“The Interim Final Rule for Breach Notification for Unsecured Protected Health Information, issued pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act, was published in the Federal Register on August 24, 2009, and became effective on September 23, 2009. During the 60-day public comment period on the Interim Final Rule, HHS received approximately 120 comments.

HHS reviewed the public comment on the interim rule and developed a final rule, which was submitted to the Office of Management and Budget (OMB) for Executive Order 12866 regulatory review on May 14, 2010.  At this time, however, HHS is withdrawing the breach notification final rule from OMB review to allow for further consideration, given the Department’s experience to date in administering the regulations.  This is a complex issue and the Administration is committed to ensuring that individuals’ health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur.  We intend to publish a final rule in the Federal Register in the coming months.”

You may follow developments with this Final Rule at the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) Web site, and HIPAA.com will bring you updates as well.

Stay tuned!

[20100730]

]]> http://www.hipaa.com/2010/07/hhs-pulls-breach-notification-file-rule/feed/ 0 http://www.hipaa.com/2010/07/ehr-incentive-and-certification-criteria-final-rules-published-in-federal-register/ http://www.hipaa.com/2010/07/ehr-incentive-and-certification-criteria-final-rules-published-in-federal-register/#comments Wed, 28 Jul 2010 16:41:10 +0000 Ed Jones http://www.hipaa.com/?p=2293 The EHR Incentive and Certification final rules were published in the Federal Register this morning, July 28, 2010.  HIPAA.com provides the title, summary, effective date, and URL for each below.

Department of Health and Human Services, Centers for Medicare & Medicaid Services, “42 CFR Parts 412, 413, 422, and 495;  Medicare and Medicaid Programs; Electronic Health Record Incentive Program; Final Rule, Federal Register, 75(144), Wednesday, July 28, 2010, pp. 44313-44588.

Summary:  This final rule implements the provisions of the American Recovery and Reinvestment Act of 2009 (ARRA)(Public Law 111-5) that provide incentive payments to eligible professionals (EPs), eligible hospitals and critical access hospitals (CAHs) participating in Medicare and Medicaid programs that adopt and successfully demonstrate meaningful use of certified electronic health record (EHR) technology. This final rule specifies–the initial criteria EPs, eligible hospitals, and CAHs must meet in order to qualify for an incentive payment; calculation of the incentive payment amounts; payment adjustments under Medicare for covered professional services and inpatient hospital services provided by EPs, eligible hospitals and CAHs failing to demonstrate meaningful use of certified EHR technology; and other program participation requirements.  Also, the Office of the National Coordinator for Health Information Technology (ONC) will be issuing a closely related final rule that specifies the Secretary’s adoption of an initial set of standards, implementation specifications, and certification criteria for electronic health records.  ONC has also issued a separate final rule on the establishment of certification programs for health information technology. [p.44314]

Effective Date:  September 27, 2010

URL:  http://edocket.access.gpo.gov/2010/pdf/2010-17207.pdf.

Department of Health and Human Services, Office of the Secretary, “45 CFR Part 170; Health Information Technology:  Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology; Final Rule,”  Federal Register, 75(144), Wednesday, July 28, 2010, pp. 44589-44654.

Summary:  The Department of Health and Human Services (HHS) is issuing this final rule to complete the adoption of an initial set of standards, implementation specifications, and certification criteria, and to more closely align such standards, implementation specifications, and certification criteria with final meaningful use Stage 1 objectives and measures.  Adopted certification criteria establish the required capabilities and specify the related standards and implementation specifications that certified electronic health record (EHR) technology will need to include to, at a minimum, support the achievement of meaningful use Stage 1 eligible professionals, eligible hospitals, and/or critical access hospitals (hereafter, references to ‘eligible hospitals’ in this final rule shall mean ‘eligible hospitals and/or critical access hospitals’) under the Medicare and Medicaid EHR Incentive Programs. Complete EHRs and EHR Modules will be tested and certified according to adopted certification criteria to ensure that they have properly implemented adopted standards and implementations specifications and otherwise comply with the adopted certification criteria. [p. 44590]

Effective Date:  August 27, 2010

URL:  http://edocket.access.gpo.gov/2010/pdf/2010-17210.pdf.

These final rules follow on the June 24, 2010, publication in the Federal Register of ONC’s final rule:  Establishment of the Temporary Certification Program for Health Information Technology, with an effective date the same as the publication date.  HIPAA.com did a post on the Federal Register’s prepublication release of this rule on June 18, 2010.  [20100728]

Public listing of such breaches is required by the Health Information Technology for Economic and Clinical Health Act (HITECH Act) that was enacted as part of the American Recovery and Reinvestment Act of 2009. The breach list has been on the OCR Web site since February 23, 2010, the day after OCR began enforcement of breach notification for breaches that occurred on or after February 22. Excluding seven breaches that were not identified as to location, 25% involved breaches of protected health information (PHI) in hard copy (paper)form and 75% in various electronic forms.

Of the 25 identified hard copy (paper) breaches, the largest category was “other,” which means that OCR either needs to require more detailed information on “what happened” of covered entities reporting breaches or to provide greater specificity regarding the category: Type of Breach, if covered entities provide such information.

Of the hard copy (paper) breaches providing information in that category, six involved theft, five unauthorized access, four improper disposal, four loss, and one incorrect mailing. Included in those totals are three compound types reported by covered entities: one theft/loss, one theft/unauthorized access, and one improper disposal/loss.

The OCR Web site that lists breaches is at: hhs.gov.

On Friday, July 2, 2010, OMB received from the Office of the Secretary at the Department of Health and Human Services (HHS) for review Health Information Technology:  Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology; Final Rule.  The Interim Final Rule was issued on January 13, 2010, was effective February 12, 2010, and the public comment period ended on March 15, 2010.  From the Abstract:  ”The certification criteria adopted in this initial set establish the technical capabilities  and related standards that certified electronic health record (EHR) technology will need to include in support of the Medicare and Medicaid EHR Incentive Programs.”

On Monday, July 5, 2010, OMB received from HHS’ Center for Medicare & Medicaid Services (CMS) for review Electronic Health Record (EHR) Incentive Program; Final Rule. The Notice of Proposed Rulemaking (NPRM) was issued on January 13, 2010 (75 Federal Register 1843), and the public comment period ended on March 15, 2010.  From the Abstract:  ”The Medicare and Medicaid Health IT provisions in the American Recovery and Reinvestment Act of 2009 promote the adoption and meaningful use of certified electronic health records (EHRs).  The Recovery Act authorized incentive payments for eligible professionals (EPs) and hospitals participating in Medicare and Medicaid for becoming meaningful users of certified EHRs.  The law established maximum annual incentive amounts and includes Medicare penalties for failing to meaningfully use EHRs beginning in 2015, for professionals and hospitals that fail to adopt certified EHRs.”  This rule outlines statutory deadlines for the programs:

January 1, 2011:  Date can start incentive payments to EPs (Medicare)

October 1, 2010:  Date can start incentive payments to hospitals (Medicare)

The rule “[e]stablishes policies and procedures required before the incentive program can begin.  Additionally, supplemental payments are available in 2011 and 2012.  If eligible professionals and hospitals are not meaningful Electronic Health Record users by 2015, there will be a Medicare payment adjustment imposed.”

These two rules go together.  Because of upcoming deadlines, and the information contained therein relates to the Final Rule published in the Federal Register on June 24, 2010:  Establishment of the Temporary Certification Program for Health Information Technology; Final Rule (75 Federal Register 36157), it is likely that OMB will expedite review of the two referenced final rules and publication in the Federal Register will occur shortly thereafter.  (20100706)

Legal authority for the NPRM is in Sections 13400 to 13410 of Subtitle D (Privacy) of the HITECH Act, which was enacted as part of the American Recovery and Reinvestment Act of 2009 (Public Law 111-5), enacted on February 17, 2009. Those sections cover:

13400:  Definitions

13401:  Application of Security Provisions and Penalties to Business Associates of Covered Entities; Annual Guidance on Security Provisions

13402:  Notification in the Case of Breach

13403:  Education on Health Information Privacy

13404:  Application of Privacy Provisions and Penalties to Business Associates of Covered Entities

13405:  Restrictions on Certain Disclosures and Sales of Health Information; Accounting of Certain Protected Health Information Disclosures; Access to Certain Information in Electronic Format

13406:  Conditions on Certain Contacts as Part of Health Care Operations

13407:  Temporary Breach Notification Requirement for Vendors of Personal Health Records and Other Non-HIPAA Covered Entities

13408:  Business Associate Contracts Required for Certain Entities

13409:  Clarification of Application of Wrongful Disclosures Criminal Penalties

13410:  Improved Enforcement

These sections appear in Subtitle D (Privacy) on pp. 258-276 of Public Law 111-5, which is available for download on hipaa.com.  The NPRM represents enabling rules for referenced statutory provisions from within some or all of those sections.

The Abstract of the NPRM is:

“The Department of Health and Human Services Office for Civil Rights will issue rules to modify the HIPAA Privacy, Security, and Enforcement Rules as necessary to implement the privacy, security, and certain enforcement provisions of subtitle D of the [HITECH Act](Title XIII of the American Recovery and Reinvestment Act of 2009).”

