March 24, 2012. Today, the Office of Information and Regulatory Affairs at the Office of Management and Budget (OMB) in the Executive Office of the President showed that it had received the much-delayed Department of Health and Human Services (HHS) Office for Civil Rights (OCR) Final Rules entitled: Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules (RIN: 0945-AA03). Following review by OMB, the rules will be published in the Federal Register, most likely in April if OMB’s review is timely.
The Abstract of the Rules reads: “The Department of Health and Human Services Office for Civil Rights will issue final rules to modify the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules as necessary to implement the privacy, security, enforcement, and breach notification provisions of Subtitle D of the Health Information Technology for Economic and Clinical Health Act (Title XIII of the American Recovery and Reinvestment Act of 2009), and will modify the HIPAA Privacy Rule as required by section 105 of the Genetic Information Nondiscrimination Act [GINA] of 2008.”
For the provisions of the HITECH Act underpinning the modifications, see Subtitle D (123 STAT. 258-279) and for the provisions underpinning GINA, see 42 USC 1320d-9.
As we have reported in previous postings, OCR privacy and security audits are underway, and privacy and security breaches impacting 500 or more individuals, required to be publicly disclosed on OCR’s Web site, continue to grow. As of today, 409 breaches have impacted 19,168,745 individuals from September 22, 2009 through February 11, 2012. About 18.5 percent of all of those breaches involve business associates, who will be required to implement the HIPAA Security Rule just as covered entities are required under HIPAA today. About 60 percent of all of those breaches involve electronic devices or media. Over 91 percent of theft and losses of electronic devices or media involve laptops or other portable electronic devices. Presumably, with compliance audits and significantly increased financial penalties for non-compliance, release now of the modified Final Rules will heighten attention by covered entities to achieve privacy and security compliance and to avoid a privacy or security breach by encrypting protected health information (PHI) on laptops and other portable electronic devices (e.g., smart phones and tablets).
HIPAA.com will have a series of postings on these Final Rules beginning when they are published in the Federal Register.