It seems the crystal ball is clearing a bit...
HHS work plans and budgeting have been announced for the coming year, and here's how things shake out, with some surprises, of course!
According to the work plan released January 20, 2012 (see http://www.regulations.gov/#!documentDetail;D=HHS-ASAM-2012-0002-0001), the Big HIPAA Update looks to be on track for release in March, and it includes finalization of the proposed privacy and security rule changes (business associates, disclosure restrictions, access, etc.), and finalization of the interim final enforcement and breach notification rules. It also includes the finalization of changes to HIPAA regarding CLIA (the Clinical Laboratory Information Act), which could have a significant impact on laboratory operations depending on the extent to which individuals would interact directly with labs.
Most of what's in this package should be pretty close to what's been proposed, but there may be some changes to the harm standard in the Breach Notification Rule. As a security purist, I'd say that the harm standard has to go, but as a healthcare information realist, I know that there needs to be something like the harm standard to temper breach notification, because the potential for needless notification of harmless releases under the HIPAA definitions is huge. We'll see what we get.
Probably the biggest surprise is that the expected date for release of final rules for the new Accounting of Disclosures is set to June of this year. This rule has a potentially very significant impact on healthcare information operations, to say the least. I wasn't expecting to see a final rule on this until late 2012 at the earliest, based on past performance in the release of final rules. Well, heck, what with all the free time IT and HIM departments will have now that ICD-10 is being pushed back, there should be no problem implementing this, right? (Or, "no probs" as my daughters would say.) Well, at least we have until June to find out how the final rule will differ from the proposed one, which certainly generated its share of controversy. I do hope the implementation timelines are more realistic than those proposed.
The other interesting tidbit is that in the proposed 2013 White House budgets, enforcement of HIPAA has been specifically targeted for spending even though the budget for the Office for Civil Rights at HHS (the enforcers) is down about 5% through improvements in process and cost savings. The HHS Budget-in-brief is available at http://www.hhs.gov/budget/budget-brief-fy2013.pdf . It's kind of funny (but not in a ha-ha kind of way) that there is plenty of mention of the importance of enforcing the rules alongside a budget cut. But I think audits and enforcement are certainly here to stay.
So, stay tuned -- we should have some real regulations to dissect in weeks now. (How many times have I said that? Will I become the HIPAA guy who cried wolf too many times?)
In other news, NIST has released a new draft update of their Security Incident Handling Guide (SP 800-61 Rev 2), available at: http://csrc.nist.gov/publications/drafts/800-61-rev2/draft-sp800-61rev2.pdf . Hint: HHS lists lack of incident handling processes as one of its Top 5 security issues. Hint: Questions asked of entities in HIPAA security audits always include requests to see incident policies, procedures, and reports. Hint: Audits are on the increase. Hint: If you don't have a good incident handling process, now is the time to start, and this guide is a great way to start. Get the hint?
Please let me know if you have questions -- I'm always happy to help.