“The Interim Final Rule for Breach Notification for Unsecured Protected Health Information, issued pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act, was published in the Federal Register on August 24, 2009, and became effective on September 23, 2009. During the 60-day public comment period on the Interim Final Rule, HHS received approximately 120 comments.

HHS reviewed the public comment on the interim rule and developed a final rule, which was submitted to the Office of Management and Budget (OMB) for Executive Order 12866 regulatory review on May 14, 2010.  At this time, however, HHS is withdrawing the breach notification final rule from OMB review to allow for further consideration, given the Department’s experience to date in administering the regulations.  This is a complex issue and the Administration is committed to ensuring that individuals’ health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur.  We intend to publish a final rule in the Federal Register in the coming months.”

You may follow developments with this Final Rule at the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) Web site, and HIPAA.com will bring you updates as well.

Stay tuned!

[20100730]

]]> http://www.hipaa.com/2010/07/hhs-pulls-breach-notification-file-rule/feed/ 0 http://www.hipaa.com/2010/07/ehr-incentive-and-certification-criteria-final-rules-published-in-federal-register/ http://www.hipaa.com/2010/07/ehr-incentive-and-certification-criteria-final-rules-published-in-federal-register/#comments Wed, 28 Jul 2010 16:41:10 +0000 Ed Jones http://www.hipaa.com/?p=2293 The EHR Incentive and Certification final rules were published in the Federal Register this morning, July 28, 2010.  HIPAA.com provides the title, summary, effective date, and URL for each below.

Department of Health and Human Services, Centers for Medicare & Medicaid Services, “42 CFR Parts 412, 413, 422, and 495;  Medicare and Medicaid Programs; Electronic Health Record Incentive Program; Final Rule, Federal Register, 75(144), Wednesday, July 28, 2010, pp. 44313-44588.

Summary:  This final rule implements the provisions of the American Recovery and Reinvestment Act of 2009 (ARRA)(Public Law 111-5) that provide incentive payments to eligible professionals (EPs), eligible hospitals and critical access hospitals (CAHs) participating in Medicare and Medicaid programs that adopt and successfully demonstrate meaningful use of certified electronic health record (EHR) technology. This final rule specifies–the initial criteria EPs, eligible hospitals, and CAHs must meet in order to qualify for an incentive payment; calculation of the incentive payment amounts; payment adjustments under Medicare for covered professional services and inpatient hospital services provided by EPs, eligible hospitals and CAHs failing to demonstrate meaningful use of certified EHR technology; and other program participation requirements.  Also, the Office of the National Coordinator for Health Information Technology (ONC) will be issuing a closely related final rule that specifies the Secretary’s adoption of an initial set of standards, implementation specifications, and certification criteria for electronic health records.  ONC has also issued a separate final rule on the establishment of certification programs for health information technology. [p.44314]

Effective Date:  September 27, 2010

URL:  http://edocket.access.gpo.gov/2010/pdf/2010-17207.pdf.

Department of Health and Human Services, Office of the Secretary, “45 CFR Part 170; Health Information Technology:  Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology; Final Rule,”  Federal Register, 75(144), Wednesday, July 28, 2010, pp. 44589-44654.

Summary:  The Department of Health and Human Services (HHS) is issuing this final rule to complete the adoption of an initial set of standards, implementation specifications, and certification criteria, and to more closely align such standards, implementation specifications, and certification criteria with final meaningful use Stage 1 objectives and measures.  Adopted certification criteria establish the required capabilities and specify the related standards and implementation specifications that certified electronic health record (EHR) technology will need to include to, at a minimum, support the achievement of meaningful use Stage 1 eligible professionals, eligible hospitals, and/or critical access hospitals (hereafter, references to ‘eligible hospitals’ in this final rule shall mean ‘eligible hospitals and/or critical access hospitals’) under the Medicare and Medicaid EHR Incentive Programs. Complete EHRs and EHR Modules will be tested and certified according to adopted certification criteria to ensure that they have properly implemented adopted standards and implementations specifications and otherwise comply with the adopted certification criteria. [p. 44590]

Effective Date:  August 27, 2010

URL:  http://edocket.access.gpo.gov/2010/pdf/2010-17210.pdf.

These final rules follow on the June 24, 2010, publication in the Federal Register of ONC’s final rule:  Establishment of the Temporary Certification Program for Health Information Technology, with an effective date the same as the publication date.  HIPAA.com did a post on the Federal Register’s prepublication release of this rule on June 18, 2010.  [20100728]

Public listing of such breaches is required by the Health Information Technology for Economic and Clinical Health Act (HITECH Act) that was enacted as part of the American Recovery and Reinvestment Act of 2009. The breach list has been on the OCR Web site since February 23, 2010, the day after OCR began enforcement of breach notification for breaches that occurred on or after February 22. Excluding seven breaches that were not identified as to location, 25% involved breaches of protected health information (PHI) in hard copy (paper)form and 75% in various electronic forms.

Of the 25 identified hard copy (paper) breaches, the largest category was “other,” which means that OCR either needs to require more detailed information on “what happened” of covered entities reporting breaches or to provide greater specificity regarding the category: Type of Breach, if covered entities provide such information.

Of the hard copy (paper) breaches providing information in that category, six involved theft, five unauthorized access, four improper disposal, four loss, and one incorrect mailing. Included in those totals are three compound types reported by covered entities: one theft/loss, one theft/unauthorized access, and one improper disposal/loss.

The OCR Web site that lists breaches is at: hhs.gov.

On Friday, July 2, 2010, OMB received from the Office of the Secretary at the Department of Health and Human Services (HHS) for review Health Information Technology:  Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology; Final Rule.  The Interim Final Rule was issued on January 13, 2010, was effective February 12, 2010, and the public comment period ended on March 15, 2010.  From the Abstract:  ”The certification criteria adopted in this initial set establish the technical capabilities  and related standards that certified electronic health record (EHR) technology will need to include in support of the Medicare and Medicaid EHR Incentive Programs.”

On Monday, July 5, 2010, OMB received from HHS’ Center for Medicare & Medicaid Services (CMS) for review Electronic Health Record (EHR) Incentive Program; Final Rule. The Notice of Proposed Rulemaking (NPRM) was issued on January 13, 2010 (75 Federal Register 1843), and the public comment period ended on March 15, 2010.  From the Abstract:  ”The Medicare and Medicaid Health IT provisions in the American Recovery and Reinvestment Act of 2009 promote the adoption and meaningful use of certified electronic health records (EHRs).  The Recovery Act authorized incentive payments for eligible professionals (EPs) and hospitals participating in Medicare and Medicaid for becoming meaningful users of certified EHRs.  The law established maximum annual incentive amounts and includes Medicare penalties for failing to meaningfully use EHRs beginning in 2015, for professionals and hospitals that fail to adopt certified EHRs.”  This rule outlines statutory deadlines for the programs:

January 1, 2011:  Date can start incentive payments to EPs (Medicare)

October 1, 2010:  Date can start incentive payments to hospitals (Medicare)

The rule “[e]stablishes policies and procedures required before the incentive program can begin.  Additionally, supplemental payments are available in 2011 and 2012.  If eligible professionals and hospitals are not meaningful Electronic Health Record users by 2015, there will be a Medicare payment adjustment imposed.”