In addition to the NPRM discussed above, OMB still has under review the Final Rule entitled:  HIPAA Administrative Simplification; Notification in the Case of Breach (RIN:  0991-AB56), which would replace the Interim Final Rule that was published in the Federal Register on August 24, 2009 (74 Federal Register 42739-42770).

The Abstract of the Final Rule is:

“The Department will issue final rules for HIPAA covered entities and business associates with respect to breach notification of unsecured protected health information as required by section 13402 of the [HITECH Act](Title XIII of the American Recovery and Reinvestment Act of 2009).”

(20100705)

Public listing of such breaches is required by the Health Information Technology for Economic and Clinical Health Act (HITECH Act) that was enacted as part of the American Recovery and Reinvestment Act of 2009.  The breach list has been on the OCR Web site since February 23, 2010, the day after OCR began enforcement of breach notification for breaches that occurred on or after February 22.  Excluding seven breaches that were not identified as to location, 25% involved breaches of protected health information (PHI) in hard copy (paper) form and 75% in various electronic forms.  Of the electronic breaches, which included several in multiple electronic forms, 34 involved laptops, 15 desktops, 11 portable devices, 9 servers, and the remaining 11 miscellaneous forms (2 hard disks, 2 computers (not otherwise identified), 2 backup tapes, 2 electronic medical records (EMRs), 2 other (not identified), and 1 CD).

Of the 75 electronic breaches, 58, or 77%, involved theft, and 11, or 15%, involved unauthorized access, with 7 of those 11 also reported in association with theft.  There were six reported losses, or 8%, with 2 of those 6 also reported in association with theft.  There were four reported hacking incidents, or 5%, with 1 of those 4 also reported in association with unauthorized access.  Finally, there were 6, or 8%, defined as other, with 1 of those 6 also reported in association with theft.

Of the 34 breaches involving a laptop, 32, or 94% involved a theft, and the remaining 2 breaches, or 6%, involved a loss. Of the 11 breaches involving a portable device, 10, or 91%, involved a theft, with one, or 9%, a loss.  Whether a theft or loss, the evidence from the growing number of publicly reported breaches is that portable computers and devices must be encrypted to secure protected health information, in accordance with the August 24, 2009, Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals (74 Federal Register 42742-42743) in order to avoid the growing costs to breaching entities of complying with provisions of the breach notification rule, reputational harms to those entities, and financial and inconvenience harms to affected individuals. [20100702]

The summary of the final rule is reproduced here:

“This final rule establishes a temporary certification program for the purposes of testing and certifying health information technology.  This final rule is established under the authority granted to the National Coordinator for Health Information Technology (the National Coordinator) by section 3001(c)(5) of the Public Health Service Act (PHSA), as added by the Health Information Technology for Economic and Clinical Health (HITECH) Act.  The National Coordinator will utilize the temporary certification program to authorize organizations to test and certify Complete Electronic Health Records (EHRs) and/or EHR Modules, thereby making Certified EHR Technology available prior to the date on which health care providers seeking incentive payments available under the Medicare and Medicaid Incentive Programs may begin demonstrating meaningful use of Certified EHR Technology.”

The Medicare incentive program mentioned in the summary is expected to start in January 2011 and the Medicaid incentive program may start as early as the beginning of the fourth quarter of 2010, when the new federal fiscal year (FY  2011) starts.  (20100618)

“Under the authority granted to the National Coordinator for Health Information Technology (the National Coordinator) by section 3001(c)(5) of the Public Health Service Act (PHSA) as added by the Health Information Technology for Economic and Clinical Health (HITECH) Act, this rule proposes the establishment of two certification programs for purposes of testing and certifying health information technology.  While two certification programs are described in this proposed rule, we anticipate issuing separate final rules for each of the programs.  The first proposal would establish a temporary certification program whereby the National Coordinator would authorize organizations to test and certify Complete EHRs and/or EHR Modules, thereby assuring the availability of Certified EHR Technology prior to the date on which health care providers seeking the incentive payments available under the Medicare and Medicaid EHR Incentives Program may begin demonstrating meaningful use of Certified EHR Technology. The second proposal would establish a permanent certification program to replace the temporary certification program.  The permanent certification program would separate the responsibilities for performing testing and certification, introduce accreditation requirements, establish requirements for certification bodies authorized by the National Coordinator related to the surveillance of Certified EHR Technology, and would include the potential for certification bodies authorized by the National Coordinator to certify other types of health information technology besides Complete EHRs and EHR Modules.” (75 Federal Register 11328) [emphasis added]

As the incentive programs for Medicare begin in 2011 and for Medicaid perhaps as early as the beginning of FY 2011 in October 2010, it is likely that the final rule relates to the temporary certification program as described in the bolded portion of the summary above.  (20100616)

On October 30, 2009, HHS published in the Federal Register the Interim Final Rule (IFR): HIPAA Administrative Simplification: Enforcement.[1] This IFR strengthened HIPAA enforcement of February 17, 2009-enacted HITECH Act penalty revisions, which were effective for violations beginning on February 18, 2009. The enforcement IFR was effective on November 30, 2009. This IFR followed by several months HHS Secretary Kathleen Sebelius’ delegation of enforcement of the HIPAA Security Rule to the Office for Civil Rights (OCR)[2], which had HIPAA Privacy Rule enforcement responsibilities since the April 14, 2003, compliance date for the Privacy Rule.

OCR’s unified enforcement of the HIPAA Privacy Rule, HIPAA Security Rule, and the Breach Notification Rule and higher penalties increase the likelihood and severity of consequences of noncompliance with those rules, especially with the advent of compliance audits in addition of complaint investigations.

Before the February 17, 2009-enacted HITECH Act penalty revisions, civil penalties for HIPAA violations were $1000 for each violation or $25,000 for all violations of the same provision in a calendar year period. Under the HITECH Act, penalties are substantially increased and have been divided into four tiers, with a maximum of $1.5 million for all violations of an identical provision in a calendar year. The tiered Penalties now range as follows, for each violation:

• $100-$50,000 if the covered entity did not know an, by exercising reasonable diligence, would not have known, that it violated such provision.
• $1,000-$50,000 if the violation was due to reasonable cause and not to willful neglect.
• $10,000-$50,000 if the violation was due to willful neglect and was corrected “during the 30-day period beginning on the first date the covered entity liable for the penalty knew, or, by exercising reasonable diligence, would have known that the violation occurred.”[3]
• $50,000 or more if the violation was due to willful neglect and was not corrected as required.

In announcing strengthened enforcement, OCR Director Georgina Verdugo said:

“The Department’s implementation of these HITECH Act enforcement provisions will strengthen the HIPAA protections and rights related to an individual’s health information…. This strengthened penalty scheme will encourage health care providers, health plans and other health care entities required to comply with HIPAA to ensure that their compliance programs are effectively designed to prevent, detect and quickly correct violations of the HIPAA rules… Such heightened vigilance will give consumers greater confidence in the privacy and security of their health information and in the industry’s use of health information technology.”[4]

Currently, there is at OMB for review as a Notice of Proposed Rulemaking (NPRM): Modifications to the HIPAA, Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act.[5] According to the Abstract: “The Department of Health and Human Services Office for Civil Rights will issue rules to modify the HIPAA Privacy, Security, and Enforcement Rules as necessary to implement the privacy, security, and certain enforcement provisions of subtitle D [Privacy] of the [HITECH Act].” After clearance at OMB, the NPRM will be published in the Federal Register. Be alert to NPRM modifications to privacy, security, and enforcement requirements, and the likelihood of relative quick—by HIPAA time standards—compliance dates for each through follow-on interim final rules.

Please visit the OCR Enforcement Web site for additional information now and updated information in the future.

[1] Department of Health and Human Services, Office of the Secretary, “45 CFR Part 160, HIPAA Administrative Simplification: Enforcement; Interim Final Rule,” Federal Register, v.74, n.209, October 30, 2009, pages 56123-56131. Citations to this document are in the format: 74 FR page(s). This document is available online at: www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/enfifr.pdf.

[2] OCR also is responsible for enforcement of the HITECH Act Breach Notification Rule. The delegation of enforcement of the HIPAA Security Rule was from the Centers for Medicare & Medicaid Services (CMS), which retains enforcement authority for the HIPAA Transaction and Code Set and Identifiers Rules. See Department of Health and Human Services, Office of the Secretary, “Office for Civil Rights; Delegation of Authority,” Federal Register, v.74, n.148, August 4, 2009, page 38630. This document is available online at: www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/srdelegation.pdf.

[3] 74 Federal Register 56131.

[4] Department of Health and Human Services, “HHS Strengthens HIPAA Enforcement, “ news release, October 30, 2009, which is available online at: http://www.hhs.gov/news/press/2009pres/10/20091030a.html.

[5] This document, Regulation Identifier Number (RIN) 0991- AB57, was received at OMB on April 12, 2010, and attributes of this NPRM, but not its content, are available online at: http://www.reginfo.gov/public/do/eAgendaViewRule?pubId=201004&RIN=0991-AB57.

