OCR: HIPAA mega rule in its 'last clearance lap'

The omnibus final rule implementing many of the changes to the Health Insurance Portability and Accountability Act (HIPAA) was accepted for review by the Office of Management and Budget (OMB) March 24, finally moving to its final clearance hurdle, according to Susan McAndrew, Deputy Director for Health Information Privacy at U.S. Department of Health & Human Services' Office for Civil Rights (OCR).

"'Very soon' has a real tangible meaning now. We look forward to an exciting year," she said, speaking on Monday at the 20th national HIPAA Summit in Washington, DC.

The mega rule, which McAndrew has also called "one big mother of a final regulation" combines four separate rulemakings: the changes to HIPAA's privacy and security rules mandated by the HITECH Act; the new enforcement requirements and higher penalty requirements; the final regulations of HITECH's breach notification rule; and changes to HIPAA to incorporate the Genetic Information Nondiscrimination Act (GINA). OCR also will release guidance to help entities implement the changes, including an updated business associate agreement.

OMB has up to 90 days to review the rule. McAndrew noted that OMB likely will use all of that time, since "ours is not the only rule over there." What she did not point out is that OMB also can ask for an extension.

McAndrew would not comment as to whether some of the more controversial provisions of the proposed rule--such as whether the harm threshold analysis to determine if a breach of unsecured patient information would adversely affect the patient--survived.

She did note, however, that OCR continues to work with the Office of the National Coordinator to increase consumer trust. She also noted that OCR helped the National Institute of Standards and Technology (NIST) develop an electronic tool to help entities comply with HIPAA's security rule.

To learn more:
- read about the HIPAA Summit
- here's information regarding the NIST guidance