The release of final rules on HIPAA and HITECH, promised to be published by HHS’s Office of Civil Rights (OCR) in 2011, now look to be further away than we thought.
On October 25, OCR’s Deputy Director for Health Information Privacy, Susan McAndrew, told the audience at the Workgroup for Electronic Data Interchange conference that, “We are wrapping up on the omnibus final rule and I am hoping to have it sometime soon.”
The new rule, which will finalize many changes to HIPAA, was widely expected to be released sooner. The proposed rule was released in July 2010 and, a few months later, OCR said it would be finalized in the Spring of 2011. After missing that deadline, OCR said that the date had been pushed to the end of 2011. Now, McAndrew says it could be extended again, to early 2012. (Readers may recall, however, that the Final Rule released in 2000 was released on December 28 of that year, so don’t rule out a last-minute 2011 release.)
The omnibus rule should finalize four previous proposed and interim final rules, covering:
- breach notification
- HIPAA enforcement
- HIPAA Privacy Rule and Security Rule changes mandated by the HITECH Act
- HIPAA changes required by the Genetic Information Nondiscrimination Act (GINA)
Typically, covered entities have 180 days from a rule's effective date to comply.
OCR also reported receiving 435 public comments about its proposed rule for accounting of disclosures of PHI,
which allows patients to request information about who has accessed their personal health information in electronic form, in addition to requesting a full accounting of disclosures. McAndrew said that comments on the proposed rule indicate that the health care industry “has not embraced the access report provision.”