On March 24, 2012, the Office for Civil Rights (OCR) sent Health Insurance Portability and Accountability Act (HIPAA) / Health Information Technology for Economic and Clinical Health Act (HITECH) final rules to the White House Office of Management and Budget (OMB) for review. The OMB review can take as long as 90 days, so some of the uncertainties surrounding HIPAA/HITECH compliance should begin to clear up by late June.
The HITECH Act was signed into law in 2009, requiring implementing regulations to be developed by OCR for several key provisions, including:
- The breach notification rule; an interim breach notification rule was released in August 2009, and a previous final rule was sent to OMB in May 2010 but subsequently withdrawn;
- The final HIPAA enforcement rule, implementing increased penalty levels; an interim rule was released in October 2009;
- The final rule implementing HITECH Act changes to the HIPAA privacy and security standards, which make business associates directly liable and responsible for security rule compliance; a notice of proposed rulemaking (NPRM) was released in July 2010; and
- The final rule implementing the Genetic Information Nondiscrimination Act of 2008’s changes to HIPAA’s privacy rule; a proposed rule was released in October 2009.
Interestingly, another controversial rule—addressing HITECH’s expanded requirements for accounting for disclosures—was not included in the final rules sent to OMB on March 24, 2012. The NPRM on accounting for disclosures, published in May 2011, is intended to implement the HITECH requirement that covered entities keep an accounting of disclosures, including those made to carry out treatment, payment and healthcare operations where disclosures are through an electronic health record, and to provide individuals with access to such reports.
OCR Deputy Director for Health Information Privacy Susan McAndrew, speaking earlier in March at the 20th National HIPAA Summit in Washington DC, stated that combining and issuing these four rules simultaneously should reduce the overall compliance burden by synchronizing compliance schedules and reducing the number of times covered entities will be required to amend their notices of privacy practices and business associate agreements.
Among the questions expected to be answered by the omnibus final rules is whether the controversial subjective assessment provision will remain in the breach notification rule. In the interim final rule for breach notification, covered entities are allowed to assess the likelihood of financial or reputational harm and potentially avoid notifying individuals of breaches. Consumer privacy advocates and some in Congress have been highly critical of this provision, espousing the view that individuals should always know when their information has been accessed or disclosed.
Additionally, the final rule is expected to establish whether subcontractors of business associates who access protected health information will also be required to comply with the privacy and security rules in the same manner as business associates, and the extent to which such “downstream” business associates will themselves incur direct liability for non-compliance.
Another issue expected to be settled by the final rules is whether a covered entity will be liable for actions of its business associates. Under current law, a covered entity will not be liable if the relevant business associate contract requirements have been met, the covered entity did not know of a violation, or did not fail to act as required by the rules once the business associate’s violation is known. The proposed rule removes these protections, expanding the liability of covered entities for acts of their agents. If this approach is finalized, covered entities may choose to implement audit programs of their business associates and of their downstream contractors as well. Notably, the Department of Health and Human Services reports that business associates have been responsible for 62 percent of the total number of patient records breached.