Privacy, Security Regulatory Outlook
Many Healthcare Regulations Still in the Works
Among the most significant overdue regulations, all mandated under the HITECH Act, which was part of the economic stimulus package, are:
- A final version of the HIPAA breach notification rule. An interim final version has been in effect since September 2009.
- A final version of HIPAA modifications, including applying many security requirements to business associates and establishing higher penalties for non-compliance.
- A proposed version of the Accounting of Disclosures Rule, which federal authorities have suggested should include a controversial requirement to provide patients with access reports listing everyone who has accessed their electronic information.
- A proposed version of the Nationwide Health Information Network governance rule, setting guidelines for health information exchange.
- A proposed version of the guidelines for qualifying for Stage 2 of the HITECH Act's electronic health record incentive program, as well as guidelines for certifying EHR software meets Stage 2 requirements. Stage 1 requirements for meaningful use of EHRs and certification of EHR software for the incentive program are now in effect.
But as the year drew to a close, federal regulators were tight-lipped about their plans for rolling out these regulations.
Omnibus Package Delayed
Officials at the Department of Health and Human Services' Office for Civil Rights have indicated that they will eventually issue an omnibus package of regulations that includes the final version of modifications to the Health Insurance Portability and Accountability Act, the final breach notification rule as well as privacy provisions under the Genetic Information Nondiscrimination Act.
The office sent a final version of the breach rule to the Office of Management and Budget in May 2010 for review, but it was withdrawn in July and has been in limbo since then. The proposed rule for HIPAA modifications was issued in July 2010, but a final version is still pending.
The interim final version of the breach notification rule contains a controversial "harm standard" that enables healthcare organizations to conduct a risk assessment to determine whether an incident represents a significant risk of harm to patients and thus merits reporting. Some members of Congress and privacy advocates have called for removal of that provision so that virtually all breaches are reported. Others have called on regulators to at least greatly clarify the provision.
At a recent Congressional hearing, Leon Rodriguez, who took the helm at the Office for Civil Rights in September, declined to estimate when the omnibus package of regulations would be issued. In reply, Sen. Al Franken, D-Minn., who expressed strong concern about the growing number of healthcare information breaches, told him, "Well, hurry up." (See: HIPAA Updates: What's the Hold Up?).
In late December, Rodriguez' office declined to provide HealthcareInfoSecurity with a timetable for when the omnibus package of regulations would be issued.
Delays Cause Headaches
Kari Myrold, privacy officer at Hennepin County Medical Center in Minneapolis, testified before Congress that the delay in the rules makes her job more difficult.
"Without the final rules, you pretty much feel as though you're in limbo," Myrold said in an interview with HealthcareInfoSecurity. Because the rules have been further delayed, healthcare organizations have "just missed another budget cycle" to make the case for more employees or more applications to help with compliance, she added.
Further delays could hurt regulators' credibility, Myrold stressed. "I think credibility kind of gets lost when it takes longer," she said. "If it's not important to issue the final rule, then organizations might start thinking, 'Well, it's not important for us to implement that then either.'"
Lynne Thomas Gordon, the new CEO of the American Health Information Management Association, noted in a recent interview: "The impact of the delay is most severe when it comes to implementing all the technical and policy changes related to information exchange and implementation of EHR systems and practices."
Accounting of Disclosures
Because the Office for Civil Rights received hundreds of comments on its notice of proposed rulemaking for the Accounting of Disclosures Rule, many observers expect the office will spend a great deal of time reconsidering its provisions.
The most controversial element of the proposal is a requirement to provide patients with the right to obtain an access report on who has accessed electronic protected health information in a designated record set, including access for purposes of treatment, payment and healthcare operations.
AHIMA recommends that federal authorities conduct pilot projects to help determine the costs and burdens associated with creating access reports before issuing the rule (see: Access Reports: Is Revamp Inevitable?).
Other Pending Rules
The Office of the National Coordinator for Health IT, a unit of HHS, is taking a lead role in crafting the NwHIN governance rule as well as the rules for Stage 2 of the EHR incentive program.
Also on ONC's to-do list are:
- A joint report with the Federal Trade Commission on privacy and security requirements for personal health records.
- Guidance on "minimum necessary" standards. The HITECH Act specifies that healthcare organizations should limit uses and disclosures of personal health information to the "minimum necessary" to conduct a particular function.
- A joint report with the Office for Civil Rights on de-identification of protected health information for use in research.
"We expect the pending rules to come out on a rolling basis over the course of the first several months of 2012," an ONC spokesman told HealthcareInfoSecurity in late December, declining to provide further details.
Timing of Releases
Consumer advocate Deven McGraw of the Center for Democracy & Technology expects that the NwHIN governance rule is likely to come out next spring at about the same time as proposed rules for Stage 2 of the electronic health record incentive program.
"If those rules came out as a package, particularly if they are actually consistent in terms of the expectations that were set, that would be ideal," McGraw says.
McGraw, who co-chairs the Privacy and Security Tiger Team that's advising federal regulators, expects many of the team's recommendations, such as those regarding obtaining patient consent to exchange data, to wind up in the proposed Nationwide Health Information Network governance rule, which will provide guidelines for health information exchange.
The EHR incentive rules likely also will incorporate some Tiger Team proposals, McGraw notes. For example, the team has recommended that certified EHR software provide patients with the ability to download records.