By Anna Kraus

The Department of Health and Human Services (HHS) has submitted to the Office of Management and Budget (OMB) the long-awaited final rule implementing changes to the Health Insurance Portability and Accountability Act (HIPAA) regulations mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act.  The OMB has up to 90 days to review the final rule.  If OMB takes the full 90 days for its review (which is what HHS expects) and does not extend the review period, the final rule should be released by the end of June 2012.

HHS is calling the rule an “omnibus” regulation because it will finalize four different rulemakings:

  1. the proposed rule issued in July 2010 implementing changes to the HIPAA Privacy and Security Rules mandated by the HITECH Act, as well as other changes;
  2. the interim final breach notification rule issued in August 2009;
  3. the interim final enforcement rule issued in October 2009; and
  4. the proposed rule issued in October 2009 implementing changes to the HIPAA Privacy Rule mandated by the Genetic Information Nondiscrimination Act.

The rule is not expected to address the proposed rule concerning the accounting of disclosures requirement under the HIPAA Privacy Rule, which HHS issued in May 2011.

As OMB reviews the rule, covered entities and business associates should take the time to ensure they are positioned to implement the changes expected in the regulations, which we have discussed in previous posts.  HHS has indicated that it will likely begin enforcing the final rule 180 days after it becomes effective.  We will continue to report on developments related to the final rule.  In the meantime, if you have any questions about proposed changes, please contact our health privacy team.