By Judd A. Harwood
Bradley Arant Boult Cummings, LLP
Another month has gone by
without the publication of the final Health Insurance Portability and
Accountability Act of 1996 (HIPAA) and the Health Information Technology for
Economic and Clinical Health (HITECH Act) regulations (referred to as the HIPAA
Omnibus Final Rule). The HIPAA Omnibus Final Rule is expected to include
modifications to HIPAA privacy and security rules required under the HITECH
Act; data breach enforcement and penalty requirements; regulations related to
the HITECH Act’s breach notification rule; and changes to HIPAA to incorporate
the Genetic Information Nondiscrimination Act (GINA). The HIPAA Omnibus Final
Rule is also expected to extend HIPAA liability and obligations directly to business
associates and their subcontractors.
By way of background, on March 24, 2012 the Office of Civil
Rights (OCR) sent a final HIPAA Omnibus Final Rule to the Office of Management
and Budget (OMB) for review before publication in the Federal Register. Despite
indications from the Director of the OCR late this summer that the Omnibus
Final Rule was extremely close to publication, the OMB elected to extend its
review of the rule under Executive Order 12866. Under Executive Order 12866,
OMB is given ninety (90) days to review most proposed and final rules. However,
the Executive Order permits OMB to extend the review period for an additional thirty
(30) calendar days on its own, and, with the agreement of the agency head, for
longer periods of time.
It has now been over three and a
half years since the HITECH Act was passed and almost two and a half years
since the proposed HITECH Act regulations were published in July of 2010. As
autumn gives way to winter and proceed past the election season, there’s
no sign of the HIPAA Omnibus Final Rule yet. Healthcare attorneys and
compliance specialists have been left to speculate about what the hold-up is
and to eagerly wait for the issuance of the final rule.
No comments:
Post a Comment