“At the request of several Members of Congress, the Federal Trade Commission is further delaying enforcement of the ‘Red Flags’ Rule through December 31, 2010, while Congress considers legislation that would affect the scope of entities covered by the Rule.  Today’s announcement and the release of an Enforcement Policy Statement do not affect other federal agencies’ enforcement of the original November 1, 2008 deadline for institutions subject to their oversight to be in compliance….

“The Commission urges Congress to act quickly to pass legislation that will resolve any questions as to which entities are covered by the Rule and obviate the need for further enforcement delays.  If Congress passes legislation limiting the scope of the Red Flags Rule with an effective date earlier than December 31, 2010, the Commission will begin enforcement as of that effective date.”

The issue regarding the delays in FTC enforcement relates to “scope of entities covered by the Rule,” as indicated in the FTC news release.  Congress is taking action[2]:

“House lawmakers in October [2009] passed H.R. 3763[3], which would exclude from the Red Flags guidelines meaning of ‘creditor’ any healthcare, accounting, or legal practice with 20 or fewer employees, as well as any other business which the FTC determines knows all its customers or clients individually; only performs services in or around the residences of its customers; or hasn’t experienced incidents of ID theft, and identity theft is rare for businesses of that type.  An identical bill, S.3416 was introduced in the Senate on May 25 [2010].”

A lawsuit was filed in federal court on May 21, 2010, to accomplish a similar objective of narrowing scope of entities covered by the Rule.  “[T]he American Medical Association, American Osteopathic Association and the Medical Society of the District of Columbia filed a lawsuit in federal court  challenging the decision to classify physicians as ‘creditors’ because they allow patients to defer payments.  The medical groups also said the implementation of the Red Flags Rule could threaten doctor-patient relationships and negatively affect patient care (Sorrel, American Medical News, 5/31).”[4]

Please visit the FTC Red Flags Rule Web site: http://www.ftc.gov/redflagsrule or the American Medical Association (AMA) Web site: http://www.ama-assn.org/ama/no-index/physician-resources/red-flags-rule.shtml for additional information. (20100603)

[2] Melissa Klein Aguilar, “Another Delay for FTC Red Flags Enforcement,” in Compliance Week, June 1, 2010, which is available online at: http://www.complianceweek.com/blog/aguilar/2010/06/01/once-again-ftc-delays-red-flags-enforcement/.

[3] The House passed H.R. 3763 by a vote of 400-0.

[4] California HealthCare Foundation, “FTC Delays Enforcement of ‘Red Flags Rule’ Until End of 2010,” iHealthBeat, June 1, 2010, which is available online at: http://www.ihealthbeat.org/articles/2010/6/1/ftc-delays-enforcement-of-red-flags-rule-until-end-of-2010.aspx.

This report comes several days after OCR’s release last Friday of its Draft Security Rule Guidance on Risk Analysis, the first in a series of guidances on security, that hipaa.com posted earlier today, and precedes the likely release later this month of the Notice of Proposed Rulemaking (NPRM):  Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act, which is currently at the Office of Management and Budget (OMB) for review prior to publication in the Federal Register.

In addition, the renewed emphasis on HIPAA Security Rule compliance may be due in part to the growing number of posted “Breaches Affecting 500 or More Individuals” on the OCR Web site.

As of May 6, 2010, OCR had listed on this site 77 covered entities that had experienced such breaches, with the total number of affected individuals 2,430,167.  Of the total listed breaches, 63 involved covered entities only and 14, 0r 18%, involved a business associate in some manner.  Of the 72 reported breaches identifying whether paper or electronic protected health information (PHI) was involved, 18, or 25% involved paper and 54, or 75%, involved electronic media.  Forty-five of those 54 breaches, or just over 83%, were instances of theft or loss, most often laptop or other portable devices, highlighting the need for encrypting PHI to secure it on those electronic media according to NIST-validated standards identified in the August 24, 2009, HHS Guidance.  That Guidance was discussed in earlier hipaa.com postings and is available on this site .

With increased enforcement comes the need for greater attention paid to HIPAA Privacy and Security Rule compliance and training.  hipaa.com will announce new online HIPAA privacy and security training initiatives later this month.  You may register on hipaa.com to be notified of the training announcement.

This eight-page document is available online.

The Draft Guidance on Risk makes the following key points:

“The Security Rule does not prescribe a specific risk analysis methodology, recognizing that methods will vary dependent on the size, complexity, and capabilities of the organization.  Instead, the Rule identifies risk analysis as the foundational element in the process of achieving compliance, and it establishes several objectives that any methodology adopted must achieve….

“The risk analysis process should be ongoing.  In order for an entity to update and document its security measures ‘as needed,’ which the Rule requires, it should conduct continuous risk analysis to identify when updates are needed….

“Risk analysis is the first step in an organization’s Security Rule compliance efforts.  Risk analysis is an ongoing process that should provide the organization with a detailed understanding of the risks to the confidentiality, integrity, and availability of e-PHI.”

OCR requests public comment on the Draft Guidance on Risk Analysis, which can be sent to OCRPrivacy@hhs.gov.

On the same day, April 29, the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) reported on its Web site 67 entities reporting “Breaches Affecting 500 or More Individuals” over the period September 22, 2009 to March 19, 2010.  That is up from the 36 that OCR listed on its initial posting of the list on February 23, 2010.  The current list is available on the OCR Web site.

Clearly, more “awareness and understanding” training on security safeguards and privacy controls regarding use and disclosure of protected health information (PHI) is necessary.  Such training is required under the HIPAA Privacy and Security Rules and includes training regarding the new HITECH Act Breach Notification Rule requirements.

HIPAA.com will have announcements about such training in May, offerred through HIPAA School.  You may register on the hipaa.com site for email notification of further details about HIPAA School training, and for postings provided on hipaa.com.  (20100429)

“SUMMARY.  Under the authority granted to the National Coordinator for Health Information Technology (the National Coordinator) by section 3001(c)(5) of the Public Health Service Act (PHSA) as added by the Health Information Technology for Economic and Clinical Health (HITECH ) Act, this rule proposes the establishment of two certification programs for purposes of testing and certifying health information technology.  While two certification  programs are described in this proposed rule, we anticipate issuing separate final rules for each of the programs.  The first proposal would establish a temporary certification program whereby the National Coordinator would authorize organizations to test and certify Complete EHRs and/or EHR Modules, thereby assuring the availability of Certified EHR Technology prior to the date on which health care providers seeking the incentive payments available under the Medicare and Medicaid EHR Incentives Program may begin demonstrating meaningful use of Certified EHR Technology.  The second proposal would establish a permanent certification program to replace the temporary certification program.  The permanent certification program would separate the responsibilities for performing testing and certification, introduce accreditation requirements, establish requirements for certification bodies authorized by the National Coordinator related to the surveillance of Certified EHR Technology, and would include the potential for certification bodies authorized by the national Coordinator to certify other types of health information technology besides Complete EHRs and EHR Modules.”

The Office of the National Coordinator for Health Information Technology requests written or electronic comments on the temporary certification program for receipt no later than 5 PM on April 9, 2010, and written or electronic comments on the permanent certification program no later than 5 PM on May 10, 2010.  Detailed instructions for submitting comments can be found on page 11328 of the NPRM referenced above.

Here are the appropriate authorities:

Section 13401 of Part 1 (Improved Privacy Provisions and Security Provisions) of Subtitle D (Privacy) of the HITECH Act (pp. 260): Application of Security Provisions and Penalties to Business Associates of Covered Entities

(a) Application of Security Provisions.  Sections 164.308 [Administrative Safeguards], 164.310 [Physical Safeguards], 164.312 [Technical Safeguards], and 164.316 [Policies and Procedures and Documentation Requirements] of title 45, Code of Federal Regulations, shall apply to a business associate of a covered entity in the same manner that such sections apply to the covered entity.  The additional requirements of this title that related to security and that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporated into the business associate agreement between the business associate and the covered entity. [42 USC 17931]

(b) Application of Civil and Criminal Penalties.  In the case of a business associate that violates any security provision specified in subsection (a), sections 1176 and 1177 of the Social Security Act (42 U.S.C. 1320d-5, 1320d-6) shall apply to the business associate with respect to such violation in the same manner such sections apply to a covered entity that violates such security provisions. [42 USC 17931]

NOTE:  Effective the day after of enactment of the HITECH Act (February 18, 2009), financial penalties were substantially increased for noncompliance with HIPAA standards, which cover policies, procedures, actions, assessments, and documentation requirements discovered during a compliance audit or complaint investigation.

Section 13423 of Part 2 (Relationship to Other Laws; Regulatory References; Effective Date; Reports) of Subtitle D (Privacy) of the HITECH Act (pp. 276):  Effective Date

Except as otherwise specifically provided, the provisions of part 1 shall take effect on the date that is 12 months after the date of the enactment of this title. [42 USC 17953]

Today marks the beginning of direct federal regulation of business associates’ compliance with the HIPAA Security Rule. [02/17/10]

Two weeks from today, on Wednesday, February 17, 2010, Business Associates of Covered Entities must comply with the HIPAA Security Rule.  For the first time Business Associates will be regulated by the federal government.  Section 13401 of Subtitle D (Privacy) of the HITECH Act (42 USC 17931) states that “[t]he additional requirements of this title that related to security and that are made applicable with respect to Covered Entities shall also be applicable to such a Business Associate and shall be incorporated into the business associate agreement between the business associate and the covered entity.” [Public Law 111-5, p.260]  In addition, penalties that apply to Covered Entities also will apply to Business Associates for noncompliance with the provisions of the Security Rule.

