
Mar 05

Proposed HITECH rule for business associates will come soon, says OCR lawyer


An OCR lawyer tells HIPAA Update that the HIPAA privacy and security enforcer will release a proposed rule regarding the business associate (BA) provisions in HITECH “shortly.”

Adam H. Greene, Office of the General Counsel for OCR, wrote in an e-mail to Update that OCR’s rulemaking will elaborate on the expected date of compliance surrounding the rule.

Per HITECH, BAs had to be compliant with the HIPAA Security Rule and the use and disclosure provisions of the privacy rule by February 17 and had to enter into an updated agreement with their covered entities.

However, a law firm blogged last month that Greene said enforcement of some BA provisions will be delayed until final rules addressing those provisions are published.

In response to Greene’s statements at the American Bar Association’s (ABA’s) 11th Annual Conference on Emerging Issues in Healthcare Law, OCR tells HIPAA Update that covered entities and BAs must be in compliance with rules already published—including the interim final rule on breach notification. (OCR also published an interim final rule on enforcement, which includes greater civil and monetary penalties.)

Mike Robinson of HHS News, which handles media inquiries for OCR, wrote in an e-mail that “OCR will use our enforcement discretion to not impose sanctions for failure to provide the required notifications for breaches that are discovered before 180 calendar days from the publication of this rule, or February 22, 2010.”

He cited page 42756 of the Federal Register notice of the breach notification interim final rule.

No enforcement does not mean a break from compliance, however.

“I think it is important to remember that OCR may not be ready to enforce certain parts of the HITECH Act that were statutorily effective February 17, but this does not mean that lack of compliance is necessarily wise,” says Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR.

Apgar says BAs have been required to adhere to the same HIPAA regulations since 2003 (privacy) and 2005 (security) by contract. Also, while OCR may not levy a civil penalty, this does not prevent lawsuits alleging damages.

“Even though HIPAA includes no private right of action, HITECH did not specifically prohibit it for the HITECH provisions,” Apgar says. “And if someone is harmed because the entity did not adequately protect the individual’s PHI and they can prove harm, the entity still may find themselves paying out large sums of money in damages.”

The bottom line? Be compliant now.

“Lack of enforcement does not change the fact that, statutorily, entities are required to adhere to a number of new privacy and security requirements included in the HITECH Act, Subpart D, effective February 17, 2010,” Apgar says.

Though no enforcement plans have been announced regarding HITECH provisions, Robinson says OCR is serious about it. OCR gained 36 FTEs dedicated to HIPAA privacy and security rule compliance and enforcement this fiscal year and is now up to 132.

OCR has obtained corrective action—meaning entities taking significant and important actions to change practices to come into compliance with the privacy rule—in more than 14,900 cases since 2003.

“We strongly believe that enforcement efforts directed at obtaining changes in a covered entity’s operations, practices, and policies will benefit all individuals—past, present, and future—that entrust the covered entity with sensitive health information,” Robinson says. “Voluntary compliance and informal resolution are an efficient mechanism to resolve noncompliance and save resources for both OCR and a covered entity.”

Joanne Finnegan contributed to this report.
