HITECH Omnibus Rule Out by End of Summer
HealthDataManagement reports that the HITECH "Omnibus Rule" is due to be released by the end of the summer, according to Farzad Mostashari, the National Coordinator for Health Information Technology within the Office of the National Coordinator for Health Information Technology (ONC). The announcement was made during his keynote at the 2nd International Summit on the Future of Health Privacy last week. The two-day Summit brought together leading experts in health privacy, focusing on the privacy implications of the digitization and electronic exchange of health information.
The long-awaited Omnibus Rule, which would implement HITECH modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules, as well as address the Genetic Information Non-Discrimination Act (GINA), was sent for review before publication to the Office of Management and Budget (OMB) at the end of March. Ordinarily, the OMB has 90 days to review regulations, subject to certain extensions.
Of particular interest are regulations expected to clarify business associate liability, new restrictions on marketing and fundraising, and data breach enforcement and penalties, among others. A final regulation on the HITECH changes to the HIPAA Accounting of Disclosure requirements is also expected, although it is unclear whether it will be released together with the HITECH Omnibus Rule. The Proposed Accounting of Disclosures Rule was published for public comment in May of 2011.
During the keynote, Mostashari emphasized the importance of technical and cultural considerations in keeping privacy protections at the center of ONC's efforts and activities, expanding the adoption of EHRs, and increasing public trust in the electronic exchange of health information, saying,
"You can't get information exchange unless there's trust. We can't get a learning health system unless there's trust."
Mostashari noted that ONC is currently working with vendors to develop information system privacy functionalities "by design", with the goal of having privacy protections built into each information system, such as encrypting personal identifiers when exchanging data. Stating that patients should never hear,
"Sorry, I can't give you your health records because of HIPAA",
Mostashari also noted the need for patients to be better educated on their privacy rights, in particular, how their information is used and how to submit complaints about violations or concerns, as well as for providers themselves to have a better understanding of their obligations under HIPAA.