HealthDataManagementhas quoted Susan McAndrew, deputy director of health information privacy in the Department of Health and Human Services, OCR, as saying that the final rules implementing the HITECH Act are to be released within months, if not weeks. Deputy Director McAndrew recently spoke at the Safeguarding Health Information conference OCR hosted with the National Institute of Standards and Technology (NIST) in Washington.
The long-awaited rule will be an "omnibus regulation" that is said will include final versions of:
- the proposed rule to expand HIPAA privacy and security protections;
- the Breach Notification Interim Final Rule;
- the Enforcement and Compliance Interim Final Rule; and
- the GINA proposed rule.
Notably, McAndrew is quoted as saying:
We want to ensure that when we do the final HITECH action it contains as much activity as we can
Significantly, HealthDataManagement reports that the omnibus final rule will cover new information protection requirements for:
- business associates and subcontractors,
- electronic access,
- research authorizations,
- student immunization records,
- restrictions on marketing,
- restrictions on fundraising, and
- prohibition on sale of protected health information.
McAndrew is also noted to have indicated that a separate proposed rule will be issued after the omnibus regulation, and will govern accounting for disclosures (AOD) even for payment, treatment and health plan operations. McAndrew is quoted as saying that the AOD proposed rule is “very close” to being ready.