Monday, June 21, 2010
ONC Issues Final Rule for EHR Temporary Certification Program
Certification is important because the Medicare and Medicaid EHR incentives under HITECH require the use of certified EHR technology for eligible hospitals and providers to receive payments under the incentive program.
For more information check out the Temporary Certification Program information on the ONC Health IT website, including a link to a complete copy of the Temporary Certification Program Final Rule.
More information from Government Health IT, ONC launches health IT certification program and iHealthBeat, ONC To Start Accepting Bids for Entities to Certify EHR Products.
UPDATE (6/24/2010): The official Federal Register version of the Final Rule is now available: 45 CFR Part 170, Establishment of the Temporary Certification Program for Health Information Technology; Final Rule (75 Fed. Reg. 36158, June 24, 2010). The Final Rule is effective on June 24, 2010.
Monday, May 3, 2010
OCR Request for Information: HIPAA Privacy Rule Accounting of Disclosures under HITECH
The Request for Information by OCR seeks comments from health consumers and health care providers/organizations. OCR seeks information on the following areas:
* Understanding the interests of individuals (health consumers) with respect to learning of such disclosures; and
* The administrative burden on covered entities (health care providers/organizations) and business associates of accounting for such disclosures.
The Request for Information states that Section 13405(c) of the Health Information Technology for Economic and Clinical Health (HITECH) Act expands an individual’s right under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to receive an accounting of disclosures of protected health information made by HIPAA covered entities and their business associates. In particular, section 13405(c) of the HITECH Act requires that the HIPAA Privacy Rule be amended to require covered entities to account for disclosures of protected health information to carry out treatment, payment, and health care operations if such disclosures are through an electronic health record.
The Request for Information requests specific comments on the following nine questions:
1. What are the benefits to the individual of an accounting of disclosures, particularly of disclosures made for treatment, payment, and health care operations purposes?
2. Are individuals aware of their current right to receive an accounting of disclosures? On what do you base this assessment?
3. If you are a covered entity, how do you make clear to individuals their right to receive an accounting of disclosures? How many requests for an accounting have you received from individuals?
4. For individuals that have received an accounting of disclosures, did the accounting provide the individual with the information he or she was seeking? Are you aware of how individuals use this information once obtained?
5. With respect to treatment, payment, and health care operations disclosures, 45 CFR 170.210(e) currently provides the standard that an electronic health record system record the date, time, patient identification, user identification, and a description of the disclosure. In response to its interim final rule, the Office of the National Coordinator for Health Information Technology received comments on this standard and the corresponding certification criterion suggesting that the standard also include to whom a disclosure was made (i.e., recipient) and the reason or purpose for the disclosure. Should an accounting for treatment, payment, and health care operations disclosures include these or other elements and, if so, why? How important is it to individuals to know the specific purpose of a disclosure— i.e., would it be sufficient to describe the purpose generally (e.g., for “for treatment,” “for payment,” or “for health care operations purposes”), or is more detail necessary for the accounting to be of value? To what extent are individuals familiar with the different activities that may constitute “health care operations?” On what do you base this assessment?
6. For existing electronic health record systems:
(a) Is the system able to distinguish between “uses” and “disclosures” as those terms are defined under the HIPAA Privacy Rule? Note that the term “disclosure” includes the sharing of information between a hospital and physicians who are on the hospital’s medical staff but who are not members of its workforce.
(b) If the system is limited to only recording access to information without regard to whether it is a use or disclosure, such as certain audit logs, what information is recorded? How long is such information retained? What would be the burden to retain the information for three years?
(c) If the system is able to distinguish between uses and disclosures of information, what data elements are automatically collected by the system for disclosures (i.e., collected without requiring any additional manual input by the person making the disclosure)? What information, if any, is manually entered by the person making the disclosure?
(d) If the system is able to distinguish between uses and disclosures of information, does it record a description of disclosures in a standardized manner (for example, does the system offer or require a user to select from a limited list of types of disclosures)? If yes, is such a feature being utilized and what are its benefits and drawbacks?
(e) Is there a single, centralized electronic health record system? Or is it a decentralized system (e.g., different departments maintain different electronic health record systems and an accounting of disclosures for treatment, payment, and health care operations would need to be tracked for each system)?
