Privacy and Security

Tuesday, January 22, 2013

Health Care Stakeholders React to Final HIPAA Omnibus Rule

Several health care industry organizations and stakeholders have commented on HHS' newly released final omnibus rule, which includes four final rules that expand and update HIPAA provisions.

The rules -- called for under the 2009 federal economic stimulus package's HITECH Act and the Genetic Information Nondiscrimination Act -- implement tougher privacy and security provisions to protect patient data (iHealthBeat, 1/18).

Summaries of the comments are provided below.

Comments From Expert at American Academy of Family Physicians

Renae Moch -- practice management strategist at the American Academy of Family Physicians -- in an email said the final omnibus rule "strengthens patient privacy and security protections that were established" under HIPAA.

Moch added that the rule is expected to:

  • Increase the workability and flexibility of patient privacy protections;
  • Decrease burdens on health care providers; and
  • Better standardize requirements for covered entities.

Comments From Experts at American Health Information Management Association

Angela Rose -- director of health information management practice excellence at the American Health Information Management Association -- in a phone interview said that the health data management industry is "breathing a sigh of relief" about the release of the omnibus rule, which has been anticipated since 2009.

"Now we can hit the ground running" to respond to the new rule, Rose said (Struck, MedPage Today, 1/21).

Harry Rhodes -- director of health information management solutions at AHIMA -- said he expects the new breach notification provisions of the omnibus rule to change how covered entities and their business associates assess data breaches.

"Instead of looking at whether there is old information on a lost tape that could cause individuals financial or reputational harm, the assessment would look at the likelihood that the information could even be accessed or whether it was found in a timely manner," he said (Kolbasuk McGee, GovInfoSecurity, 1/21).

Comments From Expert at Center for Democracy & Technology

Deven McGraw -- a lawyer who leads the Health Privacy Project at the Center for Democracy & Technology -- said she liked the omnibus rule's marketing provisions, which require patients to provide consent before third parties can use their health data to send them marketing information.

She said that requiring such patient consent is "huge for consumers" (Conn, Modern Healthcare, 1/18).

Comments From Medical Group Management Association

The Medical Group Management Association has said that it supports the final omnibus rule's "comprehensive privacy and security standards aimed at avoiding unauthorized use or disclosure of patient health information." However, MGMA said that such privacy and security safeguards should be:

  • Practical;
  • Affordable; and
  • Flexible.

MGMA also expressed concern about whether medical practices would be able to implement changes related to the final omnibus rule "within the short time frames allotted" (Health Data Management, 1/18).

Comments From Other Experts, Stakeholders

Other experts and stakeholders offered comments on the final omnibus rule, including:

  • Kate Borten -- president of the IT security consulting firm The Marblehead Group -- who said that the rule will help reduce uncertainty about what types of data breaches require notification (GovInfoSecurity, 1/21);
  • David Holland -- vice president and CIO at Southern Illinois Healthcare -- who said that the omnibus rule will improve health care providers' ability to maintain patient trust (Bowman, FierceHealthIT, 1/18);
  • Katherine Keefe -- head of Beazley Breach Response Services -- who said that she thinks the final omnibus rule "will make covered entities and business associates more skittish" about data breaches because the federal government will have more leeway to define an incident as a reportable data breach (Modern Healthcare, 1/18);
  • Joseph Kvedar -- director of Partners HealthCare's Center for Connected Health in Boston -- who said that the new omnibus rule could create certain challenges because "the more privacy we have, the less data liquidity" we have;
  • Todd Richardson -- vice president and CIO of the Wisconsin-based health system Aspirus -- who said that the new omnibus rule underscores the challenges facing the health IT industry, which is striving to facilitate the exchange of patient data while protecting patient privacy; and
  • Donna Staton -- CIO at Virginia-based Fauquier Health -- who praised the omnibus rule for increasing scrutiny on business partners and contractors but wondered how the rule would affect health data exchanges and population health management initiatives (FierceHealthIT, 1/18).


