The HIPAA/HITECH Omnibus Rule that appeared in the January 25, 2013 Federal Register contained this cryptic and apparently contradictory statement:
DATES: Effective date: This final rule is effective on March 26, 2013.
Compliance date: Covered entities and business associates must comply with the applicable requirements of this final rule by September 23, 2013.
What does it mean for the final rule to be effective today if covered entities and business associates are not required to comply for six more months?
Keep in mind that many of the provisions addressed in the Omnibus Rule were enacted by Congress in the HITECH Act and took effect on February 18, 2010, with some exceptions. The tiered and increased civil money penalty provisions of section 13410(d) were effective for violations occurring after the date HITECH was enacted, February 18, 2009. Accordingly, covered entities and business associates were obligated to comply in good faith with the statutory requirements except where the statute provided that it did not take effect until after publication of regulations.
HHS proposed a 180-day compliance period in its July 14, 2010 notice of proposed rulemaking, and has implemented that grace period in the final omnibus rule. The 180-day grace period was intended to give covered entities and business associates time to comply while best protecting the privacy and security of patient information, in accordance with the goals of the HITECH Act.
For breaches of unsecured protected health information discovered on or after September 23, 2009, the date of the publication of the interim final rule, through September 23, 2013, covered entities and business associates are still required to comply with the breach notification requirements under the HITECH Act and must continue to comply with the requirements of the interim final rule. A cautious approach during the interim would be to analyze any unauthorized disclosure under both the old “subjective” standard and the new “four part” process, and err on the side of concluding that a disclosure is a reportable breach unless it passes both tests.
The gap between the “effective date” and the compliance date leaves some open issues. For example, the definition of “business associate” has been expanded by the omnibus rule to include new entities that “maintain” PHI, such as cloud-based data storage companies and warehouse service providers. When do they become BAs – March 26 or September 23? It appears that covered entities will not be required to have written agreements in place with these newly-designated BAs until September 23, but it is not clear whether such a BA that causes a breach of unsecured PHI during the gap period would escape direct liability.
These remaining uncertainties offer a valid reason for covered entities, existing business associates and newly-added BAs to prioritize the process of evaluating and updating their HIPAA/HITECH compliance efforts, starting with new BAAs, Notices of Privacy Practices and Breach Notification policies. Procrastination is rarely a good strategy, and waiting until the last minute to comply with the omnibus rule could have costly unanticipated consequences.