Office of Civil Rights (OCR) today confirmed it expects to release proposed rules regarding privacy and security provisions of HITECH, but still has not said when.
For the past couple of weeks, industry insiders have talked about an enforcement delay in HITECH provisions effective February 17 until OCR formally publishes rules regarding the provisions. OCR hadn't responded formally until today.
These provisions include:
"Although the effective date [February 17, 2010] for many of these HITECH Act provisions has passed, the [notice for proposed rulemaking] and the final rule that follows will provide specific information regarding the expected date of compliance and enforcement of these new requirements," OCR wrote in the statement on its Web site.
Earlier this month, an OCR lawyer told HealthLeaders Media the HIPAA privacy and security enforcer will release a proposed rule regarding business associate provisions in HITECH "shortly."
Adam H. Greene, Office of the General Counsel for OCR, wrote in an e-mail to HealthLeaders that OCR's rulemaking will elaborate on the expected date of compliance surrounding the rule.
Per HITECH, BAs had to be compliant with the HIPAA Security Rule and the use and disclosure provisions of the privacy rule by February 17 and had to enter into an updated agreement with their covered entities.
However, a law firm blogged last month that Greene said enforcement of some BA provisions will be delayed until final rules addressing those provisions are published.