things, require business associates to comply. An interim final version of the HIPAA breach notification rule is now in effect until the final version is released. OCR submitted a final version for review by the Office of Management and Budget in 2010 and then withdrew it (see: Final Breach Notification Rule on Hold). It's been on hold ever since.
The interim final version of the breach rule contains a controversial harm standard that enables organizations to conduct a risk assessment to determine whether a breach represents a significant risk of harm to individuals and thus merits reporting.
The January unified agenda document also lists a June target date for OCR's release of a final version of the Accounting of Disclosures Rule. The proposed version of this rule contained a controversial provision that calls for providing patients with an "access report" listing everyone who's electronically accessed their records.
In the Feb. 13 regulatory agenda, the HHS Office of the National Coordinator for Health IT announced plans to release in February proposed guidelines for Stage 2 of the HITECH electronic health record incentive program. Those guidelines are expected to include beefed-up privacy and security provisions.
OCR Budget Cuts
President Obama's proposed fiscal 2013 budget includes a 5 percent cut in spending for OCR. The HHS budget contends that "process improvements and administrative efficiencies" are enabling the office to operate on a slimmer budget (see: Budget Cut Would Hit HIPAA Enforcer).
OCR recently launched a HIPAA compliance audit program for 2012 that McAndrew acknowledges is funded by the HITECH Act, part of the economic stimulus package, and not the HHS budget. Asked whether there will be HITECH funding available for more audits after 2012, she notes, "There may be residual funds available in the following year for the evaluation step of the pilot program."
Regarding the impact of the budget cut on OCR's HIPAA enforcement activities, McAndrew says, "OCR's posture with respect to pursuing enforcement and compliance is aggressive because entities need to be aware that there are costs associated with non-compliance. It has been some time now that the HIPAA privacy and security rules have been in effect, and it should be clear to covered entities that there are penalties associated with failing to comply with the rules."