HHS issues proposed rule on accounting of PHI disclosures

Posted on June 1, 2011 by Steve Fox and Vadim Schick

On May 31, 2011, HHS released the proposed rule on accounting for dislosures of protected health information (PHI), which modified the HIPAA Privacy Rule pursuant to the HITECH Act. This proposed rule would give individuals the right to get a report on who has electronically accessed their PHI. Via HHS press release:

'This proposed rule represents an important step in our continued efforts to promote accountability across the health care system, ensuring that providers properly safeguard private health information,' said OCR Director Georgina Verdugo. 'We need to protect peoples’ rights so that they know how their health information has been used or disclosed.'

People would obtain this information by requesting an access report, which would document the particular persons who electronically accessed and viewed their protected health information. Although covered entities are currently required by the HIPAA Security Rule to track access to electronic protected health information, they are not required to share this information with people.

The proposed rule requires an accounting of more detailed information for certain disclosures that are most likely to affect a person’s rights or interests. The proposed changes to the accounting requirements provide information of value to individuals while placing a reasonable burden on covered entities and business associates.

You can view and download the proposed rule by clicking here.

  • Print
  • Comments
  • Trackbacks
  • Share Link
Tags: , , , , , , , , , ,

Updated: Slides from Webinar on HIPAA Privacy and Security Rules

Posted on October 7, 2010 by Steve Fox and Vadim Schick

Post & Schell, in collaboration with Kroll Fraud Solutions, presented a free webinar examining the crucial changes and updates to the HIPAA Privacy and Security Rules included in the Notice of Proposed Rulemaking (NPRM) issued by the Office of Civil Rights of the U.S. Department of Health and Human Services on July 8, 2010. Post & Schell's Steve Fox and Vadim Schick highlighted the key provisions in the NPRM, including:

  • New restrictions on use and disclosure of protected health information (PHI) for marketing, fundraising, and other commercial purposes
  • Providing patients with e-copies of their PHI
  • Extension of HIPAA Privacy and Security Rules to business associates
  • Effect of new rules on business associate agreements

In addition, our guest presenter for this webinar, Alex Ricardo, CIPP of Kroll Fraud Solutions, discussed the practical implications of this new set of regulations on covered entities and business associates, including:

  • Assessing an organization's policies, procedures and practices for compliance with the HIPAA Rules and these updates
  • Reviewing current contractual agreements and relationships with business associates and their subcontractors
  • Training staff of the organization
  • Breach preparedness and breach response

You can view or download the slides from this presentation by clicking here.

For more information, contact Vadim Schick at vschick@postschell.com or 202-661-6945.

  • Print
  • Comments
  • Trackbacks
  • Share Link
Tags: , , , , , , , , , , , , , ,

HHS issues NPRM on HIPAA Privacy, Security and Enforcement Rules

Posted on July 8, 2010 by Steve Fox and Vadim Schick

On July 7, 2010, HHS issued a notice of proposed rule making (NPRM) regarding the changes to the HIPAA Privacy, Security and Enforcement Rules, as provided in the HITECH Act, in order "to strengthen the privacy and security protections for health information and to improve the workability and effectiveness of the HIPAA Rules."  Via HHS Press Release:

The proposed modifications to the HIPAA Rules include provisions extending the applicability of certain of the Privacy and Security Rules’ requirements to the business associates of covered entities, establishing new limitations on the use and disclosure of protected health information for marketing and fundraising purposes, prohibiting the sale of protected health information, and expanding individuals’ rights to access their information and to obtain restrictions on certain disclosures of protected health information to health plans. In addition, the proposed rule adopts provisions designed to strengthen and expand HIPAA’s enforcement provisions.

You can view the NPRM by clicking here.

"Notice of Proposed Rulemaking to Implement HITECH Act Modifications," HHS Press Release (July 7, 2010).

  • Print
  • Comments
  • Trackbacks
  • Share Link
Tags: , , , , , , , , , , , , , , , , ,

CHIME comments on EHR certification NPRM

Posted on April 15, 2010 by Steve Fox and Vadim Schick

In a letter to Dr. David Blumenthal, the College of Healthcare Information Executives (CHIME), an organization which represents1,400 healthcare chief information officers, offered some criticism of ONC's recent notice of proposed rulemaking (NPRM) regarding the EHR certification program.  While CHIME expressed general support for a two-stage approach for creating the certifying bodies, the CIO's are worried about any destabilizing effects such rule may have on the health IT market.  Via Healthcare IT News:

We are very concerned that the introduction of a two-stage approach for certification will prolong the current instability in the health IT marketplace, which exists because of the un-finalized status of meaningful use and certification regulations," CHIME wrote. "The introduction of two separate certification schemes – one temporary and one permanent – carries a risk of continuing the uncertainty and promoting needless product replacement in the marketplace.

CHIME issued a few recommendations to combat such uncertainty, which you can find after the jump.

CHIME called for:

  • Temporary process to be a provisional or interim one that builds on current certification strategies and is "harmonized" with the eventual permanent certification process. According to CHIME, certification process should be the responsibility of the vendor, and that the purpose of certification should be to provide healthcare providers and professionals with assurance that the product they are purchasing can help them achieve meaningful use.
  • More specificity in language to define what constitutes a self-developed EHR. Current wording in the regulation suggests that any complete EHR or EHR module that's modified by a healthcare provider or a contractor could require certification.
  • Changes in certification requirements be made only when they are necessary to meet meaningful use evolution or advance interoperability, not just because a certain amount of time has passed.
  • If CMS maintains the "adoption year" approach originally advanced in proposed regulations, providers should not be required to have products certified for capabilities not required in their current adoption year.
  • Individual EHR modules be certified to ensure that they can communicate according to adopted standards, and that the interoperability of those modules as used by providers be deemed as certified.
  • HIT vendors fully disclose functions for which their products are certified and fully disclose known compatibility issues.
  • In the event of a certification body losing its authority to certify products, vendors should have six months to recertify products, and providers should not be penalized for a change in a product's certified status if they are still able to demonstrate the meaningful use of the technology.

"CHIME raises concerns about EHR certification," Healthcare IT News (April 9, 2010).
  • Print
  • Comments
  • Trackbacks
  • Share Link
Tags: , , , , , , , , , , , , , , , ,