(f) Does the system automatically generate an accounting for disclosures under the current HIPAA Privacy Rule (i.e., does the system account for disclosures other than to carry out treatment, payment, and health care operations)?
i. If yes, what would be the additional burden to also account for disclosures to carry out treatment, payment, and health care operations? Would there be additional hardware requirements (e.g., to store such accounting information)? Would such an accounting feature impact system performance?
ii. If not, is there a different automated system for accounting for disclosures, and does it interface with the electronic health record system?
7. The HITECH Act provides that a covered entity that has acquired an electronic health record after January 1, 2009 must comply with the new accounting requirement beginning January 1, 2011 (or anytime after that date when it acquires an electronic health record), unless we extend this compliance deadline to no later than 2013. Will covered entities be able to begin accounting for disclosures through an electronic health record to carry out treatment, payment, and health care operations by January 1, 2011? If not, how much time would it take vendors of electronic health record systems to design and implement such a feature? Once such a feature is available, how much time would it take for a covered entity to install an updated electronic health record system with this feature?
8. What is the feasibility of an electronic health record module that is exclusively dedicated to accounting for disclosures (both disclosures that must be tracked for the purpose of accounting under the current HIPAA Privacy Rule and disclosures to carry out treatment, payment, and health care operations)? Would such a module work with covered entities that maintain decentralized electronic health record systems?
9. Is there any other information that would be helpful to the Department regarding accounting for disclosures through an electronic health record to carry out treatment, payment, and health care operations?
Written comments to OCR must be submitted on or before May 18, 2010.
Thursday, March 18, 2010
OCR Update on Issuance of HIPAA HITECH Rulemaking
The notice seems to indicate that the date for compliance and enforcement may be delayed, since it states that the NPRM "will provide specific information regarding the expected date of compliance and enforcement." However, covered entities and business associates need to weigh the risks of not complying with the new requirements while waiting for further clarification from OCR.
The notice states:
OCR will implement important privacy and security provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act through notice and comment rulemaking, as required by the Administrative Procedure Act. These provisions include: business associate liability; new limitations on the sale of protected health information, marketing, and fundraising communications; and stronger individual rights to access electronic medical records and restrict the disclosure of certain information. OCR continues work on a Notice of Proposed Rulemaking (NPRM) regarding these provisions. Although the effective date (February 17, 2010) for many of these HITECH Act provisions has passed, the NPRM and the final rule that follows will provide specific information regarding the expected date of compliance and enforcement of these new requirements.
However, interim final rules implementing HITECH Act provisions in two areas have already been issued and are currently in effect: enforcement and breach notification. New civil money penalty amounts apply to HIPAA Privacy and Security Rule violations occurring after February 17, 2009. Covered entities and business associates must comply now with breach notification obligations for breaches that are discovered on or after September 23, 2009. OCR announced previously that it would use its enforcement discretion not to impose fiscal sanctions with regard to breaches discovered before February 22, 2010. Since that date has passed, OCR will enforce the Breach Notification Interim Final Rule, including with the possible imposition of sanctions, as it does with the HIPAA Privacy and Security Rule requirements.
Monday, March 1, 2010
HITECH Law Blog
I just ran across her blog, HITECH Law Blog. She focuses the blog on health information technology, privacy and security and the blog was named after the HITECH Act. Looks like a great addition to the health law blogosphere.
Ms. McDonald-McClure is a member of the Health Care Services Team at Wyatt Tarrant & Combs, LLP in Louisville, KY.
Sunday, February 14, 2010
AIS Report on Patient Privacy: Analysis of Willful Neglect Under HITECH
The article, Willful Neglect Is Difficult to Pin Down, but Can Result in Enormous HIPAA Penalties, appears in the Report on Patient Privacy: Practical News and Strategies for Complying with HIPAA, Volume 10, Number 2, February 2010, published by Atlantic Information Services, Inc. (AIS). The article discusses the definition and interpretation of "willful neglect" under the HIPAA penalty provisions. Health care privacy officers should find this article helpful in better understanding their role and responsibility in overseeing privacy compliance efforts.
The full story was reprinted on AIS Health Business Daily website.
Saturday, February 13, 2010
WV HIT Funding Under HITECH: WVHIN Gets $7.8M and WV REC gets $6M
The White House Press Release provides a detailed list of HIEs and RECs receiving grants. Information is also available via the HHS News Release, Sebelius, Solis Announce Nearly $1 Billion Recovery Act Investments in Advancing Use of Health IT, Training Workers for Health Jobs of the Future.