These two rules go together.  Because of upcoming deadlines, and the information contained therein relates to the Final Rule published in the Federal Register on June 24, 2010:  Establishment of the Temporary Certification Program for Health Information Technology; Final Rule (75 Federal Register 36157), it is likely that OMB will expedite review of the two referenced final rules and publication in the Federal Register will occur shortly thereafter.  (20100706)

Legal authority for the NPRM is in Sections 13400 to 13410 of Subtitle D (Privacy) of the HITECH Act, which was enacted as part of the American Recovery and Reinvestment Act of 2009 (Public Law 111-5), enacted on February 17, 2009. Those sections cover:

13400:  Definitions

13401:  Application of Security Provisions and Penalties to Business Associates of Covered Entities; Annual Guidance on Security Provisions

13402:  Notification in the Case of Breach

13403:  Education on Health Information Privacy

13404:  Application of Privacy Provisions and Penalties to Business Associates of Covered Entities

13405:  Restrictions on Certain Disclosures and Sales of Health Information; Accounting of Certain Protected Health Information Disclosures; Access to Certain Information in Electronic Format

13406:  Conditions on Certain Contacts as Part of Health Care Operations

13407:  Temporary Breach Notification Requirement for Vendors of Personal Health Records and Other Non-HIPAA Covered Entities

13408:  Business Associate Contracts Required for Certain Entities

13409:  Clarification of Application of Wrongful Disclosures Criminal Penalties

13410:  Improved Enforcement

These sections appear in Subtitle D (Privacy) on pp. 258-276 of Public Law 111-5, which is available for download on hipaa.com.  The NPRM represents enabling rules for referenced statutory provisions from within some or all of those sections.

The Abstract of the NPRM is:

“The Department of Health and Human Services Office for Civil Rights will issue rules to modify the HIPAA Privacy, Security, and Enforcement Rules as necessary to implement the privacy, security, and certain enforcement provisions of subtitle D of the [HITECH Act](Title XIII of the American Recovery and Reinvestment Act of 2009).”

In addition to the NPRM discussed above, OMB still has under review the Final Rule entitled:  HIPAA Administrative Simplification; Notification in the Case of Breach (RIN:  0991-AB56), which would replace the Interim Final Rule that was published in the Federal Register on August 24, 2009 (74 Federal Register 42739-42770).

The Abstract of the Final Rule is:

“The Department will issue final rules for HIPAA covered entities and business associates with respect to breach notification of unsecured protected health information as required by section 13402 of the [HITECH Act](Title XIII of the American Recovery and Reinvestment Act of 2009).”

(20100705)

Public listing of such breaches is required by the Health Information Technology for Economic and Clinical Health Act (HITECH Act) that was enacted as part of the American Recovery and Reinvestment Act of 2009.  The breach list has been on the OCR Web site since February 23, 2010, the day after OCR began enforcement of breach notification for breaches that occurred on or after February 22.  Excluding seven breaches that were not identified as to location, 25% involved breaches of protected health information (PHI) in hard copy (paper) form and 75% in various electronic forms.  Of the electronic breaches, which included several in multiple electronic forms, 34 involved laptops, 15 desktops, 11 portable devices, 9 servers, and the remaining 11 miscellaneous forms (2 hard disks, 2 computers (not otherwise identified), 2 backup tapes, 2 electronic medical records (EMRs), 2 other (not identified), and 1 CD).

Of the 75 electronic breaches, 58, or 77%, involved theft, and 11, or 15%, involved unauthorized access, with 7 of those 11 also reported in association with theft.  There were six reported losses, or 8%, with 2 of those 6 also reported in association with theft.  There were four reported hacking incidents, or 5%, with 1 of those 4 also reported in association with unauthorized access.  Finally, there were 6, or 8%, defined as other, with 1 of those 6 also reported in association with theft.

Of the 34 breaches involving a laptop, 32, or 94% involved a theft, and the remaining 2 breaches, or 6%, involved a loss. Of the 11 breaches involving a portable device, 10, or 91%, involved a theft, with one, or 9%, a loss.  Whether a theft or loss, the evidence from the growing number of publicly reported breaches is that portable computers and devices must be encrypted to secure protected health information, in accordance with the August 24, 2009, Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals (74 Federal Register 42742-42743) in order to avoid the growing costs to breaching entities of complying with provisions of the breach notification rule, reputational harms to those entities, and financial and inconvenience harms to affected individuals. [20100702]

The summary of the final rule is reproduced here:

“This final rule establishes a temporary certification program for the purposes of testing and certifying health information technology.  This final rule is established under the authority granted to the National Coordinator for Health Information Technology (the National Coordinator) by section 3001(c)(5) of the Public Health Service Act (PHSA), as added by the Health Information Technology for Economic and Clinical Health (HITECH) Act.  The National Coordinator will utilize the temporary certification program to authorize organizations to test and certify Complete Electronic Health Records (EHRs) and/or EHR Modules, thereby making Certified EHR Technology available prior to the date on which health care providers seeking incentive payments available under the Medicare and Medicaid Incentive Programs may begin demonstrating meaningful use of Certified EHR Technology.”

The Medicare incentive program mentioned in the summary is expected to start in January 2011 and the Medicaid incentive program may start as early as the beginning of the fourth quarter of 2010, when the new federal fiscal year (FY  2011) starts.  (20100618)

“Under the authority granted to the National Coordinator for Health Information Technology (the National Coordinator) by section 3001(c)(5) of the Public Health Service Act (PHSA) as added by the Health Information Technology for Economic and Clinical Health (HITECH) Act, this rule proposes the establishment of two certification programs for purposes of testing and certifying health information technology.  While two certification programs are described in this proposed rule, we anticipate issuing separate final rules for each of the programs.  The first proposal would establish a temporary certification program whereby the National Coordinator would authorize organizations to test and certify Complete EHRs and/or EHR Modules, thereby assuring the availability of Certified EHR Technology prior to the date on which health care providers seeking the incentive payments available under the Medicare and Medicaid EHR Incentives Program may begin demonstrating meaningful use of Certified EHR Technology. The second proposal would establish a permanent certification program to replace the temporary certification program.  The permanent certification program would separate the responsibilities for performing testing and certification, introduce accreditation requirements, establish requirements for certification bodies authorized by the National Coordinator related to the surveillance of Certified EHR Technology, and would include the potential for certification bodies authorized by the National Coordinator to certify other types of health information technology besides Complete EHRs and EHR Modules.” (75 Federal Register 11328) [emphasis added]

As the incentive programs for Medicare begin in 2011 and for Medicaid perhaps as early as the beginning of FY 2011 in October 2010, it is likely that the final rule relates to the temporary certification program as described in the bolded portion of the summary above.  (20100616)

On October 30, 2009, HHS published in the Federal Register the Interim Final Rule (IFR): HIPAA Administrative Simplification: Enforcement.[1] This IFR strengthened HIPAA enforcement of February 17, 2009-enacted HITECH Act penalty revisions, which were effective for violations beginning on February 18, 2009. The enforcement IFR was effective on November 30, 2009. This IFR followed by several months HHS Secretary Kathleen Sebelius’ delegation of enforcement of the HIPAA Security Rule to the Office for Civil Rights (OCR)[2], which had HIPAA Privacy Rule enforcement responsibilities since the April 14, 2003, compliance date for the Privacy Rule.

OCR’s unified enforcement of the HIPAA Privacy Rule, HIPAA Security Rule, and the Breach Notification Rule and higher penalties increase the likelihood and severity of consequences of noncompliance with those rules, especially with the advent of compliance audits in addition of complaint investigations.

