Federal Government Announces Delay in Enforcement of Certain HITECH Changes to HIPAA Privacy and Security Rules
On March 15, 2010, the federal agency responsible for enforcing the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules made an important announcement about its plans for enforcement of some of the new privacy and security requirements added by the Health Information Technology for Economic and Clinical Health (HITECH) Act.[1] That agency, the Office for Civil Rights (OCR) within the Department of Health and Human Services, posted a notice on its Web site that appears to indicate that enforcement and compliance regarding certain provisions of HITECH will occur when OCR completes its rulemaking process for those requirements.[2]
Certain HITECH Rules Not Subject to the Delay
OCR is now enforcing the two changes that took effect in 2009: the increase in civil monetary penalties for privacy and security violations by HIPAA covered entities, and the new breach notification requirement applicable to HIPAA covered entities and their business associates.[3]
HITECH Rules with Delayed OCR Enforcement
The OCR-announced delay applies to several other provisions, namely those that have an effective date of February 17, 2010 under the terms of the HITECH Act but for which the rulemaking process is not yet complete (hereafter “the February 2010 provisions”):
Increased responsibilities and liability for business associates,
Changes to the right to request a restriction,
A stronger right to access protected health information (PHI) maintained in electronic health records, and
Changes affecting the use or disclosure of PHI for marketing and fundraising purposes.[4]
The announcement notes that OCR is working on a proposed rule and that both it and the final rule will provide specific information regarding the expected compliance and enforcement dates for these provisions. OCR states:
Although the effective date (February 17, 2010) for many of these HITECH Act provisions has passed, the NPRM [Notice of Proposed Rulemaking] and the final rule that follows will provide specific information regarding the expected date of compliance and enforcement of these new requirements.
Implications for Plan Sponsors
The announcement appears to be recognition by OCR of the difficulty in complying with provisions of the HITECH Act in the absence of regulations clarifying the obligations of both group health plans and their business associates. OCR indicates that its rule will provide information as to when compliance is expected and when enforcement will begin. Plan sponsors looking for guidance as to how to implement some of the HITECH provisions will not be able to determine with certainty what to do until these rules are published.
While OCR enforces the rules from a civil, federal perspective, there are other entities that could take action in the event of a violation, including state attorneys general and the U.S. Department of Justice for criminal violations. Consequently, plan sponsors should consult with legal counsel to determine their compliance plans for the new HITECH rules.
As with all issues involving the interpretation or application of laws and regulations, plan sponsors should rely on their attorneys for authoritative advice on the interpretation and application of the HITECH requirements. Sibson Consulting can be retained to work with plan sponsors and their attorneys on HIPAA compliance.
[1] For information about HITECH, see Sibson Consulting’s March 2009 Bulletin, “Stimulus Law Includes Major Changes to HIPAA Privacy and Security Rules.”
[2] That announcement is posted on the OCR Web site.
[3] For information about the breach notification requirement, see Sibson’s September 2009 Bulletin, “Final Regulations on HITECH Security Breach Notification for HIPAA Protected Health Information.”
[4] The OCR announcement listed one other change – new prohibitions on the sale of PHI – but that prohibition is not slated to go into effect until six months after OCR issues rules due by August 2010.
Capital Checkup is Sibson Consulting’s periodic electronic newsletter summarizing activity in Washington with respect to health care and related subjects. Capital Checkup is for informational purposes only. It is not intended to provide guidance on current laws or pending legislation. On all issues involving the interpretation or application of laws and regulations, plan sponsors should rely on their attorneys for legal advice.