OCR will release proposed rules later this month on most of the HIPAA privacy and security-related provisions in HITECH, according to a consultant who attended the North Carolina Healthcare Information and Communications Alliance (NCHICA) annual conference this month.
After its sixth annual Academic Medical Center Conference in Chapel Hill, NC, Phyllis A. Patrick, MBA, FACHE, CHC, co-founder & managing director of AP Health Care Compliance Group, sent an e-mail obtained by HealthLeaders Media that reported the HITECH regulations would be released in "about two weeks or around June 26th."
The information reportedly came from the session, "Meaningful Privacy and Security." In the e-mail, Patrick says the proposed rules will not include accounting for disclosures, which will be the subject of a separate proposed rule.
The NPRM will also include clarification regarding “willful neglect” (penalty tiers). Currently, that represents the most egregious breach of unsecured PHI and can include a penalty of at least $1.5 million under new HITECH tiers in the enforcement final rule.
Patrick also reports state attorneys general (SAG) are "developing training programs, including information for SAG staff, covered entities and business associates regarding HIPAA requirements and processes for filings with HHS, based on lessons learned from the first AG filing in Connecticut." Under HITECH, state AGs can pursue lawsuits for HIPAA violations, and Connecticut's AG was the first to do so.
OCR is expected to begin its HITECH-required compliance audits next year, Patrick reports. OCR's audits will be outsourced because its resources are limited, according to the e-mail.
“Much remains to be decided," Susan McAndrew, JD, deputy director for Health Information Privacy, for OCR, said in the “Quiz the Regulator” session on June 7.
Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.