On June 22, 2012, the Office of Management and Budget (OMB) announced that it was delaying release of the HIPAA Omnibus Final Rule (HIPAA Rule) under the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) from a projected early July date, to a future unspecified date.
The much-anticipated HIPAA Rule contains implementing regulations for five aspects of the Act: 1) enforcement (new penalty tiers); 2) breach notification; 3) use of genetic information by health plans; 4) application of the HIPAA Security Rule requirements directly to business associates and their subcontractors; and 5) use of protected health information (PHI) for marketing. HHS has said the final Rule will contain “significant modifications” to the current HIPAA Privacy Rule.
HHS released the Rule to OMB on March 24, 2012, and OMB had the standard 90-day period to perform its review. OMB gave no indication whether the HIPAA Rule was delayed for a one-time 30-day extension by the Director of OMB, or whether the head of HHS requested an indefinite delay, both of which are permitted under federal rulemaking procedures. But everyone who is waiting to learn what further revisions will be required to many of their compliance practices will have to sweat it out a little longer.
The Government Accountability Office (GAO) is not waiting patiently, however. For its part, on June 22, the same day that OMB’s delay was announced, the GAO issued a 40-page report calling for HHS to complete several tasks it has under HIPAA. Acting pursuant to a separate statutory mandate, GAO reported that HHS, thus far, has neglected to issue required implementation guidance on de-identifying PHI when it is used for purposes other than directly providing clinical care to an individual. In particular, GAO focused on the privacy and security of Medicare beneficiaries’ prescription drug use information. Much of the drug prescribing and filling process now relies on electronic collection of an individual’s PHI and the exchange of that PHI among the providers involved. This process certainly enhances efficiency and accuracy, but it creates new privacy and security risks. Until HHS issues guidance on de-identification of such data, GAO believes there is a risk that covered entities are not properly implementing the federal standards in this regard.
Further, while HHS has started a pilot program of periodic compliance audits of covered entities, it has announced no plans for an ongoing audit program, as the HITECH Act requires. It also has not begun to audit business associates of covered entities. GAO points out that until such audits are established on an ongoing basis, OCR will have limited assurance of PHI privacy and security. To read the report, click here.
So while the health care industry waits even longer to learn from HHS what procedures and protections it must have in place under HIPAA, and when, the GAO is prodding its sibling to move faster. The summer heat is increasing for us all!
This article was prepared by Ann Feldkamp Triebsch, Esq., of Wyatt, Tarrant & Combs, LLP