Breaking: HHS releases final rule on HITECH Act provisions

HHS has announced a long-awaited omnibus final rule that implements a number of provisions of the HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, commonly known as the "Stimulus Bill," to strengthen the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

We will update the blog with more analysis of the final rule, but, in the meantime, you can find the press release here. You can see a copy of the rule via the Federal Register here.

Via HHS Press Release:

The final rule also reduces burden by streamlining individuals’ ability to authorize the use of their health information for research purposes. The rule makes it easier for parents and others to give permission to share proof of a child’s immunization with a school and gives covered entities and business associates up to one year after the 180-day compliance date to modify contracts to comply with the rule.

The final omnibus rule is based on statutory changes under the HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, and the Genetic Information Nondiscrimination Act of 2008 (GINA) which clarifies that genetic information is protected under the HIPAA Privacy Rule and prohibits most health plans from using or disclosing genetic information for underwriting purposes.


OCR to release final breach notification rule in March

Via Healthcare Info Security:

The Department of Health and Human Services' Office for Civil Rights has set a March target date for release of the long-delayed final version of Health Insurance Portability and Accountability Act modifications and the HIPAA breach notification rule.

Although an HHS semi-annual regulatory agenda published Feb. 13 in the Federal Register did not mention these regulations, a January 'unified agenda' document, with far more details, shows a March target date, notes Susan McAndrew, OCR's deputy director for health information privacy.

The HHS regulatory agenda sets target dates, which, historically, aren't necessarily met. And the rules don't yet appear on the list of regulations under review by the Office of Management and Budget. OMB review is the final step before publishing a rule in the Federal Register.

'OCR is making every effort to publish the final rules on all of the remaining HITECH Act provisions so these important protections and expansions of individual rights under the HIPAA privacy and security rules can be made available uniformly to consumers across the country,' McAndrew told HealthcareInfoSecurity. 'OCR is proceeding with all deliberate speed to ensure the major impacts of these regulations are fully understood and addressed.'

In mid-2010, OCR issued a proposed version of the HIPAA modifications, which would, among other things, require business associates to comply. An interim final version of the HIPAA breach notification rule is now in effect until the final version is released. OCR submitted a final version for review by the Office of Management and Budget in 2010 and then withdrew it (see: Final Breach Notification Rule on Hold). It's been on hold ever since.

The interim final version of the breach rule contains a controversial harm standard that enables organizations to conduct a risk assessment to determine whether a breach represents a significant risk of harm to individuals and thus merits reporting.

"March Target for HIPAA Modifications," Healthcare Info Security (February 15, 2012).