The Department of Health and Human Services' Office for Civil Rights has set a March target date for release of the long-delayed final version of Health Insurance Portability and Accountability Act modifications and the HIPAA breach notification rule.
Although an HHS semi-annual regulatory agenda published Feb. 13 in the Federal Register did not mention these regulations, a January 'unified agenda' document, with far more details, shows a March target date, notes Susan McAndrew, OCR's deputy director for health information privacy.
The HHS regulatory agenda sets target dates, which, historically, aren't necessarily met. And the rules don't yet appear on the list of regulations under review by the Office of Management and Budget. OMB review is the final step before publishing a rule in the Federal Register.
'OCR is making every effort to publish the final rules on all of the remaining HITECH Act provisions so these important protections and expansions of individual rights under the HIPAA privacy and security rules can be made available uniformly to consumers across the country,' McAndrew told HealthcareInfoSecurity. 'OCR is proceeding with all deliberate speed to ensure the major impacts of these regulations are fully understood and addressed.'
In mid-2010, OCR issued a proposed version of the HIPAA modifications, which would, among other things, require business associates to comply. An interim final version of the HIPAA breach notification rule is now in effect until the final version is released. OCR submitted a final version for review by the Office of Management and Budget in 2010 and then withdrew it (see: Final Breach Notification Rule on Hold). It's been on hold ever since.
The interim final version of the breach rule contains a controversial harm standard that enables organizations to conduct a risk assessment to determine whether a breach represents a significant risk of harm to individuals and thus merits reporting.
"March Target for HIPAA Modifications," Healthcare Info Security (February 15, 2012).