A Look at the Season’s Expected Rules
By Kevin Heubusch
PERHAPS ONE OF the biggest jobs related to implementing the ARRA provisions right now is keeping track of the moving parts. Publication of the act in 2009 was a kind of Big Bang—an ex- plosion of provisions that rocked the healthcare universe. Since then, however, the pieces have traveled at different speeds and in differing trajectories. By the end of the year, however, at least two major pieces hould come into view: a final rule on the privacy rule modifica- tions and a proposed rule on stage 2 of the meaningful use pro- gram. Other rules could accompany them, making this waiting period a good time to review the major regulations in motion.
ARRA directed the Federal Trade Commission to issue breach
notification regulations for noncovered entities, which it did in
August 2009. FTC issued a final rule, which became effective in
September, with full compliance beginning in February 2010.
The preceding day the Office for Civil Rights had issued a rule
related to covered entities, which followed the same dates. OCR,
however, has yet to publish a final rule.
The office did submit a final rule for internal review by the Office of Management and Budget in the spring of 2010, a standard
procedural step, but it withdrew the rule that July with little explanation.
One assumption has been that OCR would reconsider the
most controversial aspect of the interim rule, the “harm threshold,” which Congress had not specified in ARRA. The provision
allows an entity to forego notifying patients of breaches that it
deems unlikely to cause harm.
There also was speculation that OCR withdrew the rule in expectation that a more comprehensive law on breach notifica-
tion was coming from Congress. Such a law, however, has not
materialized to date. There is a possibility that OCR will release
a final rule when it publishes a final rule on other modifications
of the HIPAA privacy rule.
Following publication of the breach notification rule, nothing
further surfaced from OCR for nearly a year. In July 2010, however, the office published a proposed rule covering a variety of
privacy rule modifications called for in ARRA.
The changes have significant implications on HIM operations,
including expanded consumer rights to access and restrict disclosure of information. Business associates will be subject to the
same regulation under HIPAA as covered entities, as will their
subcontractors. Emerging entities such as health information
exchanges will be considered business associates.
Other ARRA changes expand the definition of electronic media, cover investigations and the application of civil money
penalties, and change authorization requirements related to
research. New restrictions apply to marketing and fund raising
and the sale of an individual’s protected health information.
It is not clear whether OCR will proceed directly to a final rule.
Given the complexity of some of the issues and amount of commentary that it requested, there is a possibility it could next issue an interim final rule, which would allow it to solicit another
round of comments and potentially make further changes when
issuing a final rule.
Once the final rule is published, covered entities and business
associates will have 180 days to comply. There will be an exception for updating business associate agreements under certain