Before the February 17, 2009-enacted HITECH Act penalty revisions, civil penalties for HIPAA violations were $1000 for each violation or $25,000 for all violations of the same provision in a calendar year period. Under the HITECH Act, penalties are substantially increased and have been divided into four tiers, with a maximum of $1.5 million for all violations of an identical provision in a calendar year. The tiered Penalties now range as follows, for each violation:

• $100-$50,000 if the covered entity did not know an, by exercising reasonable diligence, would not have known, that it violated such provision.
• $1,000-$50,000 if the violation was due to reasonable cause and not to willful neglect.
• $10,000-$50,000 if the violation was due to willful neglect and was corrected “during the 30-day period beginning on the first date the covered entity liable for the penalty knew, or, by exercising reasonable diligence, would have known that the violation occurred.”[3]
• $50,000 or more if the violation was due to willful neglect and was not corrected as required.

In announcing strengthened enforcement, OCR Director Georgina Verdugo said:

“The Department’s implementation of these HITECH Act enforcement provisions will strengthen the HIPAA protections and rights related to an individual’s health information…. This strengthened penalty scheme will encourage health care providers, health plans and other health care entities required to comply with HIPAA to ensure that their compliance programs are effectively designed to prevent, detect and quickly correct violations of the HIPAA rules… Such heightened vigilance will give consumers greater confidence in the privacy and security of their health information and in the industry’s use of health information technology.”[4]

Currently, there is at OMB for review as a Notice of Proposed Rulemaking (NPRM): Modifications to the HIPAA, Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act.[5] According to the Abstract: “The Department of Health and Human Services Office for Civil Rights will issue rules to modify the HIPAA Privacy, Security, and Enforcement Rules as necessary to implement the privacy, security, and certain enforcement provisions of subtitle D [Privacy] of the [HITECH Act].” After clearance at OMB, the NPRM will be published in the Federal Register. Be alert to NPRM modifications to privacy, security, and enforcement requirements, and the likelihood of relative quick—by HIPAA time standards—compliance dates for each through follow-on interim final rules.

Please visit the OCR Enforcement Web site for additional information now and updated information in the future.

[1] Department of Health and Human Services, Office of the Secretary, “45 CFR Part 160, HIPAA Administrative Simplification: Enforcement; Interim Final Rule,” Federal Register, v.74, n.209, October 30, 2009, pages 56123-56131. Citations to this document are in the format: 74 FR page(s). This document is available online at: www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/enfifr.pdf.

[2] OCR also is responsible for enforcement of the HITECH Act Breach Notification Rule. The delegation of enforcement of the HIPAA Security Rule was from the Centers for Medicare & Medicaid Services (CMS), which retains enforcement authority for the HIPAA Transaction and Code Set and Identifiers Rules. See Department of Health and Human Services, Office of the Secretary, “Office for Civil Rights; Delegation of Authority,” Federal Register, v.74, n.148, August 4, 2009, page 38630. This document is available online at: www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/srdelegation.pdf.

[3] 74 Federal Register 56131.

[4] Department of Health and Human Services, “HHS Strengthens HIPAA Enforcement, “ news release, October 30, 2009, which is available online at: http://www.hhs.gov/news/press/2009pres/10/20091030a.html.

[5] This document, Regulation Identifier Number (RIN) 0991- AB57, was received at OMB on April 12, 2010, and attributes of this NPRM, but not its content, are available online at: http://www.reginfo.gov/public/do/eAgendaViewRule?pubId=201004&RIN=0991-AB57.

This report comes several days after OCR’s release last Friday of its Draft Security Rule Guidance on Risk Analysis, the first in a series of guidances on security, that hipaa.com posted earlier today, and precedes the likely release later this month of the Notice of Proposed Rulemaking (NPRM):  Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act, which is currently at the Office of Management and Budget (OMB) for review prior to publication in the Federal Register.

In addition, the renewed emphasis on HIPAA Security Rule compliance may be due in part to the growing number of posted “Breaches Affecting 500 or More Individuals” on the OCR Web site.

As of May 6, 2010, OCR had listed on this site 77 covered entities that had experienced such breaches, with the total number of affected individuals 2,430,167.  Of the total listed breaches, 63 involved covered entities only and 14, 0r 18%, involved a business associate in some manner.  Of the 72 reported breaches identifying whether paper or electronic protected health information (PHI) was involved, 18, or 25% involved paper and 54, or 75%, involved electronic media.  Forty-five of those 54 breaches, or just over 83%, were instances of theft or loss, most often laptop or other portable devices, highlighting the need for encrypting PHI to secure it on those electronic media according to NIST-validated standards identified in the August 24, 2009, HHS Guidance.  That Guidance was discussed in earlier hipaa.com postings and is available on this site .

With increased enforcement comes the need for greater attention paid to HIPAA Privacy and Security Rule compliance and training.  hipaa.com will announce new online HIPAA privacy and security training initiatives later this month.  You may register on hipaa.com to be notified of the training announcement.

On the same day, April 29, the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) reported on its Web site 67 entities reporting “Breaches Affecting 500 or More Individuals” over the period September 22, 2009 to March 19, 2010.  That is up from the 36 that OCR listed on its initial posting of the list on February 23, 2010.  The current list is available on the OCR Web site.

Clearly, more “awareness and understanding” training on security safeguards and privacy controls regarding use and disclosure of protected health information (PHI) is necessary.  Such training is required under the HIPAA Privacy and Security Rules and includes training regarding the new HITECH Act Breach Notification Rule requirements.

HIPAA.com will have announcements about such training in May, offerred through HIPAA School.  You may register on the hipaa.com site for email notification of further details about HIPAA School training, and for postings provided on hipaa.com.  (20100429)

“SUMMARY.  Under the authority granted to the National Coordinator for Health Information Technology (the National Coordinator) by section 3001(c)(5) of the Public Health Service Act (PHSA) as added by the Health Information Technology for Economic and Clinical Health (HITECH ) Act, this rule proposes the establishment of two certification programs for purposes of testing and certifying health information technology.  While two certification  programs are described in this proposed rule, we anticipate issuing separate final rules for each of the programs.  The first proposal would establish a temporary certification program whereby the National Coordinator would authorize organizations to test and certify Complete EHRs and/or EHR Modules, thereby assuring the availability of Certified EHR Technology prior to the date on which health care providers seeking the incentive payments available under the Medicare and Medicaid EHR Incentives Program may begin demonstrating meaningful use of Certified EHR Technology.  The second proposal would establish a permanent certification program to replace the temporary certification program.  The permanent certification program would separate the responsibilities for performing testing and certification, introduce accreditation requirements, establish requirements for certification bodies authorized by the National Coordinator related to the surveillance of Certified EHR Technology, and would include the potential for certification bodies authorized by the national Coordinator to certify other types of health information technology besides Complete EHRs and EHR Modules.”

The Office of the National Coordinator for Health Information Technology requests written or electronic comments on the temporary certification program for receipt no later than 5 PM on April 9, 2010, and written or electronic comments on the permanent certification program no later than 5 PM on May 10, 2010.  Detailed instructions for submitting comments can be found on page 11328 of the NPRM referenced above.

Here are the appropriate authorities:

Section 13401 of Part 1 (Improved Privacy Provisions and Security Provisions) of Subtitle D (Privacy) of the HITECH Act (pp. 260): Application of Security Provisions and Penalties to Business Associates of Covered Entities

(a) Application of Security Provisions.  Sections 164.308 [Administrative Safeguards], 164.310 [Physical Safeguards], 164.312 [Technical Safeguards], and 164.316 [Policies and Procedures and Documentation Requirements] of title 45, Code of Federal Regulations, shall apply to a business associate of a covered entity in the same manner that such sections apply to the covered entity.  The additional requirements of this title that related to security and that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporated into the business associate agreement between the business associate and the covered entity. [42 USC 17931]

(b) Application of Civil and Criminal Penalties.  In the case of a business associate that violates any security provision specified in subsection (a), sections 1176 and 1177 of the Social Security Act (42 U.S.C. 1320d-5, 1320d-6) shall apply to the business associate with respect to such violation in the same manner such sections apply to a covered entity that violates such security provisions. [42 USC 17931]

NOTE:  Effective the day after of enactment of the HITECH Act (February 18, 2009), financial penalties were substantially increased for noncompliance with HIPAA standards, which cover policies, procedures, actions, assessments, and documentation requirements discovered during a compliance audit or complaint investigation.

