AIS's Health Business Daily
Featured Story March 12, 2010
Behind in Issuing HIPAA Regulations, HHS’s Office for Civil Rights May Delay Some Enforcement
Reprinted from REPORT ON PATIENT PRIVACY, the industry's most practical source of news on HIPAA patient privacy provisions.
Despite promises and best intentions, the HHS Office for Civil Rights has failed to issue regulations for many of the new privacy and security requirements contained in the HITECH Act that went into effect Feb. 17. As a result, covered entities and their business associates are “reading the tea leaves,” as one former government official and HIPAA expert told RPP, and grappling with many unanswered questions about the new mandates.
The delays also may mean that OCR will not be enforcing some of the new requirements for which the guidance and regulations have not been published. However, the agency recently issued a call for contractors to develop a program to educate and train state attorneys general on how to prosecute HIPAA violations, so CEs and BAs should expect stepped-up actions on the state level.
In a statement to RPP and in public speeches, OCR officials have given strong hints and suggestions that they will not be enforcing the new provisions that became effective Feb. 17, which cover everything from marketing prohibitions to business associate duties.
“It is not correct to characterize an ‘effective date’ for a legislative provision (which is what the Feb. 17, 2010, date is for certain provisions of the HITECH Act) as the ‘enforcement date,’ ” OCR spokesman Mike Robinson told RPP. To confuse this terminology, Robinson says, would “suggest that OCR would ‘enforce’ the statutory changes in the absence of changes to the HIPAA regulations.” He declined to comment further.
Another OCR official left a similar impression on Feb. 18 at a meeting of the American Bar Association. During his presentation at the ABA’s Emerging Issues in Healthcare Law conference in Phoenix, Adam Greene, with OCR’s Office of General Counsel, indicated that OCR “was going to be reasonable in their enforcement efforts” related to new BA requirements, Bill Dillon, a privacy attorney in Tallahassee who was in attendance, told RPP.
More Hints of Non-Enforcement
“When people were asking about when guidance was coming out, and about additional regulations, just the tone of his statements did not seem like they were going to be enforcing [the new requirements] until there was additional guidance,” says Dillon, a partner with Messer, Caparello & Self, P.A.
Dillon also says Greene made a joke about having a different presentation in his briefcase that presumably would have described new regulations, which echoes comments that Sue McAndrew, OCR’s top HIPAA enforcement official, made about having to re-do her slides prior to her keynote address at a HIPAA meeting in Washington, D.C., earlier last month.
McAndrew acknowledged that she had “blissfully” promised in 2009 that a notice of proposed rulemaking (NPRM) would be issued for public comment before the end of last year to implement many of the HITECH Act changes.
Regulations May be Issued ‘Soon’
“That didn’t happen, and as a result I have had to rearrange my slide sets,” McAndrew said, joking that she hoped no one would throw vegetables at her. She said this “long-awaited suite of regulations” would be issued as an NPRM “hopefully soon enough to come out in final form in 2010.”
Regulations are typically issued as either proposed, interim final or final and have effective dates that are usually 30 to 90 days following release of a final rule. In some instances, rule formation can take several years from the proposed to the final version. OCR has issued some guidance and rules already.
Yet, the law is the law, so as of Feb. 17, CEs and BAs are subject to all of the new provisions specifically outlined in the HITECH Act that have that effective date. However, “if the regs come out and reshape or contort them, CEs and BAs won’t be subject to the specifics of the regulations or be subject to any action from OCR on the regs until the effective date of the regs,” says Jeffrey Drummond, a partner in the law firm of Jackson Walker LLP, based in Dallas.
OCR wouldn’t be the first agency — or the last — to issue regulations after the compliance date. But, says Washington, D.C., attorney Marcy Wilder, “the big difference [here is there are] big changes with significant liability. What we have is a statute that has gone into effect and regulations that have not been issued. Typically regulations of this type are issued prior to the effective date, and I am sure that was the department’s intention.”
Wilder, now a partner with Hogan & Hartson, was deputy general counsel at HHS and oversaw drafting of the privacy rule.
Without Regs, Make ‘Good Faith Effort’
“My clients are confused and they are hoping for some certainty. What we are required to do here is read tea leaves,” says Wilder. “It puts CEs and BAs in a difficult position of being subject to the law without clear guidance on how to comply and without a clear announcement that enforcement will be delayed.”
The biggest unknown seems to surround BA agreements, as CEs are left wondering whether to amend their BA agreements now or wait for regulations. The expectation is that guidance might include a model BAA, which CEs would like to see before they amend theirs or issue new ones, Dillon says.
CEs and BAs should forge ahead with compliance regardless, Wilder says. “Be sure you will be able to demonstrate a good-faith effort to comply.”
There can be no doubt, however, that the breach notification requirement is in effect, as OCR said it would impose penalties for breaches discovered and not reported as of Feb. 22. So, at a minimum, CEs and BAs must be ready to comply with this provision. “It is absolutely the case that the breach notification rules are in effect,” Wilder says.
OCR to Train AGs Beginning in June
Regardless of what OCR does or doesn’t do, there are other threats to CEs and BAs that don’t make good faith efforts to comply. The stronger, and perhaps more immediate, source of enforcement is state attorneys general, who won new authority to prosecute HIPAA violations under the HITECH Act. Last month saw the first ever state suit against a CE, brought by Connecticut Attorney General Richard Blumenthal against Health Net, Inc.
“Since the state attorneys general are able to enforce [HIPAA violations], and after what happened in Connecticut, everyone is worried,” says Dillon. “What I am trying to do is make sure that my clients understand the potential risk” of noncompliance, given AGs’ authority and the doubling of fines under the HITECH Act, Dillon says.
And while OCR might be backing off enforcement temporarily, it is taking steps to push state attorneys general to exercise their new authority. The agency will be doing a series of seminars to train AGs, RPP has learned.
HHS plans to award a contract “to provide technical support…for the development and conduct of training courses and related materials to educate staff from the offices of state attorneys general and others about the HIPAA privacy and security rules,” according to a government notice issued to solicit contractors.
AGs now have the authority to “bring an action on behalf of state residents to enjoin a defendant from further violation or to obtain damages, and such authority requires coordination between HHS and state AGs and provides HHS with the means to intervene in state actions,” the notice states. “To assist state attorneys general in their efforts to exercise their new enforcement authority and promote productive and effective enforcement relationships with them, OCR will develop and convene a series of training seminars focused on enforcement of the HIPAA privacy and security rules. OCR will also develop and make available the training in other modalities to ensure continuing access to the instruction.”
The notice says all “classroom training sessions” will take place at an unidentified “government training facility in S. Carolina,” with the first happening in June.