Long-awaited HIPAA Omnibus Rule may be released soon

“Rumor has it” that the long-awaited HIPAA-HITECH Omnibus Rule under the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) will be released the week of January 21st or 28th. While similar rumors have abounded for many months, this one may have some merit.

It is reasonable to expect the Office of Management and Budget (OMB) to release the final Omnibus regulations as soon as late January or early February, given that OMB has had the Rule for almost a year to perform a perfunctory final review. The Department of Health and Human Services (HHS) released the Rule to OMB for review, one of the last steps before publication in the Federal Register, on March 24, 2012. OMB had the standard 90-day period to perform its review, but requested an extension. Some have speculated that the pending election last year may have played a part in delaying the Rule.

Modern Healthcare’s IT Everything blog also posted recently that “in February, there is a HIPAA summit mid-month” that “calls for regulators to give a talk on the final rule.”

The much-anticipated HIPAA Rule is expected to contain implementing regulations for the following aspects of the HITECH Act: 1) data breach enforcement and penalty levels; 2) data breach notification requirements; 3) application of the HIPAA Security Rule requirements directly to business associates and subcontractors; 4) use of genetic information by health plans; and 5) use of patient health information (PHI) for marketing and fundraising. HHS has said the final Rule will contain “significant modifications” to the current HIPAA Privacy Rule. The final Rule will not address the proposed change to the HIPAA Privacy Rule’s standard on accounting for disclosures (i.e., access by whom, when and for what purpose), a controversial proposal that was complex, burdensome and potentially very costly.

We also have heard that a notice of proposed rulemaking would be out in March proposing a methodology by which people harmed by a HIPAA violation could share in any settlement or civil monetary penalty.

Stay tuned . . .

Please note that although this blog may be helpful in informing clients and others who have an interest in information privacy and security, it is not intended to be legal advice. The information on this blog also should not be relied upon to form an attorney-client relationship.