Section 13423 of Part 2 (Relationship to Other Laws; Regulatory References; Effective Date; Reports) of Subtitle D (Privacy) of the HITECH Act (pp. 276):  Effective Date

Except as otherwise specifically provided, the provisions of part 1 shall take effect on the date that is 12 months after the date of the enactment of this title. [42 USC 17953]

Today marks the beginning of direct federal regulation of business associates’ compliance with the HIPAA Security Rule. [02/17/10]

42 USC 17931 (PART 1–IMPROVED PRIVACY PROVISIONS AND SECURITY PROVISIONS, Section 13401:  Application of Security Provisions and Penalties to Business Associates of Covered Entities; Annual Guidance on Security Provisions).

(a)  APPLICATION OF SECURITY PROVISIONS.–Sections 164.308 (Administrative Safeguards), 164.310 (Physical Safeguards), 164.312 (Technical Safeguards), and 164.316 (Policies and Procedures and Documentation Requirements) of title 45, Code of Federal Regulations, shall apply to a business associate of a covered entity in the same manner that such sections apply to a covered entity.  The additional requirements of this title that relate to security and that are applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporated into the business associate agreement between the business associate and the covered entity.

(b) APPLICATION OF CIVIL AND CRIMINAL PENALTIES.–In the case of a business associate that violates any security provision specified in subsection (a) [above], sections 1176 [General Penalty for Failure to Comply with Requirements and Standards] and 1177 [Wrongful Disclosure of Individually Identifiable Health Information] of the Social Security Act shall apply to the business associate with respect to such violation in the same manner such sections apply to a covered entity that violates such security provision….

42 USC 17953 (Section 13423:  EFFECTIVE DATE.  Except as otherwise specifically provided, the provisions of part 1 shall take effect on the data that is 12 months after the date of the enactment of this title [which was February 17, 2009].

If you are a covered entity, make sure that your business associates are aware to the upcoming Security Rule safeguards, policies and procedures, and documentation compliance provisions by February 17, 2010, and that your business associate agreement reflects this obligation. [01/18/2010]

“This proposed rule would implement the provisions of the American Recovery and Reinvestment Act of 2009 (ARRA)(Public Law 111-5) that provide incentive payments to eligible professionals (EPs) and eligible hospitals participating in Medicare and Medicaid programs that adopt and meaningfully use certified electronic health record (EHR) technology.  The proposed rule would specify the initial criteria an EP and eligible hospital must meet in order to qualify for the incentive payment; calculation of the incentive payment amounts; payment adjustments under Medicare for covered professional services and inpatient hospital services provided by EPs and eligible hospitals failing to meaningfully use certified EHR technology; and other program participation requirements.  Also, as required by ARRA, the Office of the National Coordinator for Health Information Technology (ONC) will be issuing a closely related interim final rule [75 FR 2013-2047] that specifies the Secretary’s adoption of an initial set of standards, implementation specifications, and certification criteria for electronic health records.  ONC will also be issuing a notice of proposed rulemaking on the process for organizations to conduct the certification of EHR technology.” [01/13/10]  This NPRM is available online here.

“The Department of Health and Human Services (HHS) is issuing this interim final rule with a request for comments to adopt an initial set of standards, implementation specifications, and certification criteria, as required by section 3004(b)(1) of the Public Health Service Act.  This interim final rule represents the first step in an incremental approach to adopting standards, implementation specifications, and certification criteria to enhance the interoperability, functionality, utility, and security of health information technology and to support its meaningful use.  The certification criteria adopted in this initial set establish the capabilities and related standards that certified electronic health record (EHR) technology will need to include in order to, at a minimum, support the achievement of the proposed meaningful use Stage 1 (beginning in 2011) by eligible professionals and eligible hospitals under the Medicare and Medicaid EHR Incentive Programs.”  This IFR is a consequence of HITECH Act provisions that were enacted on February 17, 2009, as part of the American Recovery and Reinvestment ACT.  [01/13/10]  The IFR is available online here.

Exploring HIPAA and HITECH Act Definitions:  Parts 11-15, include definitions from:

American Recovery and Reinvestment Act of 2009 (February 17, 2009, pp.258-259),

Health Information Technology for Economic and Clinical Health Act,

Title XIII—Health Information Technology,

Subtitle D—Privacy,

Section 13400—Definitions.

Treatment

Has the meaning given such term in section 164.501 of title 45, Code of Federal Regulations [CFR]:

“The provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.”

Use

Has the meaning given such term in section 160.103 of title 45, Code of Federal Regulations [CFR]:

“With respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information.”

Vendor of Personal Health Records

An entity, other than a covered entity (as defined), that offers or maintains a personal health record.

Exploring HIPAA and HITECH Act Definitions:  Parts 11-15, include definitions from:

American Recovery and Reinvestment Act of 2009 (February 17, 2009, pp.258-259),

Health Information Technology for Economic and Clinical Health Act,

Title XIII—Health Information Technology,

Subtitle D—Privacy,

Section 13400—Definitions.

Secretary

Secretary of [U.S. Department of] Health and Human Services.

Security

Has the meaning given such term in section 164.304 of title 45, Code of Federal Regulations [CFR].

“Security or Security measures encompass all of the administrative, physical, and technical safeguards in an information system.”

State

Each of the several States, the District of Columbia, Puerto Rico, the Virgin Islands, Guam, American Samoa, and the Northern Mariana Islands.

Exploring HIPAA and HITECH Act Definitions:  Parts 11-15, include definitions from:

American Recovery and Reinvestment Act of 2009 (February 17, 2009, pp.258-259),

Health Information Technology for Economic and Clinical Health Act,

Title XIII—Health Information Technology,

Subtitle D—Privacy,

Section 13400—Definitions.

Payment

Has the meaning given such term in section 164.501 of title 45, Code of Federal Regulations [CFR]:

“(1) The activities undertaken by:

(i)             A health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan;

or

(ii)            A health care provider or health plan to obtain or provide reimbursement for the provision of health care; and

(2) The activities in paragraph (1) of this definition relate to the individual to whom health care is provided and include, but are not limited to:

(i)             Determinations of eligibility or coverage (including coordination of benefits or the determination of cost sharing amounts), and adjudication or subrogation of health benefit claims;

(ii)            Risk adjusting amounts due based on enrollee health status and demographic characteristics;

(iii)           Billing, claims management, collection activities, obtaining payment under a contract for reinsurance (including stop-loss insurance and excess of loss insurance), and related health care data processing;

(iv)            Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges;

(v)             Utilization review activities, including precertification and preauthorization of services, concurrent and retrospective review of services; and

(vi)            Disclosure to consumer reporting agencies of any of the following protected health information relating to collection of premiums or reimbursement:

(A)             Name and Address;

(B)             Date of birth’

(C)             Social Security number;

(D)             Payment history;

(E)             Account number; and

(F)             Name and address of the health care provider and/or health plan.”

Personal Health Record

An electronic record of PHR identifiable health information (as defined in section 13407(f)(2)[1] on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.

