Not ready to comply with HITECH? That’s OK, HHS isn’t ready to enforce it yet either
Government observers are well aware that there is a big difference between passing a provision in a piece of legislation, crafting the rules that implement the provision, and then putting those rules into effect. Where new requirements or regulatory responsibilities are placed on organizations, it is also fairly common for the effective dates of new rules to be delayed if it’s clear the entities subject to the regulation aren’t ready to comply. Familar examples of such delays and compliance deadline extensions include those for small businesses subject to Sarbanes-Oxley and, more recently, the multiple delays in the deadline for personal information protection requirements in Massachusetts’ 201 CMR 17. With these precedents, it is perhaps unsurprising that personnel from the HHS Office of Civil Rights (OCR) have indicated that OCR will not begin enforcing new security and privacy requirements in the HITECH Act that apply to business associates. With these rules — essentially a set of strengthened HIPAA privacy and security requirements that apply to a broader set of health industry participants and organizations — it seems the delay is warranted not just for the apparent lack of readiness of the organizations covered by the rules, but also by OCR’s uncertainty regarding the most reasonable and consistent approach to take on HIPAA enforcement. HITECH reset many of the standards and expectations for monitoring and auditing compliance, and for investigating violations.
On a tangential note, this situation highlights the difficulty with following implementation timelines dictated in legislation, often without any extensive consideration of the feasibility of meeting the timelines. So far, HHS has done a pretty good job of issuing regulations and promulgating standards (at least in draft form) on or ahead of the schedule contained in the HITECH Act. The timing of the announcement last week that Judy Pritts had joined ONC as its Chief Privacy Officer was also dictated by HITECH (the law says the appointment had to be made “not later than 12 months after the date of enactment”). It should be noted that the rules under HITECH are officially in effect, so the only delay is in their enforcement. To some this might seem a trivial distinction, but historically HIPAA enforcement has relied a great deal on voluntary monitoring, so the fact that business associates shouldn’t expect an auditor visit right away shouldn’t divert the attention from these organizations on putting the appropriate processes, practices, and technologies in place to comply with the law.