HHS News: Interim Final Regulations on Breach Notification; Regional Office Privacy Advisors

On August 19, 2009, pursuant to the HITECH Act, the Department of Health and Human Services (HHS) published the interim final regulations regarding breach notification requirements for health care providers and other entities covered by HIPAA. 

According to the HHS press release:

The regulations, developed by the HHS Office for Civil Rights (OCR), require health care providers and other HIPAA covered entities to promptly notify affected individuals of a breach, as well as the HHS Secretary and the media in cases where a breach affects more than 500 individuals. Breaches affecting fewer than 500 individuals will be reported to the HHS Secretary on an annual basis. The regulations also require business associates of covered entities to notify the covered entity of breaches at or by the business associate.

You can find the text of the regulation here.

Stay tuned for more analysis of this important set of regulations on this blog. The interim final regulations are effective 30 days after publication in the Federal Register and include a 60-day public comment period. 


Government Health IT: CCHIT to serve temporarily as sole EHR certifier

Via Government Health IT:

The federal Health IT Policy Committee today endorsed recommendations that would leave the Certification Commission for Health IT in the short term as the sole organization authorized to certify health IT systems that qualified for funding under the economic stimulus plan. More certifying organizations would be added later.

Certification of electronic health record systems that met federal criteria for “meaningful use” of health IT could start as early as October, members of the Department of Health and Human Services’ Health IT Policy Committee said at the August 14th meeting.

Under the plan, CCHIT would provide a preliminary stamp of approval that health IT systems were HHS-qualified or certified until a final meaningful use regulation is published at the end of the year, said Marc Probst, chief information officer of Intermountain Healthcare and co-chairman of the Committee’s certification work group.

Preliminary certification is meant to give providers and vendors enough certainty to proceed with planning, designing and purchasing systems in 2010. The HHS certification-qualification would mean that a provider purchasing the systems would be eligible for Medicare and Medicaid incentive payments under the stimulus law beginning in 2011.

"CCHIT will be sole health IT certifier, for now," Government Health IT (August 14, 2009).

FTC Issues Final Breach Notification Rule for Electronic Health Information

Pursuant to the American Recovery and Reinvestment Act of 2009 (ARRA), the Federal Trade Commission (FTC) issued the final rule regarding notification requirements for breaches of electronic health information by vendors of personal health records and certain affiliated entities:

The rule applies to both vendors of personal health records – which provide online repositories that people can use to keep track of their health information – and entities that offer third-party applications for personal health records. These applications could include, for example, devices such as blood pressure cuffs or pedometers whose readings consumers can upload into their personal health records. Consumers may benefit by using these innovations, but only if they are confident that their health information is secure and confidential.

<...>

The Final Rule requires vendors of personal health records and related entities to notify consumers following a breach involving unsecured information. In addition, if a service provider to one of these entities has a breach, it must notify the entity, which in turn must notify consumers. The Final Rule also specifies the timing, method, and content of notification, and in the case of certain breaches involving 500 or more people, requires notice to the media. Entities covered by the rule must notify the FTC, and they may use a standard form, which can be found along with additional information about the rule at www.ftc.gov/healthbreach.

You can find the full text of the rule here.

"FTC Issues Final Breach Notification Rule for Electronic Health Information," FTC Press Release (August 17, 2009).

Maryland awards $10M for CRISP, a health IT exchange

The State of Maryland awarded $10 million to support the Chesapeake Regional Information System for our Patients (CRISP), a newly created health information technology exchange organization. Some of the biggest players in Maryland's health care industry, including Johns Hopkins, MedStar and the University of Maryland Medical System, are going to participate in CRISP.

According to the Baltimore Business Journal:

Funding will come from the hospitals that will receive a slight increase in the prices they can charge patients and federal stimulus money.

The news comes as health care officials and lawmakers champion electronic medical records as a way of reducing health care costs. They argue that electronic medical records will reduce costs by hopefully eliminating unnecessary tests and reducing errors by allowing doctors to quickly access patients’ medical records.

State health insurers plan to provide incentives to hospitals, which include a lump sum payment or increased reimbursement, to adopt electronic health records.

"Maryland awards $10M for health IT exchange," Baltimore Business Journal (August 5, 2009).


New York Times reports on privacy concerns about use of de-identified health information

The New York Times reported on Americans' growing concern regarding commercial use of their personal health information, especially the use of re-identified prescription drug information for marketing purposes.

The article correctly points out that the Recovery Act of 2009 (ARRA) included a few key changes to the present privacy regime, which would make it more difficult for pharmacies and data mining companies to use patient information for marketing or fundraising purposes. While the new law (and the upcoming HHS regulations that ARRA calls for) will close a few loopholes in the current medical privacy regime, data mining companies like IMS Health and Verispan do not seem to be overly worried about these new developments:

The law won’t shut down the medical data mining industry, but there will be more restrictions on using private information without patients’ consent and penalties for civil violations will be increased. Government agencies are still writing new regulations called for in the law.  <...>

IMS Health reported operating revenue of $1.05 billion in the first half of 2009, down 10.6 percent from the period a year earlier. [An IMS representative] said he did not expect growing awareness of privacy issues to affect the business.


Sebelius shifts responsibility for HIPAA Security Rule enforcement to OCR

HHS Secretary Kathleen Sebelius has delegated the responsibility for administration and enforcement of the HIPAA Security Rule to the Office for Civil Rights (OCR), a division of HHS. Previously, the Centers for Medicare and Medicaid Services (CMS), another HHS division, was responsible for Security Rule administration, while OCR was tasked with administering and enforcing the HIPAA Privacy Rule. Effective immediately, OCR is responsible for administering both the Security Rule and the Privacy Rule, as well as all HIT privacy and security related provisions in the HITECH Act.

According to HHS, this move "will eliminate duplication and increase efficiencies in how the department ensures that Americans’ health information privacy is protected." This transfer of authority is not meant to create any disruption of current procedures. Consumers may continue to submit HIPAA security complaints using the on-line resource, the Administrative Simplification Enforcement Tool (ASET), which can be accessed here. New security complaints may also be sent to the Office for Civil Rights.

You can find the Federal Register notice here.

"HHS Delegates Authority for the HIPAA Security Rule to Office for Civil Rights," HHS Press Release (August 3, 2009).