Protected Health Information

Has the meaning given such term in section 160.103 of title 45, Code of Federal Regulations [CFR]:

“Individually identifiable health information:

(1) Except as provided in paragraph (2) of this definition, that is:

(i)             Transmitted by electronic media;

(ii)            Maintained in electronic media; or

(iii)           Transmitted or maintained in any other form or medium.

(2) Protected health information excludes individually identifiable health information in:

(i)             Education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g;

(ii)            Records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and

(iii)           Employment records held by a covered entity in its role as employer.”

[1] PHR Identifiable Health Information “means individually identifiable health information, as defined in section 1171(6) of the Social Security Act (42 U.S.C. 1320d(6)), and includes, with respect to an individual, information—(A) that is provided or on behalf of the individual; and (B) that identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.”  [HITECH Act, p.156]

A Message from Dr. David Blumenthal, National Coordinator for Health Information Technology

Today the Obama administration announced the availability of $60 million in Recovery Act funds to support the development of the Strategic Health IT Advanced Research Projects (SHARP) program. SHARP awards will fund research focused on identifying technology solutions to address well-documented problems impeding broad adoption of health information technology (health IT). By helping to overcome key challenges, the research will also accelerate progress towards achieving nationwide meaningful use of health IT. 

As we continue this unprecedented effort towards meaningful use and seamless, secure information exchange, we also must acknowledge that there remains a gap between the promise of health IT and the realization of its full benefits. To achieve the goal of a transformed health care delivery system, it’s critical that we close this gap by enabling a robust research infrastructure that can focus on areas where “breakthrough” advances are needed to help clear obstacles to adoption. Under the SHARP program, four awardees will receive funding to develop multidisciplinary research projects that will identify such breakthrough solutions. 

SHARP program awardees will create research programs that draw from many areas of expertise.  They will focus on issues of central interest to all health IT stakeholders, fostering considerable discussion and debate.  If for example, SHARP research helped identify new methods to create tools that will, through their incorporation into deployed technology, enhance data security, then public trust in the electronic maintenance and exchange of health information would be reinforced and strengthened – which would in turn help encourage broader adoption. 

Areas requiring this innovative research approach that will be tackled by the SHARP awardees include the security of health IT, patient-centered cognitive support, application and network platform architectures, and the secondary use of EHR data as a way of measuring and improving quality of care. 

Another important aspect of the SHARP program is that the research projects will bring together key stakeholders – researchers, patient groups, health care providers, and others – to work with one another to transform health IT research into applications. This collaborative approach allows us to consider the many voices of health IT stakeholders, and work together towards common goals. With our eyes on the vision of patient-centered, quality health care we can focus research on innovative, pragmatic, and realistic solutions, which can then be implemented across the nation. 

I truly look forward to seeing the innovative research that emerges from this program. I know that this research will provide critical insights that will bring us closer every day to a better, more efficient health care delivery system, enabled by health IT and empowered by the seamless and secure exchange of electronic health information.

Sincerely,

David Blumenthal, M.D., M.P.P. National Coordinator for Health Information Technology 
U.S. Department of Health & Human Services

Exploring HIPAA and HITECH Act Definitions:  Parts 11-15, include definitions from:

American Recovery and Reinvestment Act of 2009 (February 17, 2009, pp.258-259),

Health Information Technology for Economic and Clinical Health Act,

Title XIII—Health Information Technology,

Subtitle D—Privacy,

Section 13400—Definitions.

Health Care Provider

Has the meaning given such term in section 160.103 of title 45, Code of Federal Regulations [CFR]:

“A provider of services (as defined in section 1861(u) of the [Social Security] Act, 42 U.S.C. 1395x(u)), a provider of medial or health services (as defined in section 1861(s) of the [Social Security] Act, 42 U.S.C. 1395x(s), and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.”

Health Plan

Has the meaning given such term in section 160.103 of title 45, Code of Federal Regulations [CFR]:

“Health plan means an individual or group plan that provides, or pays the cost of, medical care (as defined in section 2791(a)(2) of the PHS [Public Health Service] Act, 42 U.S.C. 300gg-91(a)(2).

(1) Health plan includes the following, singly or in combination:

(i)            A group health plan, as defined in this section.

(ii)          A health insurance issuer, as defined in this section.

(iii)         An HMO, as defined in this section.

(iv)         Part A or Part B of the Medicare program under title XVIII of the Act.

(v)          The Medicaid program under title XIX of the Act, 42 U.S.C. 1396, et.seq.

(vi)         An issuer of a Medicare supplemental policy (as defined in section 1882(g)(1) of the Act, 42 U.S.C. 1395ss(g)(1)).

(vii)       An issuer of a long-term care policy, excluding a nursing home fixed-indemnity policy.

(viii)      An employee welfare benefit plan or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers.

(ix)         The health care program for active military personnel under title 10 of the United States Code.

(x)          The veterans health care program under 38 U.S.C. chapter 17.

(xi)         The Civilian Health and Medical Program of the Uniformed Services (CHAMPUS) (as defined in 10 U.S.C. 1072(4)).

(xii)       The Indian Health Service program under the Indian Health Care Improvement Act, 25 U.S.C. 1601, et.seq.

(xiii)      The Federal Employees Health Benefits Program under 5 U.S.C. 8902, et.seq.

(xiv)      An approved State child health plan under title XXI of the Act, providing benefits for child health assistance that meet the requirements of section 2103 of the Act, 42 U.S.C. 1397, et.seq.

(xv)       The Medicare+Choice program under Part C of title XVIII of the Act, 42 U.S.C. 1395w-21 through 1395w-28.

(xvi)      A high risk pool that is a mechanism established under State law to provide health insurance coverage or comparable coverage to eligible individuals.

(xvii)    Any other individual or group plan, or combination of individual or group plans, that provides or pays for the cost of medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)).

(2) Health Plan excludes:

(i)            Any policy, plan, or program to the extent that it provides, or pays for the cost of, excepted benefits that are listed in section 2791(c)(1) of the PHS Act, 42 U.S.C. 300gg-91(c)(1); and

(ii)          A government-funded program (other than one listed in paragraph (1)(i)-(xvi) of this definition):

A.  Whose principal purpose is other than providing, or paying the cost of, health care; or

B.  Whose principal activity is:

(1) The direct provision of health care to persons; or

(2) The making of grants to fund the direct provision of health care to persons.”

National Coordinator

The head of the Office of the national Coordinator for Health Information Technology established under section 3001(a) of the Public Health Service Act, as added by section 13101.

Exploring HIPAA and HITECH Act Definitions:  Parts 11-15, include definitions from:

American Recovery and Reinvestment Act of 2009 (February 17, 2009, pp.258-259),

Health Information Technology for Economic and Clinical Health Act,

Title XIII—Health Information Technology,

Subtitle D—Privacy,

Section 13400—Definitions.

Disclose

The terms ‘disclose’ and ‘disclosure’ have the meaning given the term ‘disclosure’ in section 160.103 of title 45, Code of Federal Regulations [CFR]:

“The release, transfer, provision of, access to, or divulging in any other manner of information outside the entity holding the information.”

Electronic Health Record

An electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.

Health Care Operations

Has the meaning given such term in section 164.501 of title 45, Code of Federal Regulations [CFR]:

“Health care operations means any of the following activities of the covered entity to the extent that the activities are related to covered functions:

(1) Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment;

(2) Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities.

