An omnibus rule to align HIPAA privacy regulations with more-stringent privacy protections contained in the American Recovery and Reinvestment Act of 2009 could be released soon.
The Office for Civil Rights at HHS, the chief federal healthcare privacy- and security-law enforcer and rule writer, has submitted "Modifications to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules" as a final rule to the White House Office of Management and Budget, according to a posting on the OMB's website.
Typically, OMB review is the last step in the federal rulemaking process before official publication of the rule.
The HIPAA omnibus rule will contain, essentially, regulations covering most of what is in the stimulus law, except the rule regarding the accounting of health information disclosures, which is on a separate rule-making track, according to Deven McGraw, a lawyer and the head of the Health Privacy Project at the Center for Democracy and Technology, a Washington think tank.
"The litany is long," McGraw said. "It's easier to think of what's not going to be in there."
The omnibus rule is expected to create regulations governing the use of patient information for marketing and to contain a stimulus-law requirement prohibiting the sale of patient data without patient authorization. It also is expected to deal with a so-called "harm standard" for breach notification, the subject of an earlier rulemaking misstep.
But for provider organizations, the most problematic new provision, in McGraw's view, will be the one addressing provider relationships with outside health information technology service providers, referred to as "business associates." The stimulus law expands business associates' direct liability under the HIPAA security rule and selectively expands their liability under the privacy rule, according to McGraw. A business associate agreement has "always been important," she said. "Now, they're even more important, because now there is a mechanism to enforce it."