The Office of Civil Rights (OCR) today confirmed it expects to release proposed rules regarding privacy and security provisions of HITECH, but still has not said when.
For the past couple of weeks, industry insiders have talked about a delay in enforcing the HITECH provisions that took effect February 17 until OCR formally publishes rules regarding those provisions. OCR hadn't responded formally until today.
These provisions include:
- Business associate (BA) liability
- New limitations on the sale of personal health information, marketing, and fundraising communications
- Stronger individual rights to access electronic medical records and restrict the disclosure of certain information
"Although the effective date [February 17, 2010] for many of these HITECH Act provisions has passed, the [notice for proposed rulemaking] and the final rule that follows will provide specific information regarding the expected date of compliance and enforcement of these new requirements," OCR wrote in the statement on its Web site.
Earlier this month, an OCR lawyer told HealthLeaders Media the HIPAA privacy and security enforcer will release a proposed rule regarding business associate provisions in HITECH "shortly."
Adam H. Greene, Office of the General Counsel for OCR, wrote in an e-mail to HealthLeaders that OCR's rulemaking will elaborate on the expected date of compliance surrounding the rule.
Per HITECH, BAs had to be compliant with the HIPAA Security Rule and the use and disclosure provisions of the privacy rule by February 17 and had to enter into an updated agreement with their covered entities.
However, a law firm blogged last month that Greene said enforcement of some BA provisions will be delayed until final rules addressing those provisions are published.
OCR reminded covered entities and BAs that two interim final rules implementing HITECH provisions have already been issued and are currently in effect: enforcement and breach notification.
New civil money penalty amounts apply to HIPAA privacy and security rule violations occurring after February 17, 2001. Covered entities and BAs must comply now with breach notification obligations for breaches that are discovered on or after September 23, 2009.
OCR has said it would use its "enforcement discretion" not to impose fiscal sanctions with regard to breaches discovered before February 22, 2010.
"Since that date has passed, OCR will enforce the Breach Notification Interim Final Rule, including with the possible imposition of sanctions, as it does with the HIPAA Privacy and Security Rule requirements," OCR added.
Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.