(3) Underwriting, premium rating, and other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care (including stop-loss insurance and excess of loss insurance), provided that the requirements of § 164.514(g)[1] are met, if applicable;

(4) Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs;

(5) Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies; and

(6) Business management and general administrative activities of the entity, including, but not limited to:

(i) Management activities relating to implementation of and compliance with requirements of this subchapter;

(ii) Customer service, including the provision of data analyses for policy holders, plan sponsors, or other customers, provided that protected health information is not disclosed to such policy holder, plan sponsor, or customer;

(iii) Resolution of internal grievances;

(iv) The sale, transfer, merger, or consolidation of all or part of the covered entity with another covered entity, or an entity that following such activity will become a covered entity and due diligence related to such activity; and

(v) Consistent with the applicable requirements of § 164.514,[2] creating de-identified health information or a limited data set, and fundraising for the benefit of the covered entity.”

[1] “(g) Standard:  Uses and disclosures for underwriting and related purposes.  If a health plan receives protected health information for the purpose of underwriting, premium rating, or other activities relating to the creation, renewal, or replacement of a contract of health insurance or health benefits, and if such health insurance or health benefits are not placed with the health plan, such health plan may not use of disclose such protected health information for any other purpose, except, as may be required by law.”

[2] “Other requirements relating to uses and disclosures of protected health information.”

]]> http://www.hipaa.com/2009/12/exploring-hipaa-and-hitech-act-definitions-part-12/feed/ 0 http://www.hipaa.com/2009/12/exploring-hipaa-and-hitech-act-definitions-part-11/ http://www.hipaa.com/2009/12/exploring-hipaa-and-hitech-act-definitions-part-11/#comments Tue, 08 Dec 2009 15:10:56 +0000 Ed Jones http://www.hipaa.com/?p=2017 From now through November, HIPAA.com is providing a run through of HIPAA transaction & code set, privacy, and security definitions, along with relevant HITECH Act definitions pertaining to breach notification, securing of protected health information, and electronic health record (EHR) standards development and adoption. These definitions are key to understanding the referenced HIPAA and HITECH Act enabling regulations that are effective now and that will require compliance by covered entities and business associates now or in the months ahead, as indicated in HIPAA.com’s timeline. Each posting will contain three definitions, with a date reference to the Federal Register, Code of Federal Regulations (CFR), or statute, as appropriate.

Exploring HIPAA and HITECH Act Definitions:  Parts 11-15, include definitions from:

American Recovery and Reinvestment Act of 2009 (February 17, 2009, pp.258-259),

Health Information Technology for Economic and Clinical Health Act,

Title XIII—Health Information Technology,

Subtitle D—Privacy,

Section 13400—Definitions.

Breach

(A) In General—The term ‘breach’ means the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.

(B) Exceptions—The term ‘breach’ does not include—

1. Any unintentional acquisition, access, or use of protected health information by an employee or individual acting under the authority of a covered entity or business associate if—
   1. Such acquisition, access, or use was made in good faith and within the course and scope of the employment or other professional relationship of such employee or individual, respectively, with the covered entity or business associate; and
   2. Such information is not further acquired, accessed, used, or disclosed by an person; or
2. Any inadvertent disclosure from an individual who is otherwise authorized to access protected health information at a facility operated by a covered entity or business associate to another similarly situated individual at same facility; and
3. Any such information received as a result of such disclosure is not further acquired, accessed, used, or disclosed without authorization by any person.

[Note:  The definition of 'breach' in the enabling regulation is different in several respects from the statutory definition above, including introduction of consideration of risk of harm to the individual:

Breach means the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E [Privacy of Individually Identifiable Health Information] of this part [45 CFR 164:  Security and Privacy] which compromises the security or privacy of the protected health information.

(1)(i) For purposes of this definition, compromises the security or privacy of the protected health information means poses a significant risk of financial, reputational, or other harm to the individual.

(ii) A use or disclosure of protected health information that does not include the identifiers listed at § 164.514(e)(2) [Implementation Specification for the Limited Data Set standard], date of birth, and zip code does not compromise the security or privacy of the protected health information.

(2) Breach excludes:

(i) Any unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under subpart E of this part.

(ii) Any inadvertent disclosure by a person who is authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the same covered entity or business associate, or organized health care arrangement in which the covered entity participates, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under subpart E of this part.

(iii) A disclosure of protected health information where a covered entity or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

See Department of Health and Human Services, Office of the Secretary, “45 CFR Parts 160 and 164–Breach Notification for Unsecured Protected Health Information; Interim Final Rule,” Federal Register, v. 74, n. 162, August 24, 2009, pp.42767-42768.]

Business Associate

Has the meaning given such term in section 160.103 of title 45, Code of Federal Regulations [CFR]:

“(1) Except as provided in paragraph (2) of this definition, business associate means, with respect to a covered entity, a person who:

1. On behalf of such covered entity or of an organized health care arrangement (as defined in § 164.501 of this subchapter) in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, performs, or assists in the performance of:
   1. A function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing; or
   2. Any other function or activity regulated by this subchapter; or
   3. Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation (as defined in § 164.501 of this subchapter), management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of individually identifiable health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.

(2) A covered entity participating in an organized health care arrangement that performs a function or activity as described by paragraph (1)(i) of this definition for or on behalf of such organized health care arrangement, or that provides a service as described in paragraph (1)(ii) of this definition to or for such organized health care arrangement, does not, simply through the performance of such function or activity or the provision of such service, become a business associate of other covered entities participating in such organized health care arrangement.

(3) A covered entity may be a business associate of another covered entity.”

Covered Entity

Has the meaning given such term in section 160.103 of title 45, Code of Federal Regulations [CFR]:

“(1) A health plan.

(2) A health care clearinghouse.

(3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.”

]]> http://www.hipaa.com/2009/12/exploring-hipaa-and-hitech-act-definitions-part-11/feed/ 0 http://www.hipaa.com/2009/11/exploring-hipaa-and-hitech-act-definitions-part-10/ http://www.hipaa.com/2009/11/exploring-hipaa-and-hitech-act-definitions-part-10/#comments Wed, 25 Nov 2009 16:30:34 +0000 Ed Jones http://www.hipaa.com/?p=1986 From now through November, HIPAA.com is providing a run through of HIPAA transaction & code set, privacy, and security definitions, along with relevant HITECH Act definitions pertaining to breach notification, securing of protected health information, and electronic health record (EHR) standards development and adoption. These definitions are key to understanding the referenced HIPAA and HITECH Act enabling regulations that are effective now and that will require compliance by covered entities and business associates now or in the months ahead, as indicated in HIPAA.com’s timeline. In this posting we highlight the last two definitions from the following HITECH Act section:

Exploring HIPAA and HITECH Act Definitions:  Parts 6-10, include definitions from:

American Recovery and Reinvestment Act of 2009 (February 17, 2009, pp.228-229),

Health Information Technology for Economic and Clinical Health Act,

Title XIII—Health Information Technology,

Subtitle A—Promotion of Health Information Technology,

Section 13101—ONCHIT [Office of the National Coordinator for Health Information Technology]; Standards Development and Adoption,

Title XXX—Health Information Technology and Quality,

Section 3000—Definitions (also designated as 42 USC 300jj).

Qualified Electronic Health Record

An electronic record of health-related information on an individual that—

(A) Includes patient demographic and clinical health information, such as medical history and problem lists; and

(B) Has the capacity—

1. To provide clinical decision support;
2. To support physician order entry;
3. To capture and query information relevant to health care quality; and
4. To exchange electronic health information with, and integrate such information from other sources.

State

Each of the several states, the District of Columbia, Puerto Rico, the Virgin Islands, Guam, American Samoa, and the Northern Mariana Islands.

