According to the OIRA web site, on Saturday, March 24 the Office of Information and Regulatory Affairs (OIRA) at the Office of Management and Budget (OMB) received the much-delayed Department of Health and Human Services (HHS) Office for Civil Rights (OCR) Final Rules that had been bundled together in what was called “Omnibus Final Rulemaking”.

Rulemaking is among the most important and controversial functions performed by Executive Branch agencies like HHS. One of the most persistent and serious problems in rulemaking is delay in the issuance of rules, driven by legal requirements, bureaucratic process, and political influence. For Covered Entities, Business Associates and their agents and subcontractors, this one has been a long time coming: the “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules” Notice of Proposed Rulemaking (NPRM) was initially published in July 2010.

The abstract reads: “The Department of Health and Human Services Office for Civil Rights will issue final rules to modify the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules as necessary to implement the privacy, security, enforcement, and breach notification provisions of Subtitle D of the Health Information Technology for Economic and Clinical Health Act (Title XIII of the American Recovery and Reinvestment Act of 2009), and will modify the HIPAA Privacy Rule as required by section 105 of the Genetic Information Nondiscrimination Act of 2008.”

We expect the Rules to be finalized in April (2012!).

We first learned about the “Omnibus Final Rulemaking” while attending the NIST/OCR HIPAA Security Conference in May 2011: it was forthcoming, would include Final Rules for all four of these HIPAA-HITECH related rules, and would be completed before the end of 2011. The four rules to be included were:

  • Genetic Information Non-discrimination Act NPRM (10/01/09)
  • Breach Notifications IFR (08/24/09)
  • Enforcement and Compliance IFR (10/30/09)
  • HITECH Privacy/Security/Enforcement NPRM (7/14/10)

The HITECH content would address areas such as Business Associates, enforcement, electronic access, marketing, fundraising, the prohibition on sale of PHI, and the right to request restrictions. Other content would cover research authorizations and student immunization records.

Among the biggest changes will be those related to Business Associates (BAs), subcontractors and other parties, as HITECH casts a much wider net over millions of organizations. HITECH Sections 13401 and 13404 make BAs accountable to consumers and to HHS for protecting the privacy and security of protected health information, and directly liable for criminal and civil penalties for violations of certain provisions of the HIPAA Privacy and Security Rules. As it specifically relates to these other parties, the NPRM proposes:

  • Requiring that BAs comply with the technical, administrative, and physical safeguard requirements under the Security Rule.
  • Prohibiting a BA from making a use or disclosure in violation of the Privacy Rule.
  • Including Health Information Organizations, E-prescribing Gateways, and PHR vendors that provide services to covered entities as BAs.
  • Clarifying that BAs are liable whether or not they have an agreement in place with the Covered Entity (CE).
  • Defining subcontractors as BAs; clarifying that BA liability flows to all subcontractors.

Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.