The HITECH Omnibus final rule - “Fall” for IT

Posted by Gerry Blass

Download the JHIM PDF version of this article

See you in September 

That was a great song, first recorded by the Tempos in 1959 and then by the Happenings in 1966. So let’s use it as the theme for the current estimated timing of the publication of the HITECH Omnibus final rule. Of course, it could also be “Home for the Holidays”. In any event, we now know that the publication of the HITECH Omnibus final rule has been delayed yet again. Does that mean that HIPAA-HITECH covered entities (CEs) and business associates (BAs) should take time off from preparing for it? The answer is “no”: major updates are coming, with the potential for big impacts on the HIPAA privacy and security rules, so the proper amount of time should be taken to get it right.

“The Only Constant is Change”

Most of us have heard the phrase “the only constant is change”. It is certainly true of computer technology, and it is also true of HIPAA-HITECH, Meaningful Use, Health Information Exchanges, Accountable Care Organizations, and all of their related regulations. In addition, from a business standpoint, future reimbursement will be based on quality outcomes and preventive care. So we can all see that the business of healthcare providers, payers, clearinghouses and business associates will be constantly affected by change.

The upcoming Presidential election will no doubt have some impact on future strategy but the train has already left the station and the healthcare industry will continue to automate medical records and their exchange and continue to strive to improve health outcomes. No matter what happens with the elections, the way healthcare will be provided in the future will be dramatically different than the way it is delivered today.

With all of the above said, the one requirement that will never change is the need to protect health information privacy and security on all media in all environments and technologies. The HITECH Omnibus final rule will therefore need to address our changing healthcare environment and will no doubt continue to be updated over time.

The Starting Point – Policies and Procedures, and the NPP (Notice of Privacy Practices)

With each new or updated rule, CEs and BAs need to review and update existing policies and procedures, possibly add new ones, and train the workforce, including senior management. There will also almost certainly be an impact on the current NPP. Try to hold off on updates to the NPP, if possible, until the Rule is published, and then include all known changes at that time. The reason: CEs must provide their patients with a new NPP every time it is changed.

The 80-20 Rule

We have a good sense of what to expect from a high level and we can begin to prepare now.

CEs and BAs can use the 80-20 rule, and go for it. Here are some considerations:

  1. Review current policies, procedures and the notice of privacy practices (NPP) for potential impact based on the proposed HITECH Omnibus rule (Rule).
  2. Prepare draft policies, procedures and an NPP that close the potential gaps as preparation, then fine-tune them when the Rule becomes final and is published.
  3. CEs should begin to assess their business associates in order of risk.
  4. BAs should implement a HIPAA-HITECH compliance program if they have not done so already.
  5. Information privacy and security risk assessments should be done or updated, with a major focus on reducing the risk of a breach.
  6. Implement a process to document and respond to incidents, including breaches.
  7. Conduct workforce training and testing, and include periodic privacy and security reminders along with a “stay tuned” message about the upcoming potential changes.
  8. Question HIT software vendors about their plans to meet the potential new HITECH requirements.
  9. Implement, or budget and plan for, technical and physical controls that reduce the risk from known vulnerabilities.
  10. Implement a process or tool for HIPAA-HITECH due diligence documentation and collaboration to support your ongoing “culture of compliance”.


The federal government (OCR, etc.) has been listening to the healthcare industry regarding the impact of complying with multiple regulations at the same time. For example, effective dates have been extended for ICD-10 and for the Meaningful Use timelines. The burden of multiple regulations is overwhelming for organizations that have limited resources and tight budgets to address them. The fact, however, is that new and updated regulations will continue to be published, and healthcare organizations will continue to face a major challenge in implementing them. Many organizations will need to hire third parties with the expertise to help them find the best direction for addressing them. The key is to create a “culture of compliance” that addresses regulations in a steady, consistent way so that significant progress is made over time.


About the Authors

Gerry Blass has over 35 years of experience in healthcare IT and compliance. Gerry provides IT and compliance consulting services and software called ComplyAssistant that automates the management and documentation of healthcare compliance activities. Gerry is the President & CEO of Blass Compliance LLC.

Susan A. Miller, JD has 40 years of professional leadership experience spanning teaching, biochemistry research and law. Since 2002, Susan has provided independent consultation and legal services to numerous healthcare entities, including NIST and HHS.

Blass and Miller are co-founders of HIPAA 411, a LinkedIn group.