Exploring HIPAA and HITECH Act Definitions:  Parts 6-10, include definitions from:

American Recovery and Reinvestment Act of 2009 (February 17, 2009, pp.228-229),

Health Information Technology for Economic and Clinical Health Act,

Title XIII—Health Information Technology,

Subtitle A—Promotion of Health Information Technology,

Section 13101—ONCHIT [Office of the National Coordinator for Health Information Technology]; Standards Development and Adoption,

Title XXX—Health Information Technology and Quality,

Section 3000—Definitions (also designated as 42 USC 300jj).

Laboratory

Has the meaning given such term in section 353(a).

National Coordinator

The head of the Office of the National Coordinator for Health Information Technology established under section 3001(a).

Pharmacist

Has the meaning given such term in section 804(2) of the Federal Food, Drug, and Cosmetic Act.

Exploring HIPAA and HITECH Act Definitions:  Parts 6-10, include definitions from:

American Recovery and Reinvestment Act of 2009 (February 17, 2009, pp.228-229),

Health Information Technology for Economic and Clinical Health Act,

Title XIII—Health Information Technology,

Subtitle A—Promotion of Health Information Technology,

Section 13101—ONCHIT [Office of the National Coordinator for Health Information Technology]; Standards Development and Adoption,

Title XXX—Health Information Technology and Quality,

Section 3000—Definitions (also designated as 42 USC 300jj).

HIT Policy Committee

Such Committee established under section 3002(a).[1]

HIT Standards Committee

Such Committee established under section 3003(a).[2]

Individually Identifiable Health Information

Has the meaning given such term in section 1171(6) of the Social Security Act:

“Any information, including demographic information collected from an individual, that—

(A) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and

(B) Relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and—

1. Identifies the individual; or
2. With respect to which there is a reasonable basis to believe that the information can be used to identify the individual.”

[1] HIT Policy Committee (Establishment).
[2] HIT Standards Committee (Establishment).

Exploring HIPAA and HITECH Act Definitions:  Parts 6-10, include definitions from:

American Recovery and Reinvestment Act of 2009 (February 17, 2009, pp.228-229),

Health Information Technology for Economic and Clinical Health Act,

Title XIII—Health Information Technology,

Subtitle A—Promotion of Health Information Technology,

Section 13101—ONCHIT [Office of the National Coordinator for Health Information Technology]; Standards Development and Adoption,

Title XXX—Health Information Technology and Quality,

Section 3000—Definitions (also designated as 42 USC 300jj).

Health Information

Has the meaning given such term in section 1171(4) of the Social Security Act:

“Any information, whether oral or recorded in any form or medium, that—

(A) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and

(B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.”

Health Information Technology

Hardware, software, integrated technologies or related licenses, intellectual property, upgrades, or packaged solutions sold as services that are designed for or support the use by health care entities or patients for the electronic creation, maintenance, access, or exchange of health information.

Health Plan

Has the meaning given such term in section 1171(5) of the Social Security Act:

“An individual or group plan that provides, or pays the cost of, medical care (as such term is defined in section 2791 of the Public Health Service Act.)  Such term includes the following, and any combination thereof:

(A) A group health plan (as defined in section 2791(a) of the Public Health Service Act), but only if the plan—

1. Has 50 or more participants (as defined in section 3(7) of the Employee Retirement Income Security Act of 1974); or
2. Is administered by an entity other than the employer who established and maintains the plan.

(B) A health insurance issuer (as defined in section 2791(b) of the Public Health Service Act).

(C) A health maintenance organization (as defined in section 2791(b) of the Public Health Service Act).

(D) Part A, B, or C of the Medicare program under title XVIII.

(E) The Medicaid program under title XIX.

(F) A Medicare supplemental policy (as defined in section 1882(g)(1)).

(G) A long-term care policy, including a nursing home fixed indemnity policy (unless the Secretary [of HHS] determines that such a policy does not provide sufficiently comprehensive coverage of a benefit so that the policy should be treated as a health plan).

(H) An employee welfare benefit plan or any other arrangement which is established or maintained for the purpose of offering or providing health benefits to the employees of 2 or more employers.

(I)  The health care program for active military personnel under title 10, United States Code.

(J)  The veterans health care program under chapter 17 of title 38, United States Code.

(K) The Civilian Health and Medical Program of the Uniformed Services (CHAMPUS), as defined in section 1072(4) of title 10, United States Code.

(L)  The Indian health service program under the Indian Health Care Improvement Act (25 U.S.C. 1601 et seq.).

(M) The Federal Employees Health Benefit Plan under chapter 89 of title 5, United State Code.”

As the healthcare industry continues to digest profound HITECH changes to HIPAA Privacy and Security rules, two observations already are apparent and indisputable for covered entities and their business associates.  First, time and resources spent on a workforce that is well-trained on the Privacy and Security rules will be an investment of exponential value. Second, enforcement of those same rules will make negligent and uncorrected errors very costly. A well-trained workforce makes fewer mistakes, and identifies and fixes those that it makes. A workforce that violates the rules because it does not know them or does not care to know them makes an inviting target for HITECH’s new enforcement initiatives. The lesson seems clear: train on HITECH and re-train on existing HIPAA rules–or pay some new and onerous penalties for workforce mistakes.

Here are three hard truths about the HITECH amendments. First, after HITECH, penalties for each violation of HIPAA can now exceed civil penalties for violating the anti-kickback statute. Second, HITECH mandates much more enforcement by HHS, including compliance audits, and allows enforcement by state Attorneys General. Third, under the recently adopted breach notification rules, covered entities are required to submit annually logs of protected health information (PHI) breaches to the Secretary of HHS. Because by definition each of those reported “breaches” involves a violation of the Privacy Rule, covered entities also will be informing the Secretary of their Privacy Rule violations. You won’t have to worry about possible whistleblowers; you are the whistleblower.

One major piece of good news in HITECH is that Congress provided that unless a violation is caused by willful neglect, penalties for the violation may be avoided by taking corrective action within 30 days. This is where training comes in, and where training pays off. A vigorous training program enables the workforce of a covered entity to identify violations quickly because the workforce knows what are proper PHI uses and disclosures and what are not. For example, if workforce members do not understand the concept of “minimum necessary”, they will not know that sending an entire medical record to a third party payer is highly likely to violate the Privacy Rule. If workforce members know what is the “minimum necessary” disclosure, they will either avoid an improper disclosure or move to correct it within the thirty-day corrective action grace period.

As with so many other areas of HIPAA, HITECH introduces many new concepts. New regulations have been published on unsecured breaches and more regulations are coming on privacy, security, and enforcement. Making these rules comprehensible to your workforce members (including management) and applicable to your environment requires training—and some re-training on the existing HIPAA Privacy and Security rules and how they all fit together.

Exploring HIPAA and HITECH Act Definitions:  Parts 6-10, include definitions from:

American Recovery and Reinvestment Act of 2009 (February 17, 2009, pp.228-229),

Health Information Technology for Economic and Clinical Health Act,

Title XIII—Health Information Technology,

Subtitle A—Promotion of Health Information Technology,

Section 13101—ONCHIT [Office of the National Coordinator for Health Information Technology]; Standards Development and Adoption,

Title XXX—Health Information Technology and Quality,

Section 3000—Definitions (also designated as 42 USC 300jj).

Certified EHR Technology

A qualified electronic health record [EHR] that is certified pursuant to section 3001(c)(5)[1] as meeting standards adopted under section 3004[2] that are applicable to the type of record involved (as determined by the Secretary [of HHS], such as an ambulatory electronic health record for office-based physicians or an inpatient hospital electronic health record for hospitals).

Enterprise Integration

The electronic linkage of health care providers, health plans, the government, and other interested parties, to enable the electronic exchange and use of health information among all the components in the health care infrastructure in accordance with applicable law, and such term includes related application protocols and other related standards.