West Virginia will receive the following funding:
- West Virginia Department of Health and Human Resources in conjunction with the West Virginia Health Information Network HIE Award: $7,819,000
- West Virginia Health Improvement Institute, Inc. REC Award: $6,000,000
Thursday, January 14, 2010
State Attorney General HIPAA HITECH Enforcement
David's post, HIPAA enforcement by state attorney general: The shape of things to come, provides a good summary of the announcement by the Connecticut Attorney General. More information via the Connecticut Attorney General press release.
The lawsuit filed by the Connecticut Attorney General Richard Blumenthal (coincidentally brother of David Blumenthal, National Coordinator of Health Information Technology) alleges that a health insurer, Health Net of Connecticut, Inc., failed to promptly notify the AG and other officials of a missing portable computer disk drive that contained unencrypted protected health information, Social Security numbers and bank accounts for approximately 446,000 individuals. The lawsuit also named UnitedHealth Group Inc. and Oxford Health Plans, LLC who acquired ownership of Health Net of Connecticut. The action also seeks a court order against Health Net to encrypt all information held on electronic devices.
Since the early days of HIPAA implementation and compliance there has largely been a lack of real enforcement efforts. The new provisions under HITECH allowing state attorneys general to file HIPAA enforcement actions on behalf of the public bring a new era of enforcement against health care providers who are unfortunate enough to have a health data breach and fail to properly respond to such a breach in a timely manner.
David offers some good advice and takeaway points to health care providers and others who regularly handle health information. It is not enough to have policies and procedures in place; providers must also regularly monitor whether they are being followed. Today's health data is liquid and it can flow in many directions. Providers need to understand where and how data is stored, used and transferred.
Thursday, December 31, 2009
CMS and ONC Issue Rules on Proposing a Definition of Meaningful Use and Setting Standards for EHR Incentive Program
The two regulations are part of the implementation of the EHR incentive programs for physicians and hospitals enacted under the HITECH provisions of the American Recovery and Reinvestment Act of 2009 (ARRA). CMS issued a proposed rule outlining the
For more details see the following CMS Press Release.
- CMS Proposes Requirements for the Electronic Health Records (EHR) Medicaid Incentive Payment Program
- CMS Proposed Requirements for the Electronic Health Records (EHR) Medicare Incentive Program
- CMS Proposes Definition of Meaningful Use of Certified Electronic Health Records (EHR) Technology
Medicare and Medicaid Programs; Electronic Health Record Incentive Program
AGENCY: Centers for Medicare & Medicaid Services (CMS), HHS.
ACTION: Proposed rule.
SUMMARY: This proposed rule would implement the provisions of the American Recovery and Reinvestment Act of 2009 (ARRA) (Pub. L. 111-5) that provide incentive payments to eligible professionals (EPs) and eligible hospitals participating in Medicare and Medicaid programs that adopt and meaningfully use certified electronic health record (EHR) technology. The proposed rule would specify the-- initial criteria an EP and eligible hospital must meet in order to qualify for the incentive payment; calculation of the incentive payment amounts; payment adjustments under Medicare for covered professional services and inpatient hospital services provided by EPs and eligible hospitals failing to meaningfully use certified EHR technology; and other program participation requirements. Also, as required by ARRA the Office of the National Coordinator for Health Information Technology (ONC) will be issuing a closely related interim final rule that specifies the Secretary’s adoption of an initial set of standards, implementation, specifications, and certification criteria for electronic health records. ONC will also be issuing a notice of proposed rulemaking on the process for organizations to conduct the certification of EHR technology.
Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology
AGENCY: Office of the National Coordinator for Health Information Technology, Department of Health and Human Services.
ACTION: Interim final rule.
SUMMARY: The Department of Health and Human Services (HHS) is issuing this interim final rule with a request for comments to adopt an initial set of standards, implementation specifications, and certification criteria, as required by section 3004(b)(1) of the Public Health Service Act. This interim final rule represents the first step in an incremental approach to adopting standards, implementation specifications, and certification criteria to enhance the interoperability, functionality, utility, and security of health information technology and to support its meaningful use. The certification criteria adopted in this initial set establish the capabilities and related standards that certified electronic health record (EHR) technology will need to include in order to, at a minimum, support the achievement of the proposed meaningful use Stage 1 (beginning in 2011) by eligible professionals and eligible hospitals under the Medicare and Medicaid EHR Incentive Programs.