The next day, Thursday, February 18, 2010, a new restriction on disclosure of protected health information goes into effect that impacts Covered Entity health care providers.  According to Section 13405 of Subtitle D of the HITECH Act (42 USC 17935), a health care provider must honor a patient request to restrict disclosure of protected health information to a health plan for purposes other than carrying out treatment (namely, payment or health care operations) if the patient pays the health care provider out of pocket in full.

Finally, on Monday, February 22, 2010, enforcement of the Breach Notification Rule goes into effect for “failure to provide the required notifications for breaches” of unsecured protected health information discovered on or after the February 22 date.  [74 Federal Register 42757, August 24, 2009].  The Breach Notification Rule applies to Covered Entities and Business Associates, provides obligations for each regarding compilation and reporting of information pertaining to a breach by either party, and requires “incorporation [of those obligations] into the Business Associate Agreement between the Business Associate and the Covered Entity.” [42 USC 17934]

[02/03/2010]

42 USC 17931 (PART 1–IMPROVED PRIVACY PROVISIONS AND SECURITY PROVISIONS, Section 13401:  Application of Security Provisions and Penalties to Business Associates of Covered Entities; Annual Guidance on Security Provisions).

(a)  APPLICATION OF SECURITY PROVISIONS.–Sections 164.308 (Administrative Safeguards), 164.310 (Physical Safeguards), 164.312 (Technical Safeguards), and 164.316 (Policies and Procedures and Documentation Requirements) of title 45, Code of Federal Regulations, shall apply to a business associate of a covered entity in the same manner that such sections apply to a covered entity.  The additional requirements of this title that relate to security and that are applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporated into the business associate agreement between the business associate and the covered entity.

(b) APPLICATION OF CIVIL AND CRIMINAL PENALTIES.–In the case of a business associate that violates any security provision specified in subsection (a) [above], sections 1176 [General Penalty for Failure to Comply with Requirements and Standards] and 1177 [Wrongful Disclosure of Individually Identifiable Health Information] of the Social Security Act shall apply to the business associate with respect to such violation in the same manner such sections apply to a covered entity that violates such security provision….

42 USC 17953 (Section 13423:  EFFECTIVE DATE.  Except as otherwise specifically provided, the provisions of part 1 shall take effect on the data that is 12 months after the date of the enactment of this title [which was February 17, 2009].

If you are a covered entity, make sure that your business associates are aware to the upcoming Security Rule safeguards, policies and procedures, and documentation compliance provisions by February 17, 2010, and that your business associate agreement reflects this obligation. [01/18/2010]

“This proposed rule would implement the provisions of the American Recovery and Reinvestment Act of 2009 (ARRA)(Public Law 111-5) that provide incentive payments to eligible professionals (EPs) and eligible hospitals participating in Medicare and Medicaid programs that adopt and meaningfully use certified electronic health record (EHR) technology.  The proposed rule would specify the initial criteria an EP and eligible hospital must meet in order to qualify for the incentive payment; calculation of the incentive payment amounts; payment adjustments under Medicare for covered professional services and inpatient hospital services provided by EPs and eligible hospitals failing to meaningfully use certified EHR technology; and other program participation requirements.  Also, as required by ARRA, the Office of the National Coordinator for Health Information Technology (ONC) will be issuing a closely related interim final rule [75 FR 2013-2047] that specifies the Secretary’s adoption of an initial set of standards, implementation specifications, and certification criteria for electronic health records.  ONC will also be issuing a notice of proposed rulemaking on the process for organizations to conduct the certification of EHR technology.” [01/13/10]  This NPRM is available online here.

“The Department of Health and Human Services (HHS) is issuing this interim final rule with a request for comments to adopt an initial set of standards, implementation specifications, and certification criteria, as required by section 3004(b)(1) of the Public Health Service Act.  This interim final rule represents the first step in an incremental approach to adopting standards, implementation specifications, and certification criteria to enhance the interoperability, functionality, utility, and security of health information technology and to support its meaningful use.  The certification criteria adopted in this initial set establish the capabilities and related standards that certified electronic health record (EHR) technology will need to include in order to, at a minimum, support the achievement of the proposed meaningful use Stage 1 (beginning in 2011) by eligible professionals and eligible hospitals under the Medicare and Medicaid EHR Incentive Programs.”  This IFR is a consequence of HITECH Act provisions that were enacted on February 17, 2009, as part of the American Recovery and Reinvestment ACT.  [01/13/10]  The IFR is available online here.

Exploring HIPAA and HITECH Act Definitions:  Parts 11-15, include definitions from:

American Recovery and Reinvestment Act of 2009 (February 17, 2009, pp.258-259),

Health Information Technology for Economic and Clinical Health Act,

Title XIII—Health Information Technology,

Subtitle D—Privacy,

Section 13400—Definitions.

Treatment

Has the meaning given such term in section 164.501 of title 45, Code of Federal Regulations [CFR]:

“The provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.”

Use

Has the meaning given such term in section 160.103 of title 45, Code of Federal Regulations [CFR]:

“With respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information.”

Vendor of Personal Health Records

An entity, other than a covered entity (as defined), that offers or maintains a personal health record.

Exploring HIPAA and HITECH Act Definitions:  Parts 11-15, include definitions from:

American Recovery and Reinvestment Act of 2009 (February 17, 2009, pp.258-259),

Health Information Technology for Economic and Clinical Health Act,

Title XIII—Health Information Technology,

Subtitle D—Privacy,

Section 13400—Definitions.

Secretary

Secretary of [U.S. Department of] Health and Human Services.

Security

Has the meaning given such term in section 164.304 of title 45, Code of Federal Regulations [CFR].

“Security or Security measures encompass all of the administrative, physical, and technical safeguards in an information system.”

State

Each of the several States, the District of Columbia, Puerto Rico, the Virgin Islands, Guam, American Samoa, and the Northern Mariana Islands.

Exploring HIPAA and HITECH Act Definitions:  Parts 11-15, include definitions from:

American Recovery and Reinvestment Act of 2009 (February 17, 2009, pp.258-259),

Health Information Technology for Economic and Clinical Health Act,

Title XIII—Health Information Technology,

Subtitle D—Privacy,

Section 13400—Definitions.

Payment

Has the meaning given such term in section 164.501 of title 45, Code of Federal Regulations [CFR]:

“(1) The activities undertaken by:

(i)             A health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan;

or

(ii)            A health care provider or health plan to obtain or provide reimbursement for the provision of health care; and

(2) The activities in paragraph (1) of this definition relate to the individual to whom health care is provided and include, but are not limited to:

(i)             Determinations of eligibility or coverage (including coordination of benefits or the determination of cost sharing amounts), and adjudication or subrogation of health benefit claims;

(ii)            Risk adjusting amounts due based on enrollee health status and demographic characteristics;

(iii)           Billing, claims management, collection activities, obtaining payment under a contract for reinsurance (including stop-loss insurance and excess of loss insurance), and related health care data processing;

(iv)            Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges;

(v)             Utilization review activities, including precertification and preauthorization of services, concurrent and retrospective review of services; and

(vi)            Disclosure to consumer reporting agencies of any of the following protected health information relating to collection of premiums or reimbursement:

(A)             Name and Address;

(B)             Date of birth’

(C)             Social Security number;

(D)             Payment history;

(E)             Account number; and

(F)             Name and address of the health care provider and/or health plan.”

Personal Health Record

An electronic record of PHR identifiable health information (as defined in section 13407(f)(2)[1] on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.

Protected Health Information

Has the meaning given such term in section 160.103 of title 45, Code of Federal Regulations [CFR]:

“Individually identifiable health information:

(1) Except as provided in paragraph (2) of this definition, that is:

(i)             Transmitted by electronic media;

(ii)            Maintained in electronic media; or

(iii)           Transmitted or maintained in any other form or medium.

(2) Protected health information excludes individually identifiable health information in:

(i)             Education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g;

(ii)            Records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and

(iii)           Employment records held by a covered entity in its role as employer.”

[1] PHR Identifiable Health Information “means individually identifiable health information, as defined in section 1171(6) of the Social Security Act (42 U.S.C. 1320d(6)), and includes, with respect to an individual, information—(A) that is provided or on behalf of the individual; and (B) that identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.”  [HITECH Act, p.156]

A Message from Dr. David Blumenthal, National Coordinator for Health Information Technology

Today the Obama administration announced the availability of $60 million in Recovery Act funds to support the development of the Strategic Health IT Advanced Research Projects (SHARP) program. SHARP awards will fund research focused on identifying technology solutions to address well-documented problems impeding broad adoption of health information technology (health IT). By helping to overcome key challenges, the research will also accelerate progress towards achieving nationwide meaningful use of health IT. 

