By Judd A. Harwood
Bradley Arant Boult Cummings, LLP
Another month has gone by without the publication of the final Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH Act) regulations (referred to as the HIPAA Omnibus Final Rule). The HIPAA Omnibus Final Rule is expected to include modifications to HIPAA privacy and security rules required under the HITECH Act; data breach enforcement and penalty requirements; regulations related to the HITECH Act’s breach notification rule; and changes to HIPAA to incorporate the Genetic Information Nondiscrimination Act (GINA). The HIPAA Omnibus Final Rule is also expected to extend HIPAA liability and obligations directly to business associates and their subcontractors.
By way of background, on March 24, 2012 the Office of Civil Rights (OCR) sent a final HIPAA Omnibus Final Rule to the Office of Management and Budget (OMB) for review before publication in the Federal Register. Despite indications from the Director of the OCR late this summer that the Omnibus Final Rule was extremely close to publication, the OMB elected to extend its review of the rule under Executive Order 12866. Under Executive Order 12866, OMB is given ninety (90) days to review most proposed and final rules. However, the Executive Order permits OMB to extend the review period for an additional thirty (30) calendar days on its own, and, with the agreement of the agency head, for longer periods of time.
It has now been over three and a half years since the HITECH Act was passed and almost two and a half years since the proposed HITECH Act regulations were published in July of 2010. As autumn gives way to winter and proceed past the election season, there’s no sign of the HIPAA Omnibus Final Rule yet. Healthcare attorneys and compliance specialists have been left to speculate about what the hold-up is and to eagerly wait for the issuance of the final rule.