On July 1, 2010, the Office of Management and Budget (OMB) completed review of the Notice of Proposed Rulemaking (NPRM) entitled: Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] (RIN: 0991-AB57). The NPRM was received at OMB for review on April 12, 2010. It likely will be published in the Federal Register imminently.
Legal authority for the NPRM is in Sections 13400 to 13410 of Subtitle D (Privacy) of the HITECH Act, which was enacted on February 17, 2009, as part of the American Recovery and Reinvestment Act of 2009 (Public Law 111-5). Those sections cover:
13401: Application of Security Provisions and Penalties to Business Associates of Covered Entities; Annual Guidance on Security Provisions
13402: Notification in the Case of Breach
13403: Education on Health Information Privacy
13404: Application of Privacy Provisions and Penalties to Business Associates of Covered Entities
13405: Restrictions on Certain Disclosures and Sales of Health Information; Accounting of Certain Protected Health Information Disclosures; Access to Certain Information in Electronic Format
13406: Conditions on Certain Contacts as Part of Health Care Operations
13407: Temporary Breach Notification Requirement for Vendors of Personal Health Records and Other Non-HIPAA Covered Entities
13408: Business Associate Contracts Required for Certain Entities
13409: Clarification of Application of Wrongful Disclosures Criminal Penalties
13410: Improved Enforcement
These sections appear in Subtitle D (Privacy) on pp. 258-276 of Public Law 111-5, which is available for download on hipaa.com. The NPRM contains enabling rules for statutory provisions in some or all of those sections.
The Abstract of the NPRM is:
“The Department of Health and Human Services Office for Civil Rights will issue rules to modify the HIPAA Privacy, Security, and Enforcement Rules as necessary to implement the privacy, security, and certain enforcement provisions of subtitle D of the [HITECH Act] (Title XIII of the American Recovery and Reinvestment Act of 2009).”
In addition to the NPRM discussed above, OMB still has under review the Final Rule entitled: HIPAA Administrative Simplification; Notification in the Case of Breach (RIN: 0991-AB56), which would replace the Interim Final Rule that was published in the Federal Register on August 24, 2009 (74 Federal Register 42739-42770).
The Abstract of the Final Rule is:
“The Department will issue final rules for HIPAA covered entities and business associates with respect to breach notification of unsecured protected health information as required by section 13402 of the [HITECH Act] (Title XIII of the American Recovery and Reinvestment Act of 2009).”