Dude, Where's My HIPAA Omnibus Rule?

Speaking at the Washington, D.C., Health Privacy Summit meeting in June, National Coordinator for Health IT Farzad Mostashari, M.D., said the final HIPAA Omnibus Rule would be released by the end of the summer.

Well, here we are in early autumn and there’s no sign of the final rule yet. The rule actually combines four separate rulemakings, including the changes to HIPAA privacy and security rules required under the HITECH Act; data breach enforcement and penalty requirements; regulations related to the HITECH Act's breach notification rule; and changes to HIPAA to incorporate the Genetic Information Nondiscrimination Act.

The rule’s publication has been held up several times already, the latest being in June, when the Office of Management and Budget (OMB) announced that it was delaying its release from a projected early July date to a future unspecified date.  Healthcare attorneys and compliance specialists have been left to speculate about what the hold-up is.

“While the delay may be as innocuous as OMB being too short staffed to handle its docket, it alternatively could suggest that the rule’s OMB approval is being held up on some policy matters,” writes Adam Greene, an attorney with Davis Wright Tremaine and former HHS employee. “The latter could indicate further changes from what was initially proposed in 2010.”

In a recent excellent blog post, Kirk Nahra, an attorney with Wiley Rein LLP, noted that HHS has been extremely busy with regulatory activity focused on healthcare reform, but he added that “there really is no explanation or any good excuse for why it has taken so long to issue these final privacy and security rules, particularly since Congress already did most of the work (for better or worse) in 2009.”

As summer gives way to fall, the announcement of the rule also runs into election season, which may provide another reason (or excuse) to delay in order to avoid any political blowback from issuing more regulations. But meanwhile, compliance and security officers are eagerly waiting. As Nahra points out, the final language around the data breach rule “will clearly be of enormous significance to the health care industry, its business partners and individuals across the country.”

The folk at consulting firm ID Experts decided to have some fun with the extended delay. They created a contest in which people are asked to guess the year, month, and day the Omnibus HIPAA & HITECH Rule is published in the Federal Register and the page count of the Final Rule as it is published to the Federal Register. The person closest to the right answer will have $2,500 donated in their name to the Wounded Warrior Project, a nonprofit that helps veterans in various ways transition to post-war life.