HITECH Regulations May Come Soon—or Four Months from Now
Proposed HIPAA Privacy Rule regulations could be published in the Federal Register within the next 120 days, now that the Department of Health & Human Services (HHS) this week sent regulations per HITECH requirements to the Office of Information and Regulatory Affairs (OIRA) for review, according to privacy and security experts.
Asked when it believes rules will be public, the Office for Civil Rights (OCR), which oversees enforcement of the HIPAA privacy and security rules, wrote in an e-mail to HealthLeaders Wednesday, "HHS cannot predict the OMB timeline."
John R. Christiansen of Christiansen IT Law in Seattle says he expects to see the rules made public sometime between the end of this week (not likely, he says) and the end of the summer.
OIRA has 90 days to review the regulations, though the head of the submitting agency can extend that time and OIRA may request a one-time 30-day extension, says Jana Aagaard of the Law Office of Jana Aagaard in Carmichael, CA.
OCR in March confirmed it expected to release proposed rules regarding privacy and security provisions of HITECH, but it did not say when.
The industry has been waiting on rules from OCR concerning HITECH provisions effective February 17.
These provisions include:
- Business associate (BA) liability
- New limitations on the sale of personal health information, marketing, and fundraising communications
- Stronger individual rights to access electronic medical records and restrict the disclosure of certain information
"Although the effective date [February 17, 2010] for many of these HITECH Act provisions has passed, the [notice for proposed rulemaking] and the final rule that follows will provide specific information regarding the expected date of compliance and enforcement of these new requirements," OCR wrote in a statement on its Web site.