UPDATE: On June 22, OMB announced that it is extending its review of the HIPAA Final Regulations. Although the OMB generally has up to 90 days to review regulations, it may receive a 30 day extension issued by the Director or an indefinite extension issued by the head of the rulemaking agency. It is unclear at this time how long the review will be extended.
Director of the HHS Office of Civil RightsLeon Rodriguez warned today that the HIPAA enforcement agencies’ tolerance for noncompliance with HIPAA is “much, much lower” than in years past. Presenting at the Safeguarding Health Information: Building Assurance through HIPAA Security Conference in Washington, D.C. (co-hosted by OCR and the National Institute of Standards and Technology), Rodriguez made clear that expectations regarding HIPAA compliance by covered entities and their business associates is higher than before, particularly in light of the abundant guidance, tools, and assistance OCR and NIST have provided to covered entities over the years.
During his presentation, Rodriguez reported that the HITECH rule to modify HIPAA Privacy, Security and Enforcement Rules is “very close” to completion. He highlighted one of the rule’s major changes, namely, extension of HIPAA liability to business associates, and urged business associates to begin compliance efforts if they haven’t already. Rodriguez also cautioned that attorneys general may increasingly broaden their sights to include HIPAA enforcement for business associates.
Finally, Director Rodriguez discussed OCR’s audit program, designed to help OCR find and address weaknesses in protections for both paper and electronic information. He reported that the agency has found many vulnerabilities that the standard compliance program failed to identify and expects the audit program to become permanent going forward. Senior OCR advisor Linda Sanches commented that audits for 115 covered entities—selected from among 3.3 million covered entities in the nation—are in process. Initial reports from the first 20 audits suggest that most problems were found in the area of security protections. Contingency planning and user activity monitoring were also highlighted areas much in need of improvement. Sanches indicated that the OCR system for auditing business associates will likely go live in 2013. The audit criteria used for the initial audits will soon be available on OCR’s website and will be useful for mapping compliance efforts going forward.