Tuesday, December 22, 2009
Lorman Medical Records Law Seminar: March 18, 2010
- Michael T. Harmon, MPA, CIPP/G, Compliance Specialist for the West Virginia Mutual Insurance Company, a Medical Professional Liability Insurance Company
- Sallie H. Milam, J.D., CIPP/G, Executive Director of the West Virginia Health Information Network and Chief Privacy Officer for the West Virginia State Government
- James W. Thomas, Esq., Manager of the Charleston, West Virginia Business Law Department of Jackson Kelly PLLC whose practice focuses primarily upon health care matters of a business, regulatory and operational nature
| Time | Session | Presenter |
|---|---|---|
| 8:30 am – 9:00 am | Registration | |
| 9:00 am – 9:15 am | Overview | |
| 9:15 am – 10:30 am | HIPAA Compliance: Reality and Perspective | Michael T. Harmon, MPA, CIPP/G |
| 10:30 am – 10:45 am | Break | |
| 10:45 am – 12:00 pm | HITECH Financial Incentives for Implementation of HIT | James W. Thomas, Esq. |
| 12:00 pm – 1:00 pm | Lunch (On Your Own) | |
| 1:00 pm – 2:00 pm | Health Information Exchange in West Virginia: Impact on Patient Records | Sallie H. Milam, J.D., CIPP/G |
| 2:00 pm – 2:15 pm | Break | |
| 2:15 pm – 3:30 pm | Consumer Driven Health Care: HITECH, Health 2.0, Social Media and Personal Health Records | Robert L. Coffield, Esq. |
| 3:30 pm – 4:30 pm | Panel Discussion | Robert L. Coffield, Esq., Michael T. Harmon, MPA, CIPP/G, Sallie H. Milam, J.D., CIPP/G and James W. Thomas, Esq. |
Tuesday, November 3, 2009
Federal Advisory Committee Blog (FACA Blog)

The initial post by Judy Sparrow explains that the FACA Blog will be used in a spirit of transparency and collaboration to help open a broader dialogue on the issues before the Health IT Standards Committee and the Health IT Policy Committee. The post also provides some background on the role that Federal Advisory Groups play under the Federal Advisory Committee Act.
The second post by Aneesh Chopra, Federal Chief Technology Officer, spells out the planned process for an open conversation that will take place over the next couple of weeks with various committee members blogging about a variety of topics (Proposed Standards, Interoperability, Vocabularies, Privacy, Security, Quality, Implementation Case Studies).
The FACA Blog allows individuals to share public comments on each post and has an RSS feed. Great to see ONCHIT using a blog platform to quickly and efficiently distribute information about the ongoing work being done by the committees to further the health information technology efforts under HITECH.
Monday, November 2, 2009
HIPAA Enforcement Meets HITECH: HIPAA Administrative Simplification: Enforcement Rule
This new rule was developed and adopted by HHS to conform the enforcement regulations under HIPAA to the revisions made to HIPAA under the Health Information Technology for Economic and Clinical Health Act (HITECH), which was part of the American Recovery and Reinvestment Act of 2009 (ARRA).
The rule amends the HIPAA enforcement regulations to include the imposition of tiered ranges for civil money penalty amounts based upon an increasing culpability associated with the violation. A full chart of the violation categories and related amounts can be found in the rule.
The interim final rule is effective on November 30, 2009. Comments on the rule can be made prior to December 29, 2009.
Monday, October 5, 2009
Congressional Members Concerned About HHS Inclusion of "Harm Standard" In Breach Notification Rule
HHS in developing the Interim Final Rule interpreted the term "compromises" as meaning that a threshold substantial harm standard should be included when determining whether a breach of data has occurred. However, the Members indicate in their letter that they considered whether a "harm standard" should be a part of the legislation and decided not to include such a standard. The letter urges HHS to revise and repeal the harm standard provisions included in the Interim Final Rule.
The letter was submitted by Rep. Henry Waxman, Rep. Charles Rangel, Rep. John Dingell, Rep. Frank Pallone, Jr., Rep. Pete Stark and Rep. Joe Barton.
Tip to Alan Goldberg, health care attorney and American Health Lawyers Association HIT Listserve Moderator, who posted a copy of the letter.
ARRA - HITECH: Health Care Information Breach Notification Regulations Now In Effect
Read on for more information regarding the Office for Civil Rights (OCR) and Federal Trade Commission (FTC) regulations requiring health care providers and other health data business vendors to assess and in some cases notify and report health information data breaches under the new federal law created by ARRA-HITECH.