As we continue this unprecedented effort towards meaningful use and seamless, secure information exchange, we also must acknowledge that there remains a gap between the promise of health IT and the realization of its full benefits. To achieve the goal of a transformed health care delivery system, it’s critical that we close this gap by enabling a robust research infrastructure that can focus on areas where “breakthrough” advances are needed to help clear obstacles to adoption. Under the SHARP program, four awardees will receive funding to develop multidisciplinary research projects that will identify such breakthrough solutions. 

SHARP program awardees will create research programs that draw from many areas of expertise.  They will focus on issues of central interest to all health IT stakeholders, fostering considerable discussion and debate.  If for example, SHARP research helped identify new methods to create tools that will, through their incorporation into deployed technology, enhance data security, then public trust in the electronic maintenance and exchange of health information would be reinforced and strengthened – which would in turn help encourage broader adoption. 

Areas requiring this innovative research approach that will be tackled by the SHARP awardees include the security of health IT, patient-centered cognitive support, application and network platform architectures, and the secondary use of EHR data as a way of measuring and improving quality of care. 

Another important aspect of the SHARP program is that the research projects will bring together key stakeholders – researchers, patient groups, health care providers, and others – to work with one another to transform health IT research into applications. This collaborative approach allows us to consider the many voices of health IT stakeholders, and work together towards common goals. With our eyes on the vision of patient-centered, quality health care we can focus research on innovative, pragmatic, and realistic solutions, which can then be implemented across the nation. 

I truly look forward to seeing the innovative research that emerges from this program. I know that this research will provide critical insights that will bring us closer every day to a better, more efficient health care delivery system, enabled by health IT and empowered by the seamless and secure exchange of electronic health information.

Sincerely,

David Blumenthal, M.D., M.P.P. National Coordinator for Health Information Technology 
U.S. Department of Health & Human Services

Exploring HIPAA and HITECH Act Definitions:  Parts 11-15, include definitions from:

American Recovery and Reinvestment Act of 2009 (February 17, 2009, pp.258-259),

Health Information Technology for Economic and Clinical Health Act,

Title XIII—Health Information Technology,

Subtitle D—Privacy,

Section 13400—Definitions.

Health Care Provider

Has the meaning given such term in section 160.103 of title 45, Code of Federal Regulations [CFR]:

“A provider of services (as defined in section 1861(u) of the [Social Security] Act, 42 U.S.C. 1395x(u)), a provider of medial or health services (as defined in section 1861(s) of the [Social Security] Act, 42 U.S.C. 1395x(s), and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.”

Health Plan

Has the meaning given such term in section 160.103 of title 45, Code of Federal Regulations [CFR]:

“Health plan means an individual or group plan that provides, or pays the cost of, medical care (as defined in section 2791(a)(2) of the PHS [Public Health Service] Act, 42 U.S.C. 300gg-91(a)(2).

(1) Health plan includes the following, singly or in combination:

(i)            A group health plan, as defined in this section.

(ii)          A health insurance issuer, as defined in this section.

(iii)         An HMO, as defined in this section.

(iv)         Part A or Part B of the Medicare program under title XVIII of the Act.

(v)          The Medicaid program under title XIX of the Act, 42 U.S.C. 1396, et.seq.

(vi)         An issuer of a Medicare supplemental policy (as defined in section 1882(g)(1) of the Act, 42 U.S.C. 1395ss(g)(1)).

(vii)       An issuer of a long-term care policy, excluding a nursing home fixed-indemnity policy.

(viii)      An employee welfare benefit plan or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers.

(ix)         The health care program for active military personnel under title 10 of the United States Code.

(x)          The veterans health care program under 38 U.S.C. chapter 17.

(xi)         The Civilian Health and Medical Program of the Uniformed Services (CHAMPUS) (as defined in 10 U.S.C. 1072(4)).

(xii)       The Indian Health Service program under the Indian Health Care Improvement Act, 25 U.S.C. 1601, et.seq.

(xiii)      The Federal Employees Health Benefits Program under 5 U.S.C. 8902, et.seq.

(xiv)      An approved State child health plan under title XXI of the Act, providing benefits for child health assistance that meet the requirements of section 2103 of the Act, 42 U.S.C. 1397, et.seq.

(xv)       The Medicare+Choice program under Part C of title XVIII of the Act, 42 U.S.C. 1395w-21 through 1395w-28.

(xvi)      A high risk pool that is a mechanism established under State law to provide health insurance coverage or comparable coverage to eligible individuals.

(xvii)    Any other individual or group plan, or combination of individual or group plans, that provides or pays for the cost of medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)).

(2) Health Plan excludes:

(i)            Any policy, plan, or program to the extent that it provides, or pays for the cost of, excepted benefits that are listed in section 2791(c)(1) of the PHS Act, 42 U.S.C. 300gg-91(c)(1); and

(ii)          A government-funded program (other than one listed in paragraph (1)(i)-(xvi) of this definition):

A.  Whose principal purpose is other than providing, or paying the cost of, health care; or

B.  Whose principal activity is:

(1) The direct provision of health care to persons; or

(2) The making of grants to fund the direct provision of health care to persons.”

National Coordinator

The head of the Office of the national Coordinator for Health Information Technology established under section 3001(a) of the Public Health Service Act, as added by section 13101.

Exploring HIPAA and HITECH Act Definitions:  Parts 11-15, include definitions from:

American Recovery and Reinvestment Act of 2009 (February 17, 2009, pp.258-259),

Health Information Technology for Economic and Clinical Health Act,

Title XIII—Health Information Technology,

Subtitle D—Privacy,

Section 13400—Definitions.

Disclose

The terms ‘disclose’ and ‘disclosure’ have the meaning given the term ‘disclosure’ in section 160.103 of title 45, Code of Federal Regulations [CFR]:

“The release, transfer, provision of, access to, or divulging in any other manner of information outside the entity holding the information.”

Electronic Health Record

An electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.

Health Care Operations

Has the meaning given such term in section 164.501 of title 45, Code of Federal Regulations [CFR]:

“Health care operations means any of the following activities of the covered entity to the extent that the activities are related to covered functions:

(1) Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment;

(2) Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities.

(3) Underwriting, premium rating, and other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care (including stop-loss insurance and excess of loss insurance), provided that the requirements of § 164.514(g)[1] are met, if applicable;

(4) Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs;

(5) Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies; and

(6) Business management and general administrative activities of the entity, including, but not limited to:

(i) Management activities relating to implementation of and compliance with requirements of this subchapter;

(ii) Customer service, including the provision of data analyses for policy holders, plan sponsors, or other customers, provided that protected health information is not disclosed to such policy holder, plan sponsor, or customer;

(iii) Resolution of internal grievances;

(iv) The sale, transfer, merger, or consolidation of all or part of the covered entity with another covered entity, or an entity that following such activity will become a covered entity and due diligence related to such activity; and

(v) Consistent with the applicable requirements of § 164.514,[2] creating de-identified health information or a limited data set, and fundraising for the benefit of the covered entity.”

[1] “(g) Standard:  Uses and disclosures for underwriting and related purposes.  If a health plan receives protected health information for the purpose of underwriting, premium rating, or other activities relating to the creation, renewal, or replacement of a contract of health insurance or health benefits, and if such health insurance or health benefits are not placed with the health plan, such health plan may not use of disclose such protected health information for any other purpose, except, as may be required by law.”

[2] “Other requirements relating to uses and disclosures of protected health information.”

]]> http://www.hipaa.com/2009/12/exploring-hipaa-and-hitech-act-definitions-part-12/feed/ 0 http://www.hipaa.com/2009/12/exploring-hipaa-and-hitech-act-definitions-part-11/ http://www.hipaa.com/2009/12/exploring-hipaa-and-hitech-act-definitions-part-11/#comments Tue, 08 Dec 2009 15:10:56 +0000 Ed Jones http://www.hipaa.com/?p=2017 From now through November, HIPAA.com is providing a run through of HIPAA transaction & code set, privacy, and security definitions, along with relevant HITECH Act definitions pertaining to breach notification, securing of protected health information, and electronic health record (EHR) standards development and adoption. These definitions are key to understanding the referenced HIPAA and HITECH Act enabling regulations that are effective now and that will require compliance by covered entities and business associates now or in the months ahead, as indicated in HIPAA.com’s timeline. Each posting will contain three definitions, with a date reference to the Federal Register, Code of Federal Regulations (CFR), or statute, as appropriate.

Exploring HIPAA and HITECH Act Definitions:  Parts 11-15, include definitions from:

American Recovery and Reinvestment Act of 2009 (February 17, 2009, pp.258-259),

Health Information Technology for Economic and Clinical Health Act,

Title XIII—Health Information Technology,

Subtitle D—Privacy,

Section 13400—Definitions.

Breach

(A) In General—The term ‘breach’ means the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.

(B) Exceptions—The term ‘breach’ does not include—

1. Any unintentional acquisition, access, or use of protected health information by an employee or individual acting under the authority of a covered entity or business associate if—
   1. Such acquisition, access, or use was made in good faith and within the course and scope of the employment or other professional relationship of such employee or individual, respectively, with the covered entity or business associate; and
   2. Such information is not further acquired, accessed, used, or disclosed by an person; or
2. Any inadvertent disclosure from an individual who is otherwise authorized to access protected health information at a facility operated by a covered entity or business associate to another similarly situated individual at same facility; and
3. Any such information received as a result of such disclosure is not further acquired, accessed, used, or disclosed without authorization by any person.

