Dude, Where's My HIPAA Omnibus Rule?

June 25, 2013
The HIPAA Omnibus Rule's publication has been held up several times already, leaving healthcare attorneys and compliance specialists to speculate about the cause of the delay. Speaking at the Washington, D.C., Health Privacy Summit meeting in June, National Coordinator for Health IT Farzad Mostashari, M.D., said the final HIPAA Omnibus Rule would be released by the end of the summer.

Speaking at the Washington, D.C., Health Privacy Summit meeting in June, National Coordinator for Health IT Farzad Mostashari, M.D., said the final HIPAA Omnibus Rule would be released by the end of the summer.

Well, here we are in early autumn and there’s no sign of the final rule yet. The rule actually combines four separate rulemakings, including the changes to HIPAA privacy and security rules required under the HITECH Act; data breach enforcement and penalty requirements; regulations related to the HITECH Act's breach notification rule; and changes to HIPAA to incorporate the Genetic Information Nondiscrimination Act.

The rule’s publication has been held up several times already, the latest being in June, when the Office of Management and Budget (OMB) announced that it was delaying its release from a projected early July date to a future unspecified date.  Healthcare attorneys and compliance specialists have been left to speculate about what the hold-up is.

“While the delay may be as innocuous as OMB being too short staffed to handle its docket, it alternatively could suggest that the rule’s OMB approval is being held up on some policy matters,” writes Adam Greene, an attorney with Davis Wright Tremaine and former HHS employee. “The latter could indicate further changes from what was initially proposed in 2010.”

In a recent excellent blog post, Kirk Nahra, an attorney with Wiley Rein LLP, noted that HHS has been extremely busy with regulatory activity focused on healthcare reform, but he added that “there really is no explanation or any good excuse for why it has taken so long to issue these final privacy and security rules, particularly since Congress already did most of the work (for better or worse) in 2009.”

As summer gives way to fall, the announcement of the rule also runs into election season, which may provide another reason (or excuse) to delay in order to avoid any political blowback from issuing more regulations. But meanwhile, compliance and security officers are eagerly waiting. As Nahra points out, the final language around the data breach rule “will clearly be of enormous significance to the health care industry, its business partners and individuals across the country.”

The folk at consulting firm ID Experts decided to have some fun with the extended delay. They created a contest in which people are asked to guess the year, month, and day the Omnibus HIPAA & HITECH Rule is published in the Federal Register and the page count of the Final Rule as it is published to the Federal Register. The person closest to the right answer will have $2,500 donated in their name to the Wounded Warrior Project, a nonprofit that helps veterans in various ways transition to post-war life. 

Sponsored Recommendations

How to Build Trust in AI: The Data Leaders’ Playbook

This eBook strives to provide data leaders like you with a comprehensive understanding of the urgent need to deliver high-quality data to your business. It also reviews key strategies...

Quantifying the Value of a 360-Degree view of Healthcare Consumers

To create consistency in how consumers are viewed and treated no matter where they transact, healthcare organizations must have a 360° view based on a trusted consumer profile...

Elevating Clinical Performance and Financial Outcomes with Virtual Care Management

Transform healthcare delivery with Virtual Care Management (VCM) solutions, enabling proactive, continuous patient engagement to close care gaps, improve outcomes, and boost operational...

Examining AI Adoption + ROI in Healthcare Payments

Maximize healthcare payments with AI - today + tomorrow