The new regulations went into effect on September 23, 2009 and September 24, 2009, respectively, with a full compliance date of February 22, 2010. Health care providers covered under HIPAA and third party users of health information, including personal health record (PHR) companies and vendors, PHR related entities, health 2.0 companies and other third party health data service providers, should examine the regulations and understand the impact on their business.
The regulations require entities to develop internal compliance processes to act upon and advise individuals of data breaches that pose a significant risk of financial, reputational or other harm to the affected individual. The OCR regulations apply mainly to covered entities and business associates under HIPAA and the FTC regulations apply mainly to PHR vendors and PHR related entities. The regulations define a "breach" and set forth the time frames and scope of notification required. The regulations require the tracking and reporting of such data breaches to OCR and FTC. Also, OCR has published separate guidance specifying the technology and methods that will render health information unusable, unreadable and undecipherable as defined under ARRA-HITECH.
OCR has provided a summary of the breach notification rule on its website. OCR has also published instructions for reporting breaches to the HHS Secretary. The instructions include details for reporting "Breaches Affecting 500 or More Individuals" and "Breaches Affecting Fewer than 500 Individuals." OCR will also maintain a list of reported breaches that impact 500 or more individuals. The FTC also has a section on its website providing information on its health breach notification rule.
Below are links to the full regulation text:
- OCR Interim Final Rule - Breach Notification for Unsecured Protected Health Information (45 CFR Part 160 and 164) 74 Fed. Reg. 42740 (Aug 24, 2009).
- OCR Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification Requirements Under Section 13402 of Title XIII (Health Information Technology for Economic and Clinical Health Act) of the American Recovery and Reinvestment Act of 2009; Request for Information 74 Fed. Reg. 19006 (April 27, 2009).
- Federal Trade Commission: Health Breach Notification Rule: Final Rule -- Issued Pursuant to the American Recovery and Reinvestment Act of 2009 -- Requiring Vendors of Personal Health Records and Related Entities To Notify Consumers When the Security of Their Individually Identifiable Health Information Has Been Breached (16 CFR Part 318) 74 Fed. Reg. 42962 (Aug 25, 2009). The FTC has also issued a Breach Notification Form.
Today the OCR/HHS issued a statement that the OCR Interim Final Rule listed above and published on August 24, 2010, is being withdrawn from the Office of Management and Budget (OMB). The full notice published on the OCR website states:
Breach Notification Final Rule Update
The Interim Final Rule for Breach Notification for Unsecured Protected Health Information, issued pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act, was published in the Federal Register on August 24, 2009, and became effective on September 23, 2009. During the 60-day public comment period on the Interim Final Rule, HHS received approximately 120 comments.
HHS reviewed the public comment on the interim rule and developed a final rule, which was submitted to the Office of Management and Budget (OMB) for Executive Order 12866 regulatory review on May 14, 2010. At this time, however, HHS is withdrawing the breach notification final rule from OMB review to allow for further consideration, given the Department’s experience to date in administering the regulations. This is a complex issue and the Administration is committed to ensuring that individuals’ health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur. We intend to publish a final rule in the Federal Register in the coming months.
Thursday, September 10, 2009
West Virginia's Statewide Health Information Technology Strategic Plan
The final draft of the West Virginia Health Information Technology Statewide Strategic Plan, September 2009 is now available for review and comment. Additional comments and feedback on the strategic plan are welcome.
The strategic plan is a part of West Virginia's efforts to position itself as a national leader in implementing and adopting health information technology to improve our health care system. The strategic plan will be a part of the state's efforts to submit applications to the Office of the National Coordinator for Health Information Technology (ONC) for funding under the State Health Information Exchange Cooperative Agreement Program and the Health Information Technology Extension Program: Regional Centers Cooperative Agreement Program, both programs developed under the American Recovery and Reinvestment Act of 2009, Title XIII - Health Information Technology, Subtitle B.
The project has been led by the Adoption of Health Information Technology Workgroup under the West Virginia Health Improvement Institute. Both private and public stakeholders from across West Virginia have collaborated and provided input into the development of the strategic plan.
Thursday, August 20, 2009
OCR Designates HIPAA Regional Office Privacy Advisors
The designation of these Regional Office Privacy Advisors was mandated by the ARRA-HITECH provisions under Section 13403(a). The Regional Office Privacy Advisors will offer guidance and education to covered entities, business associates, and individuals on their rights and responsibilities related to the HIPAA Privacy and Security Rules.
