The long-awaited final regulations arising from the Health Information Technology for Economic and Clinical Health Act (“HITECH”) appear finally to be near publication. On March 24, 2012, the Office of Management and Budget (“OMB”) accepted for review the final HITECH regulations from the Department of Health and Human Services (“HHS”). The OMB will review the regulations to assess their economic and other impacts, a process that likely will take most of the 90-day period allotted to complete the review. Based on that timetable, it is anticipated that HHS will publish the regulations in mid to late June.
HHS is referring to the final HITECH regulations as an “omnibus” regulation because it will finalize four separate rulemakings:
- The 2010 HITECH proposed rule, which includes provisions regarding the direct application of HIPAA to business associates, uses and disclosures for marketing and fundraising, prohibition on the sale of protected health information, the right to obtain information in electronic format and the right to request restrictions on disclosures to health plans for services paid out-of-pocket in full;
- The 2009 interim final rule regarding breach notification;
- The 2009 interim final rule regarding enforcement, which increased penalties and addressed other enforcement provisions of HITECH; and
- The 2009 proposed rule under the Genetic Information Nondiscrimination Act (“GINA”), which prohibits health plans from using genetic information for underwriting purposes.
The final HITECH regulations will not, however, address the 2011 proposed rule regarding accounting for disclosures. That rule proposed to clarify the accounting for disclosures requirement under HIPAA and also to create a new right to an access report of all uses and disclosures of protected health information in an electronic health record, including uses and disclosures for treatment, payment and health care operations. HHS intends to issue that final rule separately at a later date.
The final HITECH rule will require that covered entities amend or replace business associate agreements and notices of privacy practices, revise policies and procedures and retrain workforce members. Covered entities should take the following steps to position their organizations to implement the changes resulting from the regulations:
- Compile and have ready access to your organization’s HIPAA policies and procedures. These will need to be reviewed and revised once the new regulations are issued.
- Identify all business associates and other third parties who create, maintain or access protected health information on behalf of your organization and collect all written agreements with those parties. These agreements will need to be revised once the new regulations are issued. Identify whether any agreements are missing.
- Consider performing a risk analysis under the HIPAA Security Rule if you haven’t done so recently. The risk analysis is a key component of compliance that helps identify any security vulnerabilities that may exist. Organizations should begin addressing the highest risk deficiencies as soon as possible.
- Determine the processes, systems and devices used by your organization that involve the flow of protected health information and identify who in your organization has access to such information. Workforce access to protected health information should occur only to the extent required to perform essential job functions. Effective controls on portable electronic devices will also be a key element to address.
- Map the processes and procedures for responding to requests by individuals regarding how their information is used and disclosed. Organizations must be able to comply with the individual rights provisions of HIPAA, as revised by the final HITECH regulations.
- Make preliminary plans to conduct workforce training on the new requirements shortly after the regulations are issued. Covered entities will be expected to educate their workforce members as soon as reasonably practicable.
Business associates and their subcontractors that have existing HIPAA compliance programs would also be well-advised to take these steps to prepare for the new regulations. Business associates and/or subcontractors that do not already have HIPAA compliance programs should start the process of creating one. Business associate compliance is expected to be a main focus area in the new regulations.
Once the final HITECH regulations are issued, we will publish a series of alerts summarizing the various components of the regulation as part of our HIPAA Impact Series. Hall Render’s HIPAA Impact Series has provided in-depth analysis of HIPAA issues and developments since the passage of HITECH. Our HIPAA Impact Series may be accessed at www.hallrender.com/impact.
If you need additional information about HIPAA/HITECH, please contact Mark J. Swearingen at 317.977.1458 or mswearingen@wp.hallrender.com, Elizabeth Callahan-Morris at 248.457.7854 or ecallahan@wp.hallrender.com, Monica C. Hocum at 414.721.0454 or mhocum@wp.hallrender.com or your regular Hall Render attorney.