[Note:  The definition of 'breach' in the enabling regulation is different in several respects from the statutory definition above, including introduction of consideration of risk of harm to the individual:

Breach means the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E [Privacy of Individually Identifiable Health Information] of this part [45 CFR 164:  Security and Privacy] which compromises the security or privacy of the protected health information.

(1)(i) For purposes of this definition, compromises the security or privacy of the protected health information means poses a significant risk of financial, reputational, or other harm to the individual.

(ii) A use or disclosure of protected health information that does not include the identifiers listed at § 164.514(e)(2) [Implementation Specification for the Limited Data Set standard], date of birth, and zip code does not compromise the security or privacy of the protected health information.

(2) Breach excludes:

(i) Any unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under subpart E of this part.

(ii) Any inadvertent disclosure by a person who is authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the same covered entity or business associate, or organized health care arrangement in which the covered entity participates, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under subpart E of this part.

(iii) A disclosure of protected health information where a covered entity or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

See Department of Health and Human Services, Office of the Secretary, “45 CFR Parts 160 and 164–Breach Notification for Unsecured Protected Health Information; Interim Final Rule,” Federal Register, v. 74, n. 162, August 24, 2009, pp.42767-42768.]

Business Associate

Has the meaning given such term in section 160.103 of title 45, Code of Federal Regulations [CFR]:

“(1) Except as provided in paragraph (2) of this definition, business associate means, with respect to a covered entity, a person who:

1. On behalf of such covered entity or of an organized health care arrangement (as defined in § 164.501 of this subchapter) in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, performs, or assists in the performance of:
   1. A function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing; or
   2. Any other function or activity regulated by this subchapter; or
   3. Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation (as defined in § 164.501 of this subchapter), management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of individually identifiable health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.

(2) A covered entity participating in an organized health care arrangement that performs a function or activity as described by paragraph (1)(i) of this definition for or on behalf of such organized health care arrangement, or that provides a service as described in paragraph (1)(ii) of this definition to or for such organized health care arrangement, does not, simply through the performance of such function or activity or the provision of such service, become a business associate of other covered entities participating in such organized health care arrangement.

(3) A covered entity may be a business associate of another covered entity.”

Covered Entity

Has the meaning given such term in section 160.103 of title 45, Code of Federal Regulations [CFR]:

“(1) A health plan.

(2) A health care clearinghouse.

(3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.”

]]> http://www.hipaa.com/2009/12/exploring-hipaa-and-hitech-act-definitions-part-11/feed/ 0 http://www.hipaa.com/2009/11/exploring-hipaa-and-hitech-act-definitions-part-10/ http://www.hipaa.com/2009/11/exploring-hipaa-and-hitech-act-definitions-part-10/#comments Wed, 25 Nov 2009 16:30:34 +0000 Ed Jones http://www.hipaa.com/?p=1986 From now through November, HIPAA.com is providing a run through of HIPAA transaction & code set, privacy, and security definitions, along with relevant HITECH Act definitions pertaining to breach notification, securing of protected health information, and electronic health record (EHR) standards development and adoption. These definitions are key to understanding the referenced HIPAA and HITECH Act enabling regulations that are effective now and that will require compliance by covered entities and business associates now or in the months ahead, as indicated in HIPAA.com’s timeline. In this posting we highlight the last two definitions from the following HITECH Act section:

Exploring HIPAA and HITECH Act Definitions:  Parts 6-10, include definitions from:

American Recovery and Reinvestment Act of 2009 (February 17, 2009, pp.228-229),

Health Information Technology for Economic and Clinical Health Act,

Title XIII—Health Information Technology,

Subtitle A—Promotion of Health Information Technology,

Section 13101—ONCHIT [Office of the National Coordinator for Health Information Technology]; Standards Development and Adoption,

Title XXX—Health Information Technology and Quality,

Section 3000—Definitions (also designated as 42 USC 300jj).

Qualified Electronic Health Record

An electronic record of health-related information on an individual that—

(A) Includes patient demographic and clinical health information, such as medical history and problem lists; and

(B) Has the capacity—

1. To provide clinical decision support;
2. To support physician order entry;
3. To capture and query information relevant to health care quality; and
4. To exchange electronic health information with, and integrate such information from other sources.

State

Each of the several states, the District of Columbia, Puerto Rico, the Virgin Islands, Guam, American Samoa, and the Northern Mariana Islands.

Exploring HIPAA and HITECH Act Definitions:  Parts 6-10, include definitions from:

American Recovery and Reinvestment Act of 2009 (February 17, 2009, pp.228-229),

Health Information Technology for Economic and Clinical Health Act,

Title XIII—Health Information Technology,

Subtitle A—Promotion of Health Information Technology,

Section 13101—ONCHIT [Office of the National Coordinator for Health Information Technology]; Standards Development and Adoption,

Title XXX—Health Information Technology and Quality,

Section 3000—Definitions (also designated as 42 USC 300jj).

Laboratory

Has the meaning given such term in section 353(a).

National Coordinator

The head of the Office of the National Coordinator for Health Information Technology established under section 3001(a).

Pharmacist

Has the meaning given such term in section 804(2) of the Federal Food, Drug, and Cosmetic Act.

Exploring HIPAA and HITECH Act Definitions:  Parts 6-10, include definitions from:

American Recovery and Reinvestment Act of 2009 (February 17, 2009, pp.228-229),

Health Information Technology for Economic and Clinical Health Act,

Title XIII—Health Information Technology,

Subtitle A—Promotion of Health Information Technology,

Section 13101—ONCHIT [Office of the National Coordinator for Health Information Technology]; Standards Development and Adoption,

Title XXX—Health Information Technology and Quality,

Section 3000—Definitions (also designated as 42 USC 300jj).

HIT Policy Committee

Such Committee established under section 3002(a).[1]

HIT Standards Committee

Such Committee established under section 3003(a).[2]

Individually Identifiable Health Information

Has the meaning given such term in section 1171(6) of the Social Security Act:

“Any information, including demographic information collected from an individual, that—

(A) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and

(B) Relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and—

1. Identifies the individual; or
2. With respect to which there is a reasonable basis to believe that the information can be used to identify the individual.”

[1] HIT Policy Committee (Establishment).
[2] HIT Standards Committee (Establishment).

Exploring HIPAA and HITECH Act Definitions:  Parts 6-10, include definitions from:

American Recovery and Reinvestment Act of 2009 (February 17, 2009, pp.228-229),

Health Information Technology for Economic and Clinical Health Act,

Title XIII—Health Information Technology,

Subtitle A—Promotion of Health Information Technology,

Section 13101—ONCHIT [Office of the National Coordinator for Health Information Technology]; Standards Development and Adoption,

Title XXX—Health Information Technology and Quality,

Section 3000—Definitions (also designated as 42 USC 300jj).

Health Information

Has the meaning given such term in section 1171(4) of the Social Security Act:

“Any information, whether oral or recorded in any form or medium, that—

(A) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and

(B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.”

Health Information Technology

Hardware, software, integrated technologies or related licenses, intellectual property, upgrades, or packaged solutions sold as services that are designed for or support the use by health care entities or patients for the electronic creation, maintenance, access, or exchange of health information.

Health Plan

Has the meaning given such term in section 1171(5) of the Social Security Act:

“An individual or group plan that provides, or pays the cost of, medical care (as such term is defined in section 2791 of the Public Health Service Act.)  Such term includes the following, and any combination thereof:

(A) A group health plan (as defined in section 2791(a) of the Public Health Service Act), but only if the plan—

1. Has 50 or more participants (as defined in section 3(7) of the Employee Retirement Income Security Act of 1974); or
2. Is administered by an entity other than the employer who established and maintains the plan.

(B) A health insurance issuer (as defined in section 2791(b) of the Public Health Service Act).

(C) A health maintenance organization (as defined in section 2791(b) of the Public Health Service Act).

(D) Part A, B, or C of the Medicare program under title XVIII.

(E) The Medicaid program under title XIX.

(F) A Medicare supplemental policy (as defined in section 1882(g)(1)).

(G) A long-term care policy, including a nursing home fixed indemnity policy (unless the Secretary [of HHS] determines that such a policy does not provide sufficiently comprehensive coverage of a benefit so that the policy should be treated as a health plan).

(H) An employee welfare benefit plan or any other arrangement which is established or maintained for the purpose of offering or providing health benefits to the employees of 2 or more employers.

(I)  The health care program for active military personnel under title 10, United States Code.

(J)  The veterans health care program under chapter 17 of title 38, United States Code.

(K) The Civilian Health and Medical Program of the Uniformed Services (CHAMPUS), as defined in section 1072(4) of title 10, United States Code.

(L)  The Indian health service program under the Indian Health Care Improvement Act (25 U.S.C. 1601 et seq.).

(M) The Federal Employees Health Benefit Plan under chapter 89 of title 5, United State Code.”

