HIPAA Updates: What's the Hold Up?
Senator Frustrated By Overdue Privacy ProtectionsThe nation's lead HIPAA enforcer was on the hot seat at a Senate subcommittee hearing Nov. 9 when he was called to task for delays in issuing privacy and security regulatory updates mandated under the HITECH Act.
Leon Rodriguez, director of the Department of Health and Human Services' Office for Civil Rights, heard passionate complaints about delays in modifications to the Health Insurance Portability and Accountability Act.
Rodriguez just took over the OCR leadership position in September, so the delays didn't come on his watch. But he missed a golden opportunity at the hearing when he refused to offer even a ballpark estimate about when a package of overdue regulations would be issued.
That prompted Sen. Al Franken, D- Minn., to quip, "Well, hurry up."
Franken chairs the Senate Judiciary Committee's subcommittee on privacy, technology and the law, which heard testimony from Rodriguez, a Justice Department representative and two privacy experts.
Under the HITECH Act, extensive modifications to HIPAA, including applying its privacy provisions to business associates, were supposed to be in effect by February 2010, one year after HITECH was enacted. The Office for Civil Rights issued a proposed HIPAA modification rule in July 2010, well past the deadline. Now, more than a year later, a final version is still pending.
OCR officials have been saying since last spring that they plan to issue the final HIPAA modifications rule as part of an omnibus package of regulations that also will include a final version of the HIPAA breach notification rule as well as privacy provisions under the Genetic Nondiscrimination Act. But given the opportunity, Rodriguez refused to offer a prediction of when that omnibus package would be released. "I can't give you a time frame," he told Sen. Franken.
Waiting Game
And Franken wasn't the only one who expressed frustration with the waiting game.
Deven McGraw, director of the health privacy project at the Center for Democracy and Technology, testified that progress in carrying out HITECH mandates on privacy and security has been "agonizingly slow" and stressed "we really need the regs."
And Kari Myrold, privacy officer at Hennepin County Medical Center in Minneapolis, testified that HIPAA compliance would not improve until the final rules are in place and detailed guidance on how to comply with the rules is offered by federal authorities.
Franken stressed that electronic health records "give us a wonderful opportunity to harness information to make healthcare more effective." But he said that the full benefits of EHRs cannot be achieved until "patients are assured of their privacy."
McGraw sounded a similar theme in her written testimony: "Simply stated, the effort to promote widespread adoption and use of health IT to improve individual and population health will fail if the public does not trust it."
As co-chair of the Privacy and Security Tiger Team that's advising federal regulators, McGraw has been helping craft privacy guidelines, including safeguards for health information exchange. Her 17-page written testimony contains a wealth of ideas, including a call for Congress to require OCR and the Department of Justice to share far more details about their enforcement efforts. She also calls for OCR to provide more detailed guidance on applying encryption to protect data, offer stronger incentives to use encryption, or even enact an encryption mandate, such as for portable media and devices.
Myrold, the security officer at Hennepin County Medical Center, said the lack of updated HIPAA modifications is making her job far more difficult. She noted, for example, "Because we are still awaiting the final rule on this topic ... there is no shortage of parties still confused as to whether they are engaging in a business associate relationship."
Healthcare security officers from coast to coast share Myrold's frustration. It's good to see Sen. Franken helping call attention to the dangers associated with further delays in carrying out HITECH Act mandates. Let's hope the team at the Office for Civil Rights, under the direction of its new leader, finishes its work soon. That sure would make a nice Christmas present.