HIPAA Omnibus Package: A Waiting GameCIOs, CISOs Ponder Compliance Moves
Now that the presidential election is finally over, healthcare reform and the HITECH electronic health records incentive program look like they're here to stay. But there's still a big uncertainty lingering: A long-overdue omnibus package of regulations that includes extensive HIPAA modifications.
Executives at healthcare organizations say the delay is creating a cloud of uncertainty that's making it difficult to set privacy and security priorities.
"We have not allocated resources to omnibus yet," says Ed Ricks, CIO at Beaufort (S.C.) Memorial Hospital. "The biggest thing is that we want to have the right resources ready to comply and do the right thing." But preparing for rules not yet released is a challenge in light of all the other compliance-related work already under way, he notes. That ranges from participation in the HITECH Act electronic health record incentive program to preparing for the upcoming shift to ICD-10 claims codes.
The omnibus package, which has been repeatedly delayed, will include a variety of components. For example, it will spell out extensive modifications to the HIPAA privacy, security and enforcement rules, as called for under the HITECH Act. A proposed version of the HIPAA modifications, which includes clarifying that business associates and their subcontractors must comply with HIPAA, was issued way back in 2010.
The package also will include a final version of the HIPAA breach notification rule. An interim final version of the rule has been in effect since September 2009. And healthcare organizations are anxiously awaiting the final version, which federal officials say will include clarification of when a breach must be reported (see: HIPAA Modifications: What to Expect).
Another rule in the package will spell out that using genetic information for insurance underwriting purposes is a privacy violation, as well as discriminatory, under the Genetic Information Non-Discrimination Act.
The Office for Civil Rights, a unit of the Department of Health and Human Services that enforces HIPAA, is mum on when the long overdue rules might be issued. "We have no updates to share at this time and cannot anticipate timing of publication," says an OCR spokeswoman.
The package of regulations remains under review at the Office of Management and Budget, which scrutinizes regulations before they're finalized. OMB received the latest version of the regulations for review in March. And in June, the agency said it was extending the review period. Nothing more about the status or timing of a final rule has surfaced since then.
Some observers expect that publication will happen soon now that the election is over. "I am cautiously optimistic for publication in December," says Adam Greene, a former OCR official who now is a partner at the law firm Davis Wright Tremaine.
Dixie Baker, a member of several panels that advise the Office of the National Coordinator for Health IT, speculates that the delay might be due to "verbiage related to healthcare reform." OMB may have been holding the regulations because some wording might have needed to change if Mitt Romney won the election and the future of healthcare reform was in doubt, says Baker, who is senior partner at the consulting firm Martin, Blanck and Associates.
Waiting it Out
Greene says prompt publication of the overdue rules will enable hospitals, physician groups and others to firm up their plans for 2013 and beyond.
"With all the priorities facing healthcare organizations in 2013, and limited resources to spend on areas like privacy and security, there is a real danger that time and energy focused on responding to changes from the omnibus package [means there will be] less time and effort [that can be devoted to] addressing critical privacy and security issues such as mobile device security, thorough enterprisewide risk assessment and encryption efforts," he says.
Shelia Searson, chief privacy officer at UAB Medical Center in Birmingham, Ala., is anxious to see the new rules so that her organization can move forward with implementing required changes, such as updating its privacy notice provided to patients.
Searson believes the final modifications to HIPAA will likely require that the notice make reference to UAB's involvement in health information exchanges, describe fundraising activities and spell out that patients have a right to ask for restrictions in disclosing information.
Beaufort Memorial's Ricks says publication of all the new rules will help the hospital get a better handle on resources needed to comply. "It's an untenable strategy because we also know that [Medicare] reimbursements will decline," he says.
And Greene points out that the HIPAA modifications will reinforce the need to work with business associates to make sure they're HIPAA-compliance.
"The opportunity to revisit business associate agreements will provide health care organizations an opportunity to revisit and improve their management of vendor privacy and security, which has proven to be a real weak link for many organizations," he says.