An OCR lawyer tells HealthLeaders Media the HIPAA privacy and security enforcer will release a proposed rule regarding business associate (BA) provisions in HITECH "shortly."
Adam H. Greene, Office of the General Counsel for OCR, wrote in an e-mail to HealthLeaders that OCR's rulemaking will elaborate on the expected date of compliance surrounding the rule.
Per HITECH, BAs had to be compliant with the HIPAA Security Rule and the use and disclosure provisions of the Privacy Rule by February 17 and had to enter into an updated agreement with their covered entities.
However, a law firm blogged last month that Greene said enforcement of some BA provisions will be delayed until final rules addressing those provisions are published.
In response to Greene's statements at the conference, OCR tells HealthLeaders Media that covered entities and BAs must be in compliance with rules already published, including the interim final rule on breach notification. (OCR also published an interim final rule on enforcement, which includes greater civil and monetary penalties.)
Mike Robinson of HHS News, which handles media inquiries for OCR, wrote in an e-mail that "OCR will use our enforcement discretion to not impose sanctions for failure to provide the required notifications for breaches that are discovered before 180 calendar days from the publication of this rule, or February 22, 2010."
He cited page 42756 of the Federal Register notice of the breach notification interim final rule.
A lack of enforcement does not mean a break from compliance, however.
"I think it is important to remember that OCR may not be ready to enforce certain parts of the HITECH Act that were statutorily effective February 17, but this does not mean that lack of compliance is necessarily wise," says Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR.