On June 7, 2012, Leon Rodriguez, the director of the Office for Civil Rights of the U.S. Department of Health and Human Services (HHS) stated, at a conference sponsored by HHS and the National Institute of Standards and Technology, that the omnibus HIPAA/HITECH Act rule’s publication date is “very close.” Previously, at the 20th National HIPAA Summit on March 26, 2012, Rodriguez announced that, on March 24, the Office of Management and Budget accepted the omnibus HIPAA rule for its 90-day cost/benefit analysis review. The omnibus rule will finalize many of the HIPAA Privacy Rule and Security Rule changes set forth in the Notice of Proposed Rulemaking published in July 2010. It will also contain final rules addressing portions of the Genetic Information Nondiscrimination Act of 2008. Additionally, it will address comments received relating to the August 2009 interim final rule regarding breach notifications, as well as the interim final enforcement rule published in October 2009.
Breach Notifications Demonstrate “Considerable Vulnerabilities”
In his remarks at the HIPAA Summit, Rodriguez stated that the increase in HIPAA enforcement that the industry has experienced over the past two years “will continue and it will intensify.” He stated that HIPAA enforcement will start to look more like enforcement in the fraud and abuse arena, and “that is actually where we are going right now.” Rodriguez observed that the breach notifications that the Office for Civil Rights (OCR) receives demonstrate “considerable vulnerabilities” in privacy and security and “that means that the environment needs to change.” He indicated that the healthcare industry needs to address privacy and security with the same vigilance it applies to protecting against billing fraud.
Susan McAndrew, deputy director for Health Information Privacy for OCR, also spoke at the HIPAA Summit. “We look forward to a very exciting year and improving enforcement,” she stated. In addition, she indicated that OCR looks forward to having the omnibus rules released “very soon.” McAndrew observed that one of the areas addressed by the final rules will be the HITECH Act’s extension of liability to business associates and subcontractors for compliance with provisions of the HIPAA Security Rule, as well as their business associate agreements. She stated that business associate compliance “is going to be a key area where we are working on guidance.” McAndrew also indicated that OCR plans to publish an updated sample business associate agreement.
Now Is the Time to Address Compliance
As they wait for the publication of the final rules, HIPAA-covered entities and their business associates should begin now to address compliance. Presumably, most covered entities have existing compliance plans, but those will likely need to be updated. While healthcare entities and their contractors will likely have at least 180 days to come into compliance once the rules are published, the volume of work required to implement a comprehensive HIPAA compliance plan necessitates immediate action for business associates and others that have not yet begun the process. At a minimum, business associates should start to analyze the potential risks and vulnerabilities that may apply to the health information they possess. Business associates should also determine what HIPAA agreements, policies and procedures, and other documentation already exist, and what will need to be developed or updated to conform to the final rules. Additionally, it will be important for business associates, as well as covered entities, to make sure employees have been trained on HIPAA’s requirements, as well as the entity’s policies and procedures.
There are other HIPAA requirements on the horizon. For example, Denise Buenning, director of the Administrative Simplification Group of the Office of E-Health Standards and Services at the Centers for Medicare and Medicaid Services deals with standards adoption, as well as HIPAA transaction and code set enforcement. At the HIPAA Summit, Buenning discussed the fact that health plans will eventually have to certify to the government that they are compliant with all HIPAA transactions, code sets and operating rules. Significant penalties will apply for failure to certify. The Notice of Proposed Rulemaking is currently being drafted. There is a statutory penalty of $1.00 per covered life for each day a plan is out of compliance with the certification requirement. The fine is capped at $20 per covered life per year or $40 per covered life per year for deliberate misrepresentation. When asked whether employers that sponsor self-insured health plans will be subject to penalties for failure to certify, Buenning indicated that a decision on that point is still in process.
Now would be a very good time for employers with self-insured health plans to have discussions with their third-party administrators (TPAs) to determine whether the employer’s plan is in compliance and will remain in compliance as the various standards become effective. If there are opportunities to incorporate additional compliance requirements into TPA agreements, that could be useful as well.
The pending HIPAA and HITECH Act changes will have far-reaching effects for all segments of the healthcare industry. Healthcare providers, health plans and their business associates should revisit existing compliance plans and get ready to implement the rule changes as they are published.