The names, addresses, and contact information for each of the Regional Managers, together with a list of the States for which each Regional Manager has responsibility, are listed below:
Region I - Boston (Connecticut, Maine, Massachusetts, New Hampshire, Rhode Island, Vermont)
Peter Chan, Regional Manager
Office for Civil Rights
U.S. Department of Health and Human Services
Government Center
J.F. Kennedy Federal Building - Room 1875
Boston, MA 02203
Voice Phone (617)565-1340
FAX (617)565-3809
TDD (617)565-1343
Region II - New York (New Jersey, New York, Puerto Rico, Virgin Islands)
Michael Carter, Regional Manager
Office for Civil Rights
U.S. Department of Health and Human Services
Jacob Javits Federal Building
26 Federal Plaza - Suite 3312
New York, NY 10278
Voice Phone (212)264-3313
FAX (212)264-3039
TDD (212)264-2355
Region III - Philadelphia (Delaware, District of Columbia, Maryland, Pennsylvania, Virginia, West Virginia)
Paul Cushing, Regional Manager
Office for Civil Rights
U.S. Department of Health and Human Services
150 S. Independence Mall West
Suite 372, Public Ledger Building
Philadelphia, PA 19106-9111
Main Line (215)861-4441
Hotline (800) 368-1019
FAX (215)861-4431
TDD (215)861-4440
Region IV - Atlanta (Alabama, Florida, Georgia, Kentucky, Mississippi, North Carolina, South Carolina, Tennessee)
Roosevelt Freeman, Regional Manager
Office for Civil Rights
U.S. Department of Health and Human Services
Atlanta Federal Center, Suite 3B70
61 Forsyth Street, S.W.
Atlanta, GA 30303-8909
Voice Phone (404)562-7886
FAX (404)562-7881
TDD (404)331-2867
Region V - Chicago (Illinois, Indiana, Michigan, Minnesota, Ohio, Wisconsin)
Valerie Morgan-Alston, Regional Manager
Office for Civil Rights
U.S. Department of Health and Human Services
233 N. Michigan Ave., Suite 240
Chicago, IL 60601
Voice Phone (312)886-2359
FAX (312)886-1807
TDD (312)353-5693
Region VI - Dallas (Arkansas, Louisiana, New Mexico, Oklahoma, Texas)
Ralph Rouse, Regional Manager
Office for Civil Rights
U.S. Department of Health and Human Services
1301 Young Street, Suite 1169
Dallas, TX 75202
Voice Phone (214)767-4056
FAX (214)767-0432
TDD (214)767-8940
Region VII - Kansas City (Iowa, Kansas, Missouri, Nebraska)
Frank Campbell, Regional Manager
Office for Civil Rights
U.S. Department of Health and Human Services
601 East 12th Street - Room 248
Kansas City, MO 64106
Voice Phone (816)426-7277
FAX (816)426-3686
TDD (816)426-7065
Region VIII - Denver (Colorado, Montana, North Dakota, South Dakota, Utah, Wyoming)
Velveta Howell, Regional Manager
Office for Civil Rights
U.S. Department of Health and Human Services
1961 Stout Street -- Room 1426 FOB
Denver, CO 80294-3538
Voice Phone (303)844-2024
FAX (303)844-2025
TDD (303)844-3439
Region IX - San Francisco (American Samoa, Arizona, California, Guam, Hawaii, Nevada)
Michael Kruley, Regional Manager
Office for Civil Rights
U.S. Department of Health and Human Services
90 7th Street, Suite 4-100
San Francisco, CA 94103
Voice Phone (415)437-8310
FAX (415)437-8329
TDD (415)437-8311
Region X - Seattle (Alaska, Idaho, Oregon, Washington)
Linda Yuu Connor, Regional Manager
Office for Civil Rights
U.S. Department of Health and Human Services
2201 Sixth Avenue - M/S: RX-11
Seattle, WA 98121-1831
Voice Phone (206)615-2290
FAX (206)615-2297
TDD (206)615-2296
Monday, May 18, 2009
ONC Releases HIT ARRA Implementation Plan
The operating plan is included on the DHHS Agency Wide Plan page under the "List of Recovery Programs within HHS."
