Yesterday the Office of Management and Budget (OMB) website reported that it is extending its review of the final HIPAA privacy and security regulations mandated by the Health Information Technology for Economic and Clinical Health Act (HITECH) and enacted as part of the American Recovery and Reinvestment Act of 2009. The regulations, which HHS refers to as “omnibus” regulations because they will finalize four separate rulemakings, were set for release on June 22, 2012 – 90 days after OMB accepted them for economic and other impact review.
While OMB did not explain the reason for delay or how long the extension will last, there are two circumstances where such an extension is permitted. First, the Director of OMB can extend a review on a one-time basis for 30 days at his discretion. Second, the head of the rulemaking agency (in this case HHS) can request an extension for an indefinite period of time.
The OMB delay is especially frustrating given the yearlong delay to implement final changes to the HIPAA privacy and security regulations mandated by HITECH.
Congress enacted the privacy and security provisions of HITECH to close gaps in the HIPAA privacy and security rules and bolster public trust in the adoption of health information technology to improve individual and population health. The failure to finalize these regulations means that privacy continues to take a back seat just as the Administration is pushing on the accelerator for health IT adoption and health reform. Public support for health IT initiatives continues to be undermined by the Administration’s failure to deal with the public’s significant privacy concerns. In the meantime, providers continue to actively adopt electronic health records with federal tax dollars authorized by Congress without the benefit of the privacy protections that Congress recognized were important to build public and stakeholder trust in health IT.
CDT again calls on the Administration to issue the final HITECH privacy rules without further delay.