Well here we are, nearing the end of a busy year in health IT. And while there have been many major developments in the industry over the last 12 months, one bit of unfinished business still hangs unresolved: the final HIPAA omnibus rule, proposed more than two years ago.
This is the set of regulations that was originally set to be published early last summer and that will update 1990s-era HIPAA enforcement for the digital medical records era. But delay after delay has left the industry heading toward 2013 with no clear rules in place. And no resolution is imminent. At yesterday’s Health Privacy and Security Forum in Boston, Office of Civil Rights director Leon Rodriguez said the final rule is still under review and he can’t say when it will be published. In other words, don’t hold your breath.
A lot is riding on the regulations included in the HIPAA omnibus rule. It will amend provisions of the HIPAA privacy and security rules as required by the HITECH Act, update data breach notification requirements and add provisions of the Genetic Information Non-Discrimination Act to the HIPAA regulation set. The manner in which these rules are implemented could have far-reaching implications for how hospitals make IT decisions, as it will detail security requirements for business associates and their sub-contractors.
Organizations whose 2013 IT planning depends upon the shape of the new rules do have some guidance to follow. OCR has posted its proposed audit protocols, and it plans to move its audit program out of pilot and into practice next year. The protocols outline security features and processes providers must have in place in order to be in compliance with all HIPAA regulations. Some providers who have been audited in the pilot program shared what OCR’s teams were looking for at their facilities.
But until the omnibus rule is finalized, this is no sure bet. Some commentators have speculated that the rule has been delayed so long because certain provisions are being changed, which may make OCR’s published guidance obsolete by the time the actual rules are published.
Given all that is riding on the omnibus rule, I’m sure compliance officers at covered entities and vendors who must sign business associate agreements are hoping they will find the finalized regulation in their Christmas stockings before the end of the year. This may be the first time anyone has ever put a mammoth piece of federal regulation on their holiday wish list.