HIPAA Omnibus Rule goes to OMB
Nearly three years after the HITECH Act was passed, the Office for Civil Rights has sent the final HIPAA Omnibus Rule to the Office of Management and Budget for review, one of the last steps required before it can be published in the Federal Register.

The rule will enact provisions for the changes mandated under the HITECH Act and provide revisions to the HIPAA privacy, security, breach notification and enforcement rules, as well as the Genetic Information Nondiscrimination Act of 2008. The revisions could include eliminating or amending the “harm threshold” provision that currently allows covered entities not to report breaches determined not to be harmful, making business associates and subcontractors liable for breaches as covered entities are, and requiring some degree of data encryption.

Business associates account for about 30 percent of the total number of breaches reported, but nearly 75 percent of the records potentially exposed, according to Mac McMillan, CEO of Austin, Texas-based health IT security firm CynergisTek, and co-chair of the Healthcare Information and Management Systems Society (HIMSS) Privacy and Security Policy Task Force.