Upcoming OCR Rules to Provide HITECH Guidance
Excerpted from:
Employer's Guide to HIPAA Privacy Requirements
Rules being developed by the U.S. Department of Health and Human Services (HHS) will help clarify and implement the stimulus law's recent HIPAA changes, the agency's chief HIPAA privacy official told a recent conference.
The American Recovery and Reinvestment Act’s (ARRA) new requirements for business associates and electronic access will be the subject of rules HHS’ Office for Civil Rights (OCR) plans to issue this fall, according to Susan McAndrew, OCR deputy director for health information privacy. The agency also “will be going back into the marketing definition” to require an authorization for certain uses of protected health information (PHI) that did not need one in the past, she added.
ARRA’s Health Information Technology for Economic and Clinical Health (HITECH) Act also calls for OCR guidance on what constitutes the minimum necessary PHI. “They wanted the limited data set looked at as a default,” but the act’s immediate effect on minimum necessary is unclear, McAndrew said. “We seemed to have gone around the bush and come back to where we were.”
OCR may revise its recent rules on breach notification, depending on the comments it receives on the Aug. 24 “interim final” regulations, McAndrew noted. Comments are due Oct. 23, and “there will be a final rulemaking process that follows this,” she said.
Thompson's Employer's Guide to HIPAA Privacy Requirements will continue to provide detailed coverage of HITECH rules and guidance as HHS issues them.
The HITECH Act’s strict new HIPAA enforcement provisions, in addition to substantially raising the civil penalties, require certain specific actions on OCR’s part, McAndrew continued. “The HITECH Act has asked us to focus on willful neglect cases” and perform periodic audits.
“We are weighing our options on what kind of audit programs are out there,” including self-reporting and partnering with HHS’ Office of Inspector General, McAndrew said. However, random onsite visits of the type performed by workplace safety inspectors are “probably not the best way to go about this” given OCR’s limited resources, she noted.
Enforcement will be aided by HHS’ recent transfer of HIPAA security authority to OCR from the Centers for Medicare and Medicaid Services, McAndrew said. “We are very happy to now have the privacy and security rule together in a unified enforcement process,” she said. “This just streamlines the decisionmaking process and allows those investigations to go forward more expeditiously.”
OCR is consulting with the U.S. Government Accountability Office on another HITECH requirement to develop a system within three years to distribute a percentage of civil monetary penalties to harmed individuals, McAndrew continued. Over the next few months, HHS also will launch a national education mission to consumers about electronic health records and participation in health information exchange (HIE), she added.
“We are going to be doing studies on de-identification, as well as guidance on security and technical safeguards,” McAndrew said. She spoke Sept. 16 at the 17th National HIPAA Summit in Washington, D.C.

