Health IT Law Blog : Health IT Law Blog : Post & Schell: Law Firm : HIT & Electronic Health Records

On August 19, 2009, pursuant to the HITECH Act, the Department of Health and Human Services (HHS) published the interim final regulations regarding breach notification requirements for health care providers and other entities covered by HIPAA. The rule became effective on September 23, 2009. 

During the 60 day public comment period, HHS received 120 comments, after which HHS developed a final rule and submitted it to the Office of Management and Budget for regulatory review on May 14, 2010.  However, on July 27, 2010, HHS issued a statement that they are withdrawing the final rule from OMB:

HHS is withdrawing the breach notification final rule from OMB review to allow for further consideration, given the Department’s experience to date in administering the regulations. This is a complex issue and the Administration is committed to ensuring that individuals’ health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur. We intend to publish a final rule in the Federal Register in the coming months.

HHS's withdrawal remains a bit of mystery.  However, Post & Schell's Ed Shay has a couple of thoughts, which you can read after the jump.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

The Rite Aid Corporation, the third largest pharmacy chain in the United States, reached a major settlement with both the Federal Trade Commission (FTC) and HHS's Office of Civil Rights (OCR) regarding charges that Rite Aid violated federal privacy and security laws and regulations by failing to keep its customers' and employees' data safe. 

Rite Aid employees were reported to discard prescriptions and pill bottles containing sensitive patient data into the dumpsters behind various Rite Aid pharmacies, which were easily accessible to the public.  Such practices violate the HIPAA Privacy Rule, which requires covered entities to safeguard the privacy of patient information, even when such information is being destroyed.  Rite Aid's actions may also violate the company's own promises to their customers regarding keeping their health information private and secure (this broken promise being the basis for FTC's charges).

• Email This
• Print
• Comments
• Trackbacks
• Share Link

• Kaiser Permanente and IBM inked a $500 million, seven-year IT services deal.  IBM will manage Kaiser's data center operations, storage and software, but IBM will not have access to patients' medical records.  AP, San Francisco Chronicle (March 17, 2009).
• A new study expects that as much as three-quarters of prescribers will use e-prescribing by 2014 because of the incentives for adoption of e-prescribing technology included in the HITECH Act (though only about 15% of current prescribers use e-prescribing).  This could result in a massive $22 billion reduction in drug and medical costs.  Government Health IT (March 17, 2009).
• Wal-Mart is bringing its "high-volume, low-cost" approach to the medical records industry.  Wal-Mart's Sam's Club division will produce a package that will include hardware from Dell, software from eClinicalWorks, as well as installation, maintenance and training services.  According to the New York Times (March 11, 2009), the "Sam’s Club offering, to be made available this spring, will be under $25,000 for the first physician in a practice, and about $10,000 for each additional doctor. After the installation and training, continuing annual costs for maintenance and support will be $4,000 to $6,500 a year, the company estimates." This development has huge implications for the EHR market, and may actually aid the widespread adoption of EHR technology.   Healthcare IT News (March 11, 2009) also covered this story.

More news after the jump.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

HHS may award grants to eligible institutions “to carry out demonstration projects to develop academic curricula integrating certified EHR technology in the clinical education of health professionals.” Eligible institutions are limited to:

• a school of medicine, osteopathic medicine, dentistry, or pharmacy, a graduate program in behavioral or mental health, or any other graduate health professions school;
• a graduate school of nursing or physician assistant studies;
• a consortium of two or more schools described above; or
• an institution with a graduate medical education program in medicine, osteopathic medicine, dentistry, pharmacy, nursing, or physician assistance studies.

• Email This
• Print
• Comments
• Trackbacks
• Share Link