Exploring HIPAA and HITECH Act Definitions:  Parts 6-10, include definitions from:

American Recovery and Reinvestment Act of 2009 (February 17, 2009, pp.228-229),

Health Information Technology for Economic and Clinical Health Act,

Title XIII—Health Information Technology,

Subtitle A—Promotion of Health Information Technology,

Section 13101—ONCHIT [Office of the National Coordinator for Health Information Technology]; Standards Development and Adoption,

Title XXX—Health Information Technology and Quality,

Section 3000—Definitions (also designated as 42 USC 300jj).

Certified EHR Technology

A qualified electronic health record [EHR] that is certified pursuant to section 3001(c)(5)[1] as meeting standards adopted under section 3004[2] that are applicable to the type of record involved (as determined by the Secretary [of HHS], such as an ambulatory electronic health record for office-based physicians or an inpatient hospital electronic health record for hospitals).

Enterprise Integration

The electronic linkage of health care providers, health plans, the government, and other interested parties, to enable the electronic exchange and use of health information among all the components in the health care infrastructure in accordance with applicable law, and such term includes related application protocols and other related standards.

Health Care Provider

Includes a hospital, skilled nursing facility, nursing facility, home health entity or other long term care facility, health care clinic, community mental health center (as defined in section 1913(b)(1), renal dialysis facility, blood center, ambulatory surgical center described in section 1833(i) of the Social Security Act, emergency medical services provider, Federally qualified health center, group practice, a pharmacist, a pharmacy, a laboratory, a physician (as defined in section 1861(r) of the Social Security Act), a practitioner (as described in section 1842(b)(18)(C) of the Social Security Act), a provider operated by, or under contract with, the Indian Health Service or by an Indian tribe (as defined in the Indian Self-Determination and Education Assistance Act), tribal organization, or urban Indian organization (as defined in section 4 of the Indian Health Care Improvement Act), a rural health clinic, a covered entity under section 340B, and ambulatory surgical center described in section 1833(i) of the Social Security Act, a therapist (as defined in section 1848(k)(3)(B)(iii) of the Social Security Act, and any other category of health care facility, entity, practitioner, or clinician determined appropriate by the Secretary [of HHS].

[1] ONCHIT (Duties of the National Coordinator (Certification)).
[2] Process for Adoption of Endorsed Recommendations; Adoption of Initial Set of Standards, Implementation Specifications, and Certification Criteria.

H.R. 3962 as introduced in the House on October 29, 2009, following Committee action, available here.  A chronology of all Congressional actions on this bill is available here.  Finally, various sources of information pertaining to HR 3962, including Committee reports, are available here.

Action now moves to the Senate on Health Care Reform, which may be later this year or early in 2010.  H.R. 3962, as amended, passed in the House, and referred to the Senate, will be available on the last listed site above, and will be posted on HIPAA.com for download, when it is available.

Maximum Defined Data Set

All of the required data elements for a particular standard based on a specific implementation specification.

Segment

A group of related data elements in a transaction.

Standard Transaction

A transaction that complies with an applicable standard adopted under this part [162].

With the definition of ‘breach’ in the HITECH Act moving privacy and security violations under one requirement requiring remediation, and notification if protected health information is ‘unsecured’, HHS, on July 27, 2009, moved HIPAA Security Rule enforcement from the Centers for Medicare & Medicaid Services (CMS) to HHS’ Office of Civil Rights (OCR), which has been responsible for enforcement of the HIPAA Privacy Rule since compliance was required in April 2003, and now also enforces HITECH Act ‘breach notification’ requirements.  Unified enforcement and higher penalties put a higher price on covered entities–and business associates after February 17, 2010–not being compliant with privacy and security rules pertaining to safeguarding of protected health information.

Prior to the HITECH Act revisions, civil penalties for HIPAA violations were “$100 for each violation or $25,000 for all identical violations of the same provision” in a year’s period.  Now, penalties are tiered in four levels, with a maximum penalty of $1.5 million for all violations of an identical provision in each tier.  By tier, the penalties range for each violation from $100-$50,000 for “Did Not Know”; $1,000-$50,000 for “Reasonable Cause”; $10,000-$50,000 for “Willful Neglect–Corrected”; and $50,000 for “Willful Neglect–Not Corrected”.

According to the OCR Director, Georgina Verdugo, “‘The Department’s implementation of these HITECH Act enforcement provisions will strengthen the HIPAA protections and rights related to an individual’s health information….  This strengthened penalty scheme will encourage health care providers, health plans and other health care entities required to comply with HIPAA to ensure that their compliance programs are effectively designed to prevent, detect and quickly correct violations of the HIPAA rules.’”

More information is available in the HHS October 30, 2009 press release, available at http://www.hhs.gov/news/press/2009pres/10/20091030a.html, and in the October 30, 2009, Interim Final Rule, available here.

Format

Those data elements that provide or control the enveloping or hierarchical structure, or assist in identifying data content of, a transaction.

HCPSS

Health [Care Financing Administration] Common Procedure Coding System.[1]

Maintain or Maintenance

Activities necessary to support the use of a standard adopted by the Secretary [of HHS], including technical corrections to an implementation specification, and enhancements or expansion of a code set. This term excludes the activities related to the adoption of a new standard or implementation specification, or modification to an adopted standard or implementation specification.

[1] Health Care Financing Administration, or HCFA, was the predecessor name for Centers for Medicare & Medicaid Services, or CMS.

Descriptor

The text defining a code.

Designated Standard Maintenance Organization (DSMO)

An organization designated by the Secretary [of HHS] under 45 CFR 162.910(a).

Direct Data Entry

The direct entry of data (for example, using dumb terminals or web browsers) that is immediately transmitted into a health plan’s computer.

Data Content

All the data elements and code sets inherent to a transaction, and not related to the format of the transaction. Data elements that are related to the format are not data content.

Data Element

The smallest named unit of information in a transaction.

Data Set

A semantically meaningful unit of information exchanged between two parties to a transaction.

We begin the first series of postings with definitions from “Health Insurance Reform; Modifications to the Health Insurance Portability and Accountability Act (HIPAA); Final Rules,” Federal Register,  January 16, 2009.  45 CFR 162, Administrative Requirements:  162.103, Definitions.

Code Set

Any set of codes used to encode data elements, such as tables of terms, medical concepts, medical diagnostic codes, or medical procedure codes.  A code set includes the codes and the descriptors of the codes.

Code Set Maintaining Organization

An organization that creates and maintains the code sets adopted by the Secretary [of HHS] for use in the transactions for which standards are adopted in this part [162].

Data Condition

The rule that describes the circumstances under which a covered entity must use a particular data element or segment.

Further, training requires that workforce members, including management, demonstrate awareness and understanding on an ongoing basis, and that covered entities and business associates document that their workforce members have been trained.  As examples, the first implementation specifications of the Security Rule ‘Security Awareness and Training’ standard is “Security reminders (addressable). Periodic security updates.”  [45 CFR (a)(5)(ii)(A)]  [emphasis added]  One part of the  implementation specification for the Privacy Rule ‘Training’ standard states that a “covered entity must provide training … [t]o each member of covered entity’s workforce whose functions are affected by a material change in the policies or procedures required by this subpart, within a reasonable period of time after the material change becomes effective…” [45 CFR 164.530(b)(2)(c)] [emphasis added].

Another requires that a new workforce member receive training “within a reasonable period of time after the person joins the covered entity’s workforce.” These examples regarding training are dynamic, as indicated in the italicized words and phrases, and the need to conduct training of new workforce members. Although the comment in the preamble of the January 16, 2009, Final Rule pertaining to HIPAA Electronic Transaction Standards refers to ‘administrative transactions’, it may be instructive in the context of training as well:  ”HHS does not recognize certification of any systems or software for purposes of HIPAA compliance.” [74 Federal Register 3310] The burden on a covered entity or business associate is to conduct and periodically review its risk assessment, implement policies and procedures to safeguard protected health information, conduct ‘awareness’ training for all workforce members based on those policies and procedures, update that training if policies and procedures change or HIPAA privacy and security regulations are initiated or modified, and document in writing those activities. Certification is not a requirement in that process.

Three Key Properties

The three key properties that underpin privacy and security under the Health Insurance Portability and Accountability Act (HIPAA) are availability, confidentiality, and integrity.

Availability is the property that data or information is accessible and useable upon demand by an authorized person.

Confidentiality is the property that data or information is not made available or disclosed to unauthorized persons or processes.

Integrity is the property that data or information have not been altered or destroyed in an unauthorized manner.

These definitions appear in 45 CFR § 164.304, where CFR is Code of Federal Regulations.  Part 164 covers Security and Privacy.  These definitions fall into Subpart C, which covers Security Standards for the Protection of Electronic Protected Health Information.  These properties also underpin the “Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals’ that appears in the Interim Final Rule:  Breach Notification for Unsecured Protected Health Information, issued by the Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) and published in the Federal Register on August 24, 2009.

Protected Health Information

To get to protected health information, you have to examine two definitions that were in Section 1171 of Part C of Subtitle F of Public Law 104-191 (August 21, 1996): Health Insurance Portability and Accountability Act of 1996:  Administrative Simplification.  These statutory definitions are of health information and individually identifiable health information.

