OCR Still Working On HITECH Rulemaking, Delays Enforcement of Certain Provisions
On March 18, 2010, the Office of Civil Rights (OCR) published an update on its rulemaking and enforcement efforts under the HITECH Act. OCR made clear that the increased civil monetary penalties for HIPAA violations and enforcement of the breach notification rule have been effective since February 17, 2010 and February 22, 2010, respectively.
However, OCR stated that it continues to work on a Notice of Proposed Rulemaking (NPRM) regarding the following HITECH provisions: business associate liability; new limitations on the sale of protected health information, marketing and fundraising communications; and stronger individual rights to access electronic medical records and restrict the disclosure of certain information.
OCR noted that although the effective date for many of these provisions has passed (February 17, 2010), the NPRM and subsequent final rule will provide specific information regarding the expected date of compliance and enforcement for the new requirements.
Of particular interest in this rulemaking will be whether the OCR will require parties to affirmatively amend their business associate agreements to reflect the new privacy and security requirements with which business associates must directly comply, or whether the new provisions are already incorporated into the agreements by operation of law.
DGS will continue to monitor OCR’s HITECH rulemaking progress and will post updates as they are available.
