HIPAA Security Rule fails to materialize by deadline

Rule may be released sometime in February

The government did not deliver on its promise to publish the final Security Rule for HIPAA by the end of the year. This is the third delay, as publication deadlines in December 2001 and February and August 2002 came and went. The Department of Health and Human Services is now saying February 2003. But it's anyone's guess whether that deadline will hold.

"Managing expectations is a required skill for HIPAA implementations," said Jim Bloedau, president of Information Advantage Group, a San Francisco-based e-healthcare consulting firm.

The Security Rule addresses issues such as encryption of e-mail, firewalls, and password integrity. The DHHS has handed the rule off to the Office of Management and Budget, an office of the executive branch that reviews federal regulations for budgetary impact. The OMB usually reviews proposed regulations within 90 days. It anticipates publishing the final rule, along with any modifications to the Transactions and Code Set Standards, in February, according to Tracy Field, an attorney specializing in HIPAA issues at Arnall Golden Gregory in Atlanta.

Once the Security Rule is published, covered entities will have two years to comply with the security regulations. Small health plans will be given an additional 12 months to comply, said Kris Hughes, an attorney with Arlington, TX-based SG&A Consulting.