NAIDonline.org – March 28, 2012

Last December, the U.S. Department of Health and Human Services (HHS) publicly committed to releasing the long awaited Health Information Technology for Economic and Clinical Health (HITECH) final rule this month. Despite that commitment, there are now confirmed reports that the HIPAA/HITECH rule will not be published until the summer.

On March 24 the U.S. Office of Management and Budget (OMB) received the rule from HHS. OMB has up to 90 days in which to review the rule (although it often receives an extension on that deadline). This rule will include four parts: the primary changes to the HIPAA Privacy and Security rules, stemming from the July 2010 proposed rule; the final breach notification rule; changes to the enforcement rule dealing with process and penalty levels; and certain changes from the Genetic Information Nondisclosure Act. This “mega rule” will not address the controversial proposed changes to the HIPAA accounting rule, which are on a different timetable.

Accordingly, while this process is moving through its final stages, the rule likely will not be released until mid-summer at the earliest, presuming the OMB does not push for additional changes. It is expected that companies will have seven months from the publication of the rule to be compliant with its provisions. The substance of the rule will not change, so companies can begin preparing for this requirement now.

“The final rule is a 10 on the data protection Richter scale,” said NAID CEO Bob Johnson. “It will mark the date that fines for improper disposal of medical information become mandatory in most circumstances. It will also mark the moment that small medical practices are forced to take secure destruction of information more seriously as publicity on the issue goes through the roof.”