Blog: Privacy rule said to be expected soon—really
Privacy, security rule update coming soon—honest.
The Office for Civil Rights at HHS is about to release its omnibus final rule on health information technology privacy and security—this time for sure.
“Stay tuned,” said Leon Rodriguez, director of the Office for Civil Rights, in a recent telephone interview. His office is the chief federal enforcement agency of privacy and security rules under the Health Insurance Portability and Accountability Act, and the lead rule writer for HHS of the HIPAA privacy and security rule amendments required under the American Recovery and Reinvestment Act of 2009.
“Stay really tuned,” Rodriguez said. “I would really watch closely in the coming weeks.”
But haven't we seen this movie?
Back in March 2012, the civil rights office shipped off its ARRA-mandated privacy and security rule update to the White House for what was then believed to have been only a perfunctory once-over by its Office of Management and Budget before its imminent release.
Then, 10 months passed, and “it's still with OMB as far as I can tell,” said lawyer and privacy expert Deven McGraw, director of the Health Privacy Project at the Center for Democracy & Technology, a Washington, D.C., think tank, and a member of the federally chartered Health Information Technology Policy Committee and co-chair of its privacy and security subcommittee, called a “tiger team.”
McGraw attributed the long delay in what is likely to be a controversial rule to “election politics,” but she, too, has heard rumblings recently that the final rule will be coming out soon.
“Here's another indication that that may in fact be true,” McGraw said. “In February, there is a HIPAA summit mid-month.” The event schedule calls for regulators to give a talk on the final rule, she said.
The new rule is expected to create more stringent regulations governing the responsibilities and liabilities of “business associates” of HIPAA covered entities.
According to publicly reported healthcare information breach data kept by the Office for Civil Rights, 104 of the 525 larger breaches reported to the agency since September 2009—breaches that exposed the personally identifiable patient records of 500 or more individuals—involved business associates.
Not yet on that list was the recent reported theft of a laptop computer from an employee of Omnicell, a Mountain View, Calif.,-based developer of hospital prescription drug cabinets and a provider of related data servers. On the unencrypted laptop were about 68,000 patient records from hospital systems in Michigan, New Jersey and Virginia.
McGraw said she expects the civil rights office also will to take a second shot at a “harm standard” to determine when public notification of breaches is warranted.
The agency's first attempt at fleshing out a harm standard was smacked down in 2010 by members of the House of Representatives then controlled by Democrats, who essentially accused HHS rule writers of overstepping Congressional authority.
McGraw said the Office for Civil Rights won't shy away from a second attempt at setting a harm standard.
“I think we really gave them some good suggestions,” McGraw said. “Keep in mind, there have been some political shifts since then.”
She also expects the office will address records disclosures for marketing.
“I think the marketing rule is a difficult one,” McGraw said. “There are some significant interests in keeping something like an overall opt out,” that is, where a patient would have to take action to prevent his or her healthcare information from being used for marketing purposes.
The ARRA also says a covered entity or a business associate “shall not directly or indirectly receive remuneration in exchange for any protected health information” without patient consent, subject to a fairly long list of exceptions, including for research, public health and others.
Another tricky requirement in the ARRA is one that attempts to expand patient consent. In 2002, HHS amended the HIPAA privacy rule from one in which consent was required for most data sharing, to one authorizing covered entities to exchange a patient's medical records without their consent for treatment, payment and a broad group of “other” healthcare operations.
The 2009 law says consent is required for the disclosure of patient information to a health plan for payment or health care operations (but not for treatment) if the information to be disclosed “pertains solely to a health care item or service for which the health care provider involved has been paid out of pocket in full.”
In its July 2010 proposed rule, HHS said that “Due to the myriad of treatment interactions between covered entities and individuals, we recognize that this provision may be more difficult to implement in some circumstances than in others.”
How all that will play out in black-and-white rule writing is hard to tell, McGraw said.
“They said, help us figure this out,” she said, “So, the final rule will be a mystery.”