Susan McAndrew, deputy director for health information privacy at the Office for Civil Rights (OCR), indicated this week that various final regulations modifying the HIPAA privacy and security rules required by the Health Information Technology for Economic and Clinical Health Act (HITECH) will be issued soon. Health lawyers have been waiting on these regulations to better understand the full impact of the HITECH changes to HIPAA, including whether the "harm standard" will remain a part of the Interim Final Rule on breach notification.
According to a Health Information Security News article, McAndrew made this announcement this week while speaking at the 2011 NIST HIPAA Conference, Safeguarding Health Information: Building Assurance through HIPAA Security, held in Washington.
The article also indicated that a separate NPRM will be issued announcing the approach OCR plans to take regarding the accounting for disclosure modifications under the HITECH Act. The HITECH Act modified the traditional rule regarding the types of uses and disclosures that must be accounted for by health care providers and covered entities. Under the traditional rule, health care providers did not have to provide an accounting of disclosure for uses and disclosures for treatment, payment, and health care operations. However, the modification by the HITECH Act now requires health care providers who utilize an electronic health record system (EHR) to provide, upon request, an accounting of disclosure of all uses and disclosures, including those for treatment, payment, and health care operations, which occurred within the last three-year period. Of further interest will be how the NPRM proposes that business associates who obtain PHI from health care providers must also track and maintain a list of uses and disclosures for accounting of disclosure requests.