Delay of HIPAA privacy, security rules almost over

By Mary Mosquera
03:08 PM

The long-awaited final rule that will strengthen HIPAA privacy and security safeguards to better protect electronic health information will be released by the end of the year, according to a senior health privacy official.

The final omnibus rule will take effect as healthcare providers begin to exchange health information and more organizations are involved in helping to transmit sensitive data.

[See also: Is the ONC's Health IT Plan realistic? Readers are divided.]

The regulation will combine the final version in an omnibus rule of security-related updates to the Health Insurance Portability and Accountability Act (HIPAA), said Sue McAndrew, deputy director for health information privacy at the Office of Civil Rights in the Health and Human Services Department. OCR is charged with overseeing and enforcing HIPAA.

She said OCR was “quite far along” and she anticipated the rule “certainly by the end of the year. Or one of us will be out the door by the end of the year, and I hope it’s the reg,” she said in jest, at a May 10 HIPAA conference, sponsored by OCR and the National Institute of Standards and Technology. “I really am hoping that we are now targeting months, if not weeks, for the publication,” she added.

The regulation will include the final versions of rules proposed to provide for data breach notification released in August 2009; to strengthen HIPAA enforcement released in October 2009; as well as a slew of other privacy and security protections, released in July 2010, that were called for in the 2009 HITECH Act. 

As part of the final rule, business associates, which supply services and activities on behalf of healthcare providers and health plans, will be obligated to comply with HIPAA, and they will be responsible for their subcontractors following it also, McAndrew said.

OCR will also strengthen enforcement with increased civil money penalties and new requirements for electronic access by patients of their information.

“We need to make sure that consumers have confidence that their electronic data is safeguarded and that organizations are meeting the highest practices for custody and control,” she said.

OCR decided to combine the final versions to incorporate as much of the activity as would be needed so providers, plans and businesses would have to change their systems, forms and notices just once, McAndrew said.

In addition to the omnibus rule, OCR is working on a proposed rule for the accounting of disclosures from electronic records, also called for by HITECH. It will include a right for the individual to receive an accounting of those who have accessed the individual’s health information and the number of times.

Although the timing will be close, McAndrew said OCR would not be able “to synch it up” with the omnibus rule and it will be issued separately.