Sorting Out Security RegulationsUpdates on Timing, Content of Privacy, Security Regulations
Final versions of the modifications to the HIPAA privacy, security and enforcement rules, as well as the HITECH Act breach notification rule are now slated for release in the third or fourth quarter, according to Gallagher. The senior director of privacy and security at the Healthcare Information and Management Systems Society provided the update at the HIMSS Conference's privacy and security workshop Feb. 20 in Orlando.
Late last year, in its semi-annual regulatory agenda, the Department of Health and Human Services had indicated it planned to issue the final HIPAA modifications in March of 2011. That timeline, however, appears to have been altered.
But a notice of proposed rulemaking on how to provide patients with an accounting of disclosures of information in electronic health records to those outside the organization that created the records is now slated for release in March, Gallagher noted.
Meanwhile, the timing of the launch of a HITECH-mandated HIPAA compliance audit program has yet to be determined, she added. "I honestly don't think we'll see it before the summer," she said, pointing out that the details of the audit program have yet to be worked out by the HHS Office for Civil Rights.
Tiger Team RecommendationsA Privacy and Security Tiger Team has been issuing recommendations on a number of issues in recent months. Those recommendations are most likely to be included in a Nationwide Health Information Network governance rule slated for release this fall, Deven McGraw, co-chair of the team, told workshop attendees (See: Tiger Team's Deven McGraw on Next Steps).
The NHIN governance rule will spell out guidelines for those voluntarily using the NHIN standards, such as to ease the transfer of data among various health information exchanges.
In an interview with HealthcareInfoSecurity.com, McGraw said she'd also like to see the tiger team's recommendations on gaining patient consent for exchanging health information, and other privacy and security issues, also included as part of the HIPAA modifications as well as the guidelines for future stages of the HITECH electronic health record incentive program.
The first draft of guidelines for stages two and three of the EHR incentive program contain no new privacy or security provisions. Regulators are soliciting comments on the proposed EHR "meaningful use" guidelines through Feb. 25. McGraw urged workshop attendees to comment on the draft and point out what provisions they'd like to see added.
Breach Notification RuleThe Department of Health and Human Services withdrew its proposed final version of the breach notification rule last year. Many observers concluded that the office was reconsidering the controversial "harm standard" in the interim final version of the rule, which enables organizations to conduct a risk assessment to determine whether a security incident merits a significant risk of harm and thus merits reporting.
But Gallagher said it's unclear whether the final version of the breach notification rule will include substantial alterations in the harm standard. She said HHS officials "seem to like" the harm standard, which has been criticized by consumer advocates and some member of Congress. HHS has concerns about creating "notification fatigue" if all breaches, even those with minimum risk of harm, must be reported, she said. If too many breach notices are issued, consumers might pay less attention to them all because of notification fatigue, or so the theory goes.
While they await all the final rules and regulations, Gallagher said healthcare organizations should take several steps, including:
- Establish a breach notification process;
- Perform a risk analysis on their EHR system;
- Conduct evaluations of their privacy and security programs in preparation for the looming HIPAA compliance audits;
- Prepare to comply with the EHR incentive program's requirement to provide patients with timely and secure access to electronic copies of their records.