The operating plan outlines immediate actions to meet statutory requirements under the Health Information Technology for Economic and Clinical Health Act (HITECH) provisions of the ARRA. The
The topic headings for the operating plan include:
A. Funding Table
B. Objectives
C-E. Activities, Characteristics and Delivery Schedules
F. Environmental Review Compliance
G. Measures
H. Monitoring/Evaluation
I. Transparency
J. Accountability
K. Barriers to Effective Implementation
L. Federal Infrastructure Investment
Thanks to Jim Tate (@jimtate) and John Chilmark (@john_chilmark) for pointing out the report.
Wednesday, May 6, 2009
Update On HIT Policy and Standards Committees
More information will be made available via the "new" Health Information Technology website of the Office of the National Coordinator.
The summary of the notice on establishing the HIT Policy Committee states:
This notice announces the establishment of the HIT Policy Committee. The American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5), section 13101, directs the establishment of the HIT Policy Committee. The HIT Policy Committee (also referred to as the "Committee") is charged with recommending to the National Coordinator a policy framework for the development and adoption of a nationwide health information technology infrastructure that permits the electronic exchange and use of health information as is consistent with the Federal Health IT Strategic Plan and that includes recommendations on the areas in which standards, implementation specifications, and certification criteria are needed. The HIT Policy Committee is also charged with recommending to the National Coordinator an order of priority for the development, harmonization, and recognition of such standards, specifications, and certification criteria.
The notice outlines the criteria for members of the HIT Policy Committee and states that the appointments shall be made in the following manner:
- 1 member shall be appointed by the majority leader of the Senate;
- 1 member shall be appointed by the minority leader of the Senate;
- 1 member shall be appointed by the Speaker of the House of Representatives;
- 1 member shall be appointed by the minority leader of the House of Representatives;
- Such other members as shall be appointed by the President as representatives of other relevant Federal agencies;
- 13 members shall be appointed by the Comptroller General of the United States of whom-
  - 3 members shall be advocates for patients or consumers;
  - 2 members shall represent health care providers, one of which shall be a physician;
  - 1 member shall be from a labor organization representing health care workers;
  - 1 member shall have expertise in health information privacy and security;
  - 1 member shall have expertise in improving the health of vulnerable populations;
  - 1 member shall be from the research community;
  - 1 member shall represent health plans or other third-party payers;
  - 1 member shall represent information technology vendors;
  - 1 member shall represent purchasers or employers; and
  - 1 member shall have expertise in health care quality measurement and reporting.
- Non-federal members of the Committee shall be Special Government Employees, unless classified as representatives.
The summary of the notice on establishing the HIT Standards Committee states:
This notice announces the establishment of the HIT Standards Committee. The American Recovery and Reinvestment Act of 2009 (ARRA) (Pub. L. 111-5), section 13101, directs the establishment of the HIT Standards Committee. The HIT Standards Committee (also referred to as the "Committee") is charged with making recommendations to the National Coordinator on standards, implementation specifications, and certification criteria for the electronic exchange and use of health information for purposes of adoption, consistent with the implementation of the Federal Health IT Strategic Plan, and in accordance with policies developed by the HIT Policy Committee.
The notice outlines the criteria for members of the HIT Standards Committee and states that the appointments shall be made in the following manner:
The HIT Standards Committee shall not exceed thirty (30) voting members, including a Chair and Vice Chair, and members are appointed by the Secretary with input from the National Coordinator. Membership of the Committee shall at least reflect providers, ancillary healthcare workers, consumers, purchasers, health plans, technology vendors, researchers, relevant Federal agencies, and individuals with technical expertise on health care quality, privacy and security, and on the electronic exchange and use of health information and shall represent a balance among various sectors of the health care system so that no single sector unduly influences the recommendations of the Committee. Non-Federal members of the Committee shall be Special Government Employees, unless classified as representatives.
Thanks for the tip on the issuance of the notice to John Halamka at Life as a Healthcare CIO: Next Steps on the HIT Policy and Standards Committees.
UPDATE (5/7/09): Brian Ahier (@ahier) provides the latest update with information on the first meetings of the HIT Policy Committee on May 11 and HIT Standards Committee meeting on May 15. Brian also provides links to the announcement by the GAO of 13 of the members of the HIT Policy Committee.
