The HIPAA omnibus rule will essentially contain regulations covering most of what is in the stimulus law, except the rule on accounting of health information disclosures, which is on a separate rule-making track, according to Deven McGraw, a lawyer and the head of the Health Privacy Project at the Center for Democracy and Technology, a Washington think tank.
"The litany is long," McGraw said. "It's easier to think of what's not going to be in there."
The omnibus rule is expected to create regulations governing the use of patient information for marketing and contain a stimulus-law requirement prohibiting the sale of patient data without patient authorization. It also is expected to deal with a so-called "harm standard"—the subject of an earlier rulemaking misstep—for breach notification.
But for provider organizations, the most problematic new provision, in McGraw's view, will be the one addressing provider relationships with outside health information technology service providers, referred to as "business associates." The stimulus law expands business associates' direct liability under the HIPAA security rule and selectively expands their liability under the privacy rule, according to McGraw. A business associate agreement has "always been important," she said. "Now, they're even more important, because now there is a mechanism to enforce it."