“Health information means any information, whether oral or recorded in any form or medium, that–

(A) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and

(B) relates to the past, present, or future physical or mental health or condition of any individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.”

“Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and:

(1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and

(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and

(i)   That identifies the individual; or

(ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.”

Protected health information is defined in 45 CFR 160.103, where ‘CFR’ means ‘Code of Federal Regulations’, and, as defined, is referenced in Section 13400 of Subtitle D (’Privacy’) of the HITECH Act.

“Protected health information means individually identifiable health information [defined above]:

(1) Except as provided in paragraph (2) of this definition, that is:

(i)    Transmitted by electronic media;

(ii)   Maintained in electronic media; or

(iii)  Transmitted or maintained in any other form or medium.

(2) Protected health information excludes individually identifiable health information in:

(i)    Education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g;

(ii)   Records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and

(iii)  Employment records held by a covered entity in its role as employer.”

The HIPAA Privacy Rule covers protected health information in any medium while the HIPAA Security Rule covers electronic protected health information.

With those definitions in place, the question becomes:  what elements comprise protected health information such that if they were removed, items (i) and (ii) of (2) in the definition of individually identifiable health information would not obtain.  The answer is in the de-identification standard and its two implementation specifications of the HIPAA Privacy Rule [45 CFR 164.514]:

“(a) Standard:  de-identification of protected health information.  Health information [defined above] that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual is not individually identifiable health information.

(b) Implementation specifications:  requirements for de-identification of protected health information.  A covered entity may determine that health information is not individually identifiable health information only if:

(1) A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable:

(i)   Applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is subject of the information; and

(ii) Documents the methods and results of the analysis that justify such determination; or

(2)

(i) The following identifiers of the individual or of relatives, employers, or household members of the individual, are removed:

(A) Names;

(B) All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Censue:

(1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and

(2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.

(C) All elements of dates (except year) for dates directly related to an individual, including birth date, admission date,, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;

(D) Telephone numbers;

(E) Fax numbers;

(F) Electronic mail addresses;

(G) Social security numbers;

(H) Medical record numbers;

(I) Health plan beneficiary numbers;

(J) Account numbers;

(K) Certificate/license numbers;

(L) Vehicle identifiers and serial numbers, including license plate numbers;

(M) Device identifiers and serial numbers;

(N) Web Universal Resource Locators (URLs);

(O) Internet Protocol (IP) address numbers;

(P) Biometric identifiers, including finger and voice prints;

(Q) Full face photographic images and any comparable images; and

(R) Any other unique identifying number, characteristic, or code, except as permitted by paragraph (c) of this section; and

(ii) The covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.

(c) Implementation specifications:  re-identification.  A covered entity may assign a code or other means of record identification to allow information de-identified under this section to be re-identified by the covered entity, provided that:

(1) Derivation.  The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; and

(2) Security.  The covered entity does not use or disclose the code or other means of record identification for any other purpose, and does not disclose the mechanism for re-identification.”

With HHS’s release of the Interim Final Rule, ‘Breach Notification for Unsecured Protected Health Information,’ published in the Federal Register on Monday, August 24, 2009, note the following:  ”If information is de-identified in accordance with 45 CFR 164.514(b) [the first implementation specification, defined above], it is not protected health information, and thus, any inadvertent or unauthorized use or disclosure of such information will not be considered a breach for purposes of this subpart.” [74 Federal Register 42743]

Question:  When will CMS begin to pay incentives to eligible professionals and hospitals for using certified Electronic Health Records (EHRs)?

Answer:  By statute [American Recovery and Reinvestment Act of 2009], the earliest dates that CMS will be able to pay an incentive under Medicare is October 1, 2010, for hospitals, and January 1, 2011, for eligible professionals.

The statute does not define a date for the Medicaid incentives program.  Given the range of regulatory and planning activities that must precede States being able to make provider incentive payments, as well as the importance of coordinating Medicaid and Medicare payments to prevent duplication, CMS does not expect that States will be able to make such payments until 2011.

Work is underway to define the meaningful EHR user criteria, as well as the requirements for applying for and receiving the EHR payment incentives.  CMS expects to issue a proposed rule in late 2009 [relating to these matters].

For information on the Medicare and Medicaid incentive programs, see Title IV, pp. 353-382 of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009, which is available for download on HIPAA.com.

Question:  Are physicians who practice in hospital-based ambulatory clinics eligible to receive the Recovery Act’s Medicare or Medicaid electronic health record (EHR) incentive payments.

Answer:  Hospital-based eligible professionals are ineligible for the EHR incentive payments under both Medicare and Medicaid.  Our [Department of Health and Human Services] forthcoming NPRM [Notice of Proposed Rule Making] will propose a definition for determining whether a physician or other eligible professional is hospital based.

For information on the Medicare and Medicaid incentive programs, see Title IV, pp. 353-382 of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009, which is available for download on HIPAA.com.

“The Department of Health and Human Services (HHS) is issuing this interim final rule with a request for comments to require notification of breaches of unsecured protected health information.  Section 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009 (ARRA) that was enacted on February 17, 2009, requires HHS to issue interim final regulations with 180 days to require covered entities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and their business associates to provide notification in the case of breaches of unsecured protected health information.  For purposes of determining what information is ‘unsecured protected health information,’ in this document HHS is also issuing an update to its guidance specifying the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals.”

Here is the updated guidance that appears in the Interim Final Rule:

“B.  Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals

Protected health information (PHI) is rendered unusable, unreadable, or indecipherable to unauthorized individuals if one or more of the following applies:

(a) Electronic PHI has been encrypted as specified in the HIPAA Security Rule by ‘the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key’ [45 CFR 164.304, definition of 'encryption'] and such confidential process or key that might enable decryption has not been breached.  To avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt.  The encryption processes identified below have been tested by the National Institute of Standards and Technology (NIST) and judged to meet this standard.

(i) Valid encryption processes for data at rest are consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices [Available at http://www.csrc.nist.gov; NIST Roadmap plans include the development of security guidelines for enterprise-level storage devices, and such guidelines will be considered in updates to this guidance, when available.]

(ii) Valid encryption processes for data in motion are those which comply, as appropriate, with NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, or others which are Federal Information Processing Standards (FIPS) 140-2 validated [available at http://www.csrc.nist.gov.]

(b) The media on which the PHI is stored or recorded has been destroyed in one of the following ways:

(i) Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed.  Redaction is specifically excluded as a means of data destruction.

(ii) Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization [available at http://www.csrc.nist.gov], such that the PHI cannot be retrieved.”

Comments on the provisions of the Interim Final Rule are due on or before 60 days after the publication date [of August 24, 2009], and instructions for filing comments are included in the Interim Final Rule.  Comments regarding guidance “received in response to the interim final rule will be addressed in the first annual update to the guidance, to be issued in April 2010.”

HIPAA.com will have available on its site the official published version of the Guidance on August 24, 2009, and recommends that you consult the online version cited above for an early look, but rely on the published Federal Register version, when published.

]]> http://www.hipaa.com/2009/08/hhs-issues-interim-final-rule-for-hitech-breach-notification/feed/ 0 http://www.hipaa.com/2009/08/hhs-secretary-delegates-to-onc-head-new-hitech-act-authority/ http://www.hipaa.com/2009/08/hhs-secretary-delegates-to-onc-head-new-hitech-act-authority/#comments Thu, 20 Aug 2009 13:30:37 +0000 Ed Jones http://www.hipaa.com/?p=1678 Effective August 7, 2009, and published in the Federal Register on Tuesday, August 18, 2009, Secretary Kathleen Sebelius of the U.S. Department of Health and Human Services (HHS) has delegated authority to the National Coordinator for Health Information Technology, David Blumenthal, M.D., to administer “Subtitle B, ‘Incentives for the Use of health Information Technology,’ sections 3011 through 3017, with the exception of 3012(c)(5), the Financial Support subsection.”  These sections and titles, which appear on pages 132-144 of the American Recovery and Reinvestment Act of 2009 (ARRA), signed by President Obama on February 17, 2009, available on the hipaa.com site, include:

• 3011 Immediate Funding to Strengthen the Health Information Technology Infrastructure, including “invest[ment] in the infrastructure necessary to allow for and promote the electronic exchange and use of health information for each individual in the United States consistent with the goals outlined in the strategic plan developed by the National Coordinator…”.
• 3012 Health Information Technology Implementation Assistance, with the exclusion of assistance to any health information technology regional extension center as noted in the quote above.
• 3013    State Grants to Promote Health Information Technology.
• 3014    Competitive Grants to States and Indian Tribes for the Development of Loan Programs to Facilitate the Widespread Adoption of Certified EHR Technology.
• 3015    Demonstration Program to Integrate Information Technology into Clinical Education.
• 3016    Information Technology Professionals in Health Care.
• 3017    General Grant and Loan Provisions.

The delegation notice in the Federal Register is available here. For additional information pertaining to this delegation and to its substance, please read the referenced ARRA pages and visit the Office of the National Coordinator for Health Information Technology (ONC) website.

The Delegation of Authority was published in the August 4, 2009, Federal Register.