HIPAA, HITECH Final Rules Expected by Early 2011

By dnicastro@hcpro.com | October 25, 2010

HIPAA and HITECH final rules could be published by the end of this year or early next year, a top lawyer for the Office for Civil Rights (OCR) says.

Adam H. Greene, JD, MPH, senior health information technology and privacy specialist for OCR, gave that prediction during the Fourth Annual HIPAA Summit West: Healthcare Privacy and Security after HITECH and Health Reform on October 4.

Though Greene would not guarantee that estimate, HIPAA privacy and security officers may be wise to listen to him. This past summer, Greene accurately said he expected a proposed rule on changes to the HIPAA privacy, security and enforcement rules to be released around July 8.

That's exactly when the display copy of the rule hit the streets; it was published in the Federal Register July 14.

Covered entities and business associates also await OCR's final rule on breach notification. The rule was sent to the Office of Management and Budget (OMB) for review but was later withdrawn for further review, OCR announced on its website July 28.

Attendees at the HIPAA Summit earlier this month discussed the breach notification rule and whether OCR will lift the "harm threshold" written into the interim final rule. Under that threshold, if covered entities determine, after a risk analysis, that a breach would not cause a patient significant financial or reputational harm, breach notification is not mandatory.

Supporters say the harm threshold works because it eliminates endless breach notification reports for "harmless" incidents (e.g., patient information faxed to the wrong department within a hospital).

But opponents, including some members of Congress, want the harm threshold removed because they say it weakens privacy controls and may let entities off the hook for committing breaches.

Also on OCR's plate is its "periodic audit" plan that must be rolled out in accordance with HITECH. No timetable or details on the audit plan are available yet, though OCR did tell HealthLeaders Media in May that it had hired Booz Allen Hamilton to help build its HITECH-required HIPAA auditing plan.

At that time, OCR said it was "presently engaged in a contract to survey and recommend strategies for implementing the HITECH audit requirement."

Asked again this month about the status of the audit plan, OCR essentially said it is not ready to release the plan.

"Pursuant to Section 13411 of HITECH, OCR is in the process of developing a program to conduct periodic audits to ensure that covered entities and business associates comply with HIPAA Privacy and Security Rule requirements," Rachel Seeger, MPA, MA, senior health information privacy outreach specialist for OCR, wrote in an e-mail to HealthLeaders. "At this time, audit report is pre-decisional and not available publicly. OCR does not have a timetable for implementation."

 

Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.
