
Flurry of HIPAA Activity Expected Over Next Three Months

By HealthLeaders Media Staff | December 02, 2009

The Office for Civil Rights (OCR) in all likelihood will publish a draft or interim final rule outlining the new requirements for composing and updating business associate (BA) contracts in February, the same month BAs must comply with HIPAA's security rule, one HIPAA expert tells HealthLeaders Media.

Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, and also a board member of the Workgroup for Electronic Data Interchange (WEDI), spoke with an HHS official at WEDI's 2009 Fall Conference in Baltimore earlier this month.

Apgar says HHS, which oversees OCR, is in the "process of trying to put out a fair number of rules, from what does a BA contract need to contain to the 'meaningful use' definition [on EHRs] as well as look at plans to help the healthcare industry prepare for ICD-10 conversion, and the implementation of the HIPAA 5010 transaction and code sets."

Covered entities must update their contracts with BAs by February 17, 2010, the statutory compliance date in the American Recovery and Reinvestment Act (ARRA).

The government also hopes to synchronize Medicare and Medicaid rules for reimbursement incentives for "meaningful users" of EHRs. The draft rule on the definition of meaningful use is due by December 31, 2009.

The WEDI conference included a focus on the Health Information Technology for Economic and Clinical Health Act (HITECH), which is part of ARRA, as well as on funding and breach notification.

While OCR may publish rules on BA contracts in February, Apgar says covered entities should not wait until then to update their BA contracts.

"That's the thing that needs to be emphasized—you can't wait until the rules are final," Apgar says. "If you're waiting, my advice is don't because the statutory deadline is February 17, 2010."

As for enforcement, Congress promised in ARRA "periodic audits" to ensure HIPAA compliance. Government officials told HealthLeaders Media in September they weren't sure what that meant, and Apgar says OCR still does not have a definitive plan. OCR likely will not publish a plan until the second quarter of 2010.

"If you've got a headline [because of a major breach], they're likely going to come and investigate you," Apgar says. "But they're wavering on how they will conduct compliance audits. Not because they're not going to do it, but because they don't know when yet. The House version of the healthcare reform bill calls for more strict enforcement than ARRA, so they want to wait to see what comes out in healthcare reform."

Apgar adds the government can fine up to $50,000 for one HIPAA violation and a maximum of $1.5 million for the same type of violation per calendar year—regardless of the severity of the breach.
