HIPAA-HITECH Final Rule To Be Published in March

Thursday, January 06, 2011

Rebecca Herold

65be44ae7088566069cc3bef454174a7

On December 20, 2010, the U.S. federal government published “Part II: Regulatory Information Service Center: Introduction to The Regulatory Plan and the Unified Agenda of Federal Regulatory and Deregulatory Actions.” 

If you are a healthcare Covered Entity (CE), Business Associate (BA) or BA subcontractor, as defined under HIPAA and HITECH, this should be of interest to you. 

Why?  Because within it is the long-awaited Department of Health and Human Services (HHS) timeline for when they would publish the final rule of the Notice of Proposed Rule Making (NPRM) that came out in July, 2010

The date?  Well, it’s not a day, but a month; at least it’s better than vaguely saying sometime in 2011.

According to this official document, the HHS will issue the final rule in March of 2011.  CEs, BAs, and subcontractors, be prepared!

The specific excerpt about the release of the HIPAA/HITECH Final Rule from this long (261 pages) “Part II…” document is from numbered page 79521 (document page 74) as follows:

41. MODIFICATIONS TO THE HIPAA PRIVACY, SECURITY, AND ENFORCEMENT RULES UNDER THE HEALTH INFORMATION TECHNOLOGY FOR ECONOMIC AND CLINICAL HEALTH ACT
Priority: Economically Significant. Major under 5 USC 801.

Legal Authority: PL 111–5, secs 13400 to 13410

CFR Citation: 45 CFR 160; 45 CFR 164

Legal Deadline: NPRM, Statutory, February 17, 2010.

Abstract:

The Department of Health and Human Services Office for Civil Rights will issue rules to modify the HIPAA Privacy, Security, and Enforcement Rules as necessary to implement the privacy, security, and certain enforcement provisions of subtitle D of the Health Information Technology for Economic and Clinical Health Act (title
XIII of the American Recovery and Reinvestment Act of 2009).

Statement of Need:

The Office for Civil Rights will issue rules to modify the HIPAA Privacy, Security, and Enforcement Rules to implement the privacy and security provisions in sections 13400 to 13410 of the Health Information Technology for Economic and Clinical Health Act (title XIII of Division A of the American Recovery and Reinvestment Act of 2009, Pub. L. 111-5). These regulations will improve the privacy and security protection of health information.

Summary of Legal Basis:

Subtitle D of the Health Information Technology for Economic and Clinical Health Act (title XIII of the American Recovery and Reinvestment Act of 2009) requires the Office for Civil Rights to modify certain provisions of the HIPAA Privacy and Security Rules to implement sections 13400 to 13410 of the Act.

Alternatives:

The Office for Civil Rights is statutorily mandated to make modifications to the HIPAA Privacy and Security Rules to implement the privacy provisions at sections 13400 to 13410 of the Health Information Technology for Economic and Clinical Health Act (title XIII of the American Recovery and Reinvestment Act of 2009).

Anticipated Cost and Benefits:

These modifications to the HIPAA Privacy, Security, and Enforcement Rules will benefit health care consumers by strengthening the privacy and security protections afforded their health information by HIPAA covered entities and their business associated. The Agency believe the primary cost associated with this regulation will be for covered entities to revise and redistribute their notices of privacy practices to ensure health care consumers are informed of their new rights and protections. The Agency estimates the cost of revising and redistributing these notices to total approximates $166.1 million over the first year following the effective date of the regulation. Of this total, the cost heal care providers is estimated to be approximately $46 million and to health plans to be approximately $120.1 million. The Agency does not believe that the additional modification to Privacy, Security, or Enforcement Rules required by this regulation will significantly increase covered entity or business associates and in some cases will reduce burden. Further, it is expected that the costs of modifying business associate contracts will be mitigated both by the additional one year transition period which will allow the costs of modifying contracts to be incorporated into the normal renegotiation of contracts as the contracts expire, as well as sample business associate contract language to be provided by the Agency.

Timetable: Action Date FR Cite Final Action 03/00/11 Regulatory Flexibility Analysis

Required: Yes

Small Entities Affected: Businesses, Governmental Jurisdictions, Organizations

Government Levels Affected: Federal, Local, State, Tribal

Agency Contact: Andra Wicks, Department of Health and Human Services 200

Independence Avenue SW. Washington, DC 20201 Phone: 202 205–2292

Email: andra.wicks@hhs.gov

RIN: 0991–AB57

Cross-posted from Privacy Professor

Possibly Related Articles:
18833
HIPAA
HIPAA Compliance Regulation HITECH Healthcare HHS
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.