McAndrew: HIPAA/HITECH final rules shipped off to OMB

HCPRO Website, March 26, 2012

OCR made the final step before publishing final rules on HIPAA/HITECH, sending its rules to the Office of Management & Budget (OMB) March 24 for a review.

Once OMB completes the review — which can last up to 90 days — the rules will be published. OCR packaged four rules into one under the title “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules”.

The final rules will include:

  • Modifications to the HIPAA Privacy and Security Rules (namely making business associates and subcontractors liable and responsible for security-rule compliance and the use and disclosures provision of the privacy rule)
  • Enforcement (new penalty levels)
  • Breach notification
  • Modifications of the HIPAA Privacy Rule as required by section 105 of the Genetic Information Nondiscrimination Act of 2008

Each rule is required by HITECH, signed into law in 2009 and enhancing privacy and security protections and enforcement.

Susan McAndrew, OCR’s deputy director for health information privacy, said at the 20th HIPAA Summit March 26 at the Renaissance Hotel in Washington, DC, that OCR will also publish guidance on business associate contracts, de-identification, and conducting risk assessments to determine breaches.

The latter promised guidance — assessing breaches — suggests OCR kept in a controversial provision of the interim final rule on breach notification: the harm threshold assessment. This threshold allows entities to conduct their own risk assessments on breaches and potentially avoid notifying individuals of breaches. If the breach is considered to have no financial or reputational harm, then entities don’t have to notify patients.

Many in the industry — and particularly some Congressmen — called for the harm threshold to be removed because patients should always know when their information may have been breached.

Asked by HCPro, Inc. in the online question forum March 26, McAndrew would not say whether the “harm threshold” is included in the final breach rule. She did say it will be a sub-component of a larger risk assessment.

“There is still going to be a need to conduct a risk assessment on whether it’s a technical breach defined by the statute,” McAndrew said. “Has it compromised the privacy and security of the information? That assessment still needs to be done.”

As for the accounting of disclosures proposed rule, McAndrew said that was not part of the final rules sent to the OMB for review March 24.