Then, 10 months passed, and “it's still with OMB as far as I can tell,” said lawyer and privacy expert Deven McGraw, director of the Health Privacy Project at the Center for Democracy & Technology, a Washington, D.C., think tank, and a member of the federally chartered Health Information Technology Policy Committee and co-chair of its privacy and security subcommittee, called a “tiger team.”
McGraw attributed the long delay in what is likely to be a controversial rule to “election politics,” but she, too, has heard rumblings recently that the final rule will be coming out soon.
“Here's another indication that that may in fact be true,” McGraw said. “In February, there is a HIPAA summit mid-month.” The event schedule calls for regulators to give a talk on the final rule, she said.
The new rule is expected to create more stringent regulations governing the responsibilities and liabilities of “business associates” of HIPAA covered entities.
According to publicly reported healthcare information breach data kept by the Office for Civil Rights, 104 of the 525 larger breaches reported to the agency since September 2009—breaches that exposed the personally identifiable patient records of 500 or more individuals—involved business associates.
Not yet on that list was the recent reported theft of a laptop computer from an employee of Omnicell, a Mountain View, Calif.-based developer of hospital prescription drug cabinets and a provider of related data servers. On the unencrypted laptop were about 68,000 patient records from hospital systems in Michigan, New Jersey and Virginia.
McGraw said she expects the civil rights office also will take a second shot at a “harm standard” to determine when public notification of breaches is warranted.
The agency's first attempt at fleshing out a harm standard was smacked down in 2010 by members of the House of Representatives then controlled by Democrats, who essentially accused HHS rule writers of overstepping Congressional authority.
McGraw said the Office for Civil Rights won't shy away from a second attempt at setting a harm standard.
“I think we really gave them some good suggestions,” McGraw said. “Keep in mind, there have been some political shifts since then.”
She also expects the office will address records disclosures for marketing.
“I think the marketing rule is a difficult one,” McGraw said. “There are some significant interests in keeping something like an overall opt out,” that is, where a patient would have to take action to prevent his or her healthcare information from being used for marketing purposes.
The ARRA also says a covered entity or a business associate “shall not directly or indirectly receive remuneration in exchange for any protected health information” without patient consent, subject to a fairly long list of exceptions, including for research, public health and others.
Another tricky requirement in the ARRA is one that attempts to expand patient consent. In 2002, HHS amended the HIPAA privacy rule from one in which consent was required for most data sharing, to one authorizing covered entities to exchange a patient's medical records without their consent for treatment, payment and a broad group of “other” healthcare operations.
The 2009 law says consent is required for the disclosure of patient information to a health plan for payment or health care operations (but not for treatment) if the information to be disclosed “pertains solely to a health care item or service for which the health care provider involved has been paid out of pocket in full.”
In its July 2010 proposed rule, HHS said that “Due to the myriad of treatment interactions between covered entities and individuals, we recognize that this provision may be more difficult to implement in some circumstances than in others.”
How all that will play out in black-and-white rule writing is hard to tell, McGraw said.
“They said, help us figure this out,” she said. “So, the final rule will be a mystery.”