The announcement includes a list of the 13 members appointed by the Acting Comptroller General covering 10 different categories:
Advocates for Patients or Consumers
1. Christine Bechtel, Washington, D.C. (3 year term)
Vice President, National Partnership for Women & Families
2. Arthur Davidson, M.D., Denver, Colorado (2 year term)
Denver Public Health Department; Director, Public Health Informatics; Director, Denver Center for Public Health Preparedness; Medical epidemiologist; Director, HIV/AIDS Surveillance, City and County of Denver
3. Adam Clark, Ph.D., Austin, Texas (1 year term)
Director of Research and Policy, Lance Armstrong Foundation
Representatives of Health Care Providers, including 1 physician
4. Marc Probst, Salt Lake City, Utah (3 year term)
Chief Information Officer, Intermountain Healthcare
5. Paul Tang, M.D., Mountain View, California (2 year term)
Vice President and Chief Medical Information Officer, Palo Alto Medical Foundation
Labor Organization Representing Health Care Workers
6. Scott White, New York City, New York (1 year term)
Assistant Director, Technology Project Director, 1199 SEIU Training and Employment Fund
Expert in Health Information Privacy & Security
7. LaTanya Sweeney, Ph.D., Pittsburgh, Pennsylvania (3 year term)
Director, Data Privacy Lab, Associate Professor of Computer Science, Technology and Policy, Carnegie Mellon University
Expert in Improving the Health of Vulnerable Populations
8. Neil Calman, M.D., New York City, New York (2 year term)
President and CEO, The Institute for Family Health, Inc.
Research Community
9. Connie Delaney, R.N., Ph.D., Minneapolis, Minnesota (1 year term)
Dean, School of Nursing, University of Minnesota
Representative of Health Plans or Other Third-Party Payers
10. Charles Kennedy, M.D., Camarillo, California (3 year term)
Vice President, Health Information Technology, Wellpoint, Inc.
Representative of Information Technology Vendors
11. Judith Faulkner, Verona, Wisconsin (2 year term)
Founder, CEO, President, Chairman of the Board, Epic Systems Corporation
Representative of Purchasers or Employers
12. David Lansky, Ph.D., San Francisco, California (1 year term)
President and CEO, Pacific Business Group on Health
Expert in Health Care Quality Measurement and Reporting
13. David Bates, M.D., Boston, Massachusetts (3 year term)
Medical Director for Clinical and Quality Analysis, Chief of General Internal Medicine, Partners HealthCare/Brigham & Women’s Hospital
More information on the upcoming meetings:
- HIT Standards Committee - Federal Register (May 6, 2009) announcement of meeting.
- HIT Policy Committee - Federal Register (May 6, 2009) announcement of meeting.
Friday, April 24, 2009
AHLA Teleconference: HIPAA Privacy Fundamentals

The teleconference is scheduled for May 13, 2009, 1:00 - 2:30 pm EST. My co-presenter is Rebecca L. Williams of Davis Wright Tremaine LLP and the moderator will be Phyllis Granade of Adorn & Yoss.
This teleconference is geared toward gaining a basic understanding of HIPAA privacy law for health lawyers (think, HIPAA 101). We will also be discussing the impact of the changes under the HITECH Act of 2009. Although geared toward health lawyers, this teleconference would also be valuable for health care professionals and others in the industry interested in learning more about HIPAA.
You can find out more about the teleconference and how to register via the AHLA website.
Sunday, April 19, 2009
HITECH Act Breach Notification Guidance: What Renders PHI Unusable, Unreadable or Indecipherable For Purposes of Breach Notification?
The April 27, 2009 Federal Register (74 FR 19006) contains the official copy of the regulation, Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification Requirements Under Section 13402 of Title XIII (Health Information Technology for Economic and Clinical Health Act) of the American Recovery and Reinvestment Act of 2009; Request for Information.
The guidance is effective as of April 17, 2009. However, the guidance will apply to breaches 30 days after publication of the interim final regulations.
HHS's press release on the guidance states:
The guidance issued today provides steps entities can take to secure personal health information and establishes the trigger for when entities must notify that patient data has been compromised. This guidance is related to “breach notification” regulations, which will be issued by HHS and the Federal Trade Commission respectively. The HHS regulations will apply to entities covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the FTC regulation will apply to vendors of personal health records and certain others not covered by HIPAA. The Recovery Act requires that these regulations be published within 180 days of enactment.
The guidance also seeks public comments on the guidance as well as the breach notification provisions under FTC's new Health Breach Notification Rule and the yet-to-be-released HHS Breach Notification Requirements for HIPAA Covered Entities and Business Associates. Public comments must be submitted on or before May 21, 2009.
The guidance was developed through a joint effort by the HHS Office for Civil Rights (OCR), Office of the National Coordinator for Health Information Technology (ONC), and Centers for Medicare & Medicaid Services (CMS).