Update from the Office for Civil Rights (OCR) on the issuance of the Notice of Proposed Rulemaking (NPRM) implementing changes to HIPAA under the Health Information Technology for Economic and Clinical Health Act (HITECH). Health care organizations and health lawyers have been anxiously awaiting rules implementing and interpreting the changes because the effective date for many of the HITECH requirements was February 17, 2010. Of particular interest has been whether or not health care organizations are required to amend their business associate agreements.
The notice seems to indicate that the date for compliance and enforcement may be delayed, since it states that the NPRM “will provide specific information regarding the expected date of compliance and enforcement.” However, covered entities and business associates need to weigh the risks of not complying with the new requirements while waiting for further clarification from OCR.
The notice states:
OCR will implement important privacy and security provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act through notice and comment rulemaking, as required by the Administrative Procedure Act. These provisions include: business associate liability; new limitations on the sale of protected health information, marketing, and fundraising communications; and stronger individual rights to access electronic medical records and restrict the disclosure of certain information. OCR continues work on a Notice of Proposed Rulemaking (NPRM) regarding these provisions. Although the effective date (February 17, 2010) for many of these HITECH Act provisions has passed, the NPRM and the final rule that follows will provide specific information regarding the expected date of compliance and enforcement of these new requirements.
However, interim final rules implementing HITECH Act provisions in two areas have already been issued and are currently in effect: enforcement and breach notification. New civil money penalty amounts apply to HIPAA Privacy and Security Rule violations occurring after February 17, 2009. Covered entities and business associates must comply now with breach notification obligations for breaches that are discovered on or after September 23, 2009. OCR announced previously that it would use its enforcement discretion not to impose fiscal sanctions with regard to breaches discovered before February 22, 2010. Since that date has passed, OCR will enforce the Breach Notification Interim Final Rule, including with the possible imposition of sanctions, as it does with the HIPAA Privacy and Security Rule requirements.