During 2011, informal indications were given by the HHS Office of Civil Rights (OCR) and various industry experts that the final HITECH Act regulations amending the HIPAA privacy and security regulations would be published by the end of 2011. However, as of January 6, 2012, the regulations continue to be delayed, due to the numerous comments and policy questions being reviewed and addressed by OCR and other Health Information Privacy officials within HHS. Reasons for the lengthy time period for the HITECH Act regulations include the numerous policy reviews conducted by HHS, and the need to formulate responses to many of the over 300 comments received in connection with the Proposed Rule published in the Federal Register on July 14, 2010 (75 Fed. Reg. 40868). Although no specific month or day has been announced for publication of the final HITECH Act regulations in 2012, healthcare providers, health plans and clearinghouses should be prepared for publication of the final regulations sometime this year, and expect a few weeks or months of delayed enforcement to enable subject entities to transition to any new requirements.

Additionally, policy reviews are still being conducted by HHS OCR with respect to the Interim Final Rule for breach notification under the HITECH Act, which is found at 45 C.F.R. part 164, subpart D. It is not clear whether the breach notification regulations will remain unchanged, or whether revisions will be announced along with the HITECH Act final regulations.

Despite the continued delay in the final HITECH Act regulations, covered entities and business associates that are reviewing, implementing and updating their HIPAA privacy and security policies and procedures should continue to do so with diligence. The HIPAA regulations require periodic evaluation and updating of policies and safeguards, to address a changing healthcare environment and evolving privacy and security threats. Further, OCR is currently in the process of conducting HIPAA privacy and security audits of covered entities, as required under HITECH Act, notification of which began in November 2011. Covered entities should keep in mind that the HIPAA Security Standards took effect for most covered entities in April of 2005. For business associates, under the HITECH Act, the HIPAA Security Standards became directly applicable to them in February 2010. Similarly, the HITECH breach notification interim final rule, referred to above, became actively enforced in February 2010. Covered entities and business associates should consider finalizing any updates to their privacy and security policies, procedures, safeguards and documentation, and revisit these later in the year for any adjustments needed when the final HITECH Act regulations are published.