Health Care Provider

Includes a hospital, skilled nursing facility, nursing facility, home health entity or other long term care facility, health care clinic, community mental health center (as defined in section 1913(b)(1), renal dialysis facility, blood center, ambulatory surgical center described in section 1833(i) of the Social Security Act, emergency medical services provider, Federally qualified health center, group practice, a pharmacist, a pharmacy, a laboratory, a physician (as defined in section 1861(r) of the Social Security Act), a practitioner (as described in section 1842(b)(18)(C) of the Social Security Act), a provider operated by, or under contract with, the Indian Health Service or by an Indian tribe (as defined in the Indian Self-Determination and Education Assistance Act), tribal organization, or urban Indian organization (as defined in section 4 of the Indian Health Care Improvement Act), a rural health clinic, a covered entity under section 340B, and ambulatory surgical center described in section 1833(i) of the Social Security Act, a therapist (as defined in section 1848(k)(3)(B)(iii) of the Social Security Act, and any other category of health care facility, entity, practitioner, or clinician determined appropriate by the Secretary [of HHS].

[1] ONCHIT (Duties of the National Coordinator (Certification)).
[2] Process for Adoption of Endorsed Recommendations; Adoption of Initial Set of Standards, Implementation Specifications, and Certification Criteria.

Protected Health Information

To get to protected health information, you have to examine two definitions that were in Section 1171 of Part C of Subtitle F of Public Law 104-191 (August 21, 1996): Health Insurance Portability and Accountability Act of 1996:  Administrative Simplification.  These statutory definitions are of health information and individually identifiable health information.

“Health information means any information, whether oral or recorded in any form or medium, that–

(A) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and

(B) relates to the past, present, or future physical or mental health or condition of any individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.”

“Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and:

(1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and

(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and

(i)   That identifies the individual; or

(ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.”

Protected health information is defined in 45 CFR 160.103, where ‘CFR’ means ‘Code of Federal Regulations’, and, as defined, is referenced in Section 13400 of Subtitle D (’Privacy’) of the HITECH Act.

“Protected health information means individually identifiable health information [defined above]:

(1) Except as provided in paragraph (2) of this definition, that is:

(i)    Transmitted by electronic media;

(ii)   Maintained in electronic media; or

(iii)  Transmitted or maintained in any other form or medium.

(2) Protected health information excludes individually identifiable health information in:

(i)    Education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g;

(ii)   Records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and

(iii)  Employment records held by a covered entity in its role as employer.”

The HIPAA Privacy Rule covers protected health information in any medium while the HIPAA Security Rule covers electronic protected health information.

With those definitions in place, the question becomes:  what elements comprise protected health information such that if they were removed, items (i) and (ii) of (2) in the definition of individually identifiable health information would not obtain.  The answer is in the de-identification standard and its two implementation specifications of the HIPAA Privacy Rule [45 CFR 164.514]:

“(a) Standard:  de-identification of protected health information.  Health information [defined above] that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual is not individually identifiable health information.

(b) Implementation specifications:  requirements for de-identification of protected health information.  A covered entity may determine that health information is not individually identifiable health information only if:

(1) A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable:

(i)   Applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is subject of the information; and

(ii) Documents the methods and results of the analysis that justify such determination; or

(2)

(i) The following identifiers of the individual or of relatives, employers, or household members of the individual, are removed:

(A) Names;

(B) All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Censue:

(1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and

(2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.

(C) All elements of dates (except year) for dates directly related to an individual, including birth date, admission date,, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;

(D) Telephone numbers;

(E) Fax numbers;

(F) Electronic mail addresses;

(G) Social security numbers;

(H) Medical record numbers;

(I) Health plan beneficiary numbers;

(J) Account numbers;

(K) Certificate/license numbers;

(L) Vehicle identifiers and serial numbers, including license plate numbers;

(M) Device identifiers and serial numbers;

(N) Web Universal Resource Locators (URLs);

(O) Internet Protocol (IP) address numbers;

(P) Biometric identifiers, including finger and voice prints;

(Q) Full face photographic images and any comparable images; and

(R) Any other unique identifying number, characteristic, or code, except as permitted by paragraph (c) of this section; and

(ii) The covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.

(c) Implementation specifications:  re-identification.  A covered entity may assign a code or other means of record identification to allow information de-identified under this section to be re-identified by the covered entity, provided that:

(1) Derivation.  The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; and

(2) Security.  The covered entity does not use or disclose the code or other means of record identification for any other purpose, and does not disclose the mechanism for re-identification.”

With HHS’s release of the Interim Final Rule, ‘Breach Notification for Unsecured Protected Health Information,’ published in the Federal Register on Monday, August 24, 2009, note the following:  ”If information is de-identified in accordance with 45 CFR 164.514(b) [the first implementation specification, defined above], it is not protected health information, and thus, any inadvertent or unauthorized use or disclosure of such information will not be considered a breach for purposes of this subpart.” [74 Federal Register 42743]

Question:  When will CMS begin to pay incentives to eligible professionals and hospitals for using certified Electronic Health Records (EHRs)?

Answer:  By statute [American Recovery and Reinvestment Act of 2009], the earliest dates that CMS will be able to pay an incentive under Medicare is October 1, 2010, for hospitals, and January 1, 2011, for eligible professionals.

The statute does not define a date for the Medicaid incentives program.  Given the range of regulatory and planning activities that must precede States being able to make provider incentive payments, as well as the importance of coordinating Medicaid and Medicare payments to prevent duplication, CMS does not expect that States will be able to make such payments until 2011.

Work is underway to define the meaningful EHR user criteria, as well as the requirements for applying for and receiving the EHR payment incentives.  CMS expects to issue a proposed rule in late 2009 [relating to these matters].

For information on the Medicare and Medicaid incentive programs, see Title IV, pp. 353-382 of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009, which is available for download on HIPAA.com.

Question:  Are physicians who practice in hospital-based ambulatory clinics eligible to receive the Recovery Act’s Medicare or Medicaid electronic health record (EHR) incentive payments.

Answer:  Hospital-based eligible professionals are ineligible for the EHR incentive payments under both Medicare and Medicaid.  Our [Department of Health and Human Services] forthcoming NPRM [Notice of Proposed Rule Making] will propose a definition for determining whether a physician or other eligible professional is hospital based.

For information on the Medicare and Medicaid incentive programs, see Title IV, pp. 353-382 of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009, which is available for download on HIPAA.com.

• 3011 Immediate Funding to Strengthen the Health Information Technology Infrastructure, including “invest[ment] in the infrastructure necessary to allow for and promote the electronic exchange and use of health information for each individual in the United States consistent with the goals outlined in the strategic plan developed by the National Coordinator…”.
• 3012 Health Information Technology Implementation Assistance, with the exclusion of assistance to any health information technology regional extension center as noted in the quote above.
• 3013    State Grants to Promote Health Information Technology.
• 3014    Competitive Grants to States and Indian Tribes for the Development of Loan Programs to Facilitate the Widespread Adoption of Certified EHR Technology.
• 3015    Demonstration Program to Integrate Information Technology into Clinical Education.
• 3016    Information Technology Professionals in Health Care.
• 3017    General Grant and Loan Provisions.

The delegation notice in the Federal Register is available here. For additional information pertaining to this delegation and to its substance, please read the referenced ARRA pages and visit the Office of the National Coordinator for Health Information Technology (ONC) website.

HHS’ Health Information Technology (IT) Policy Committee released on June 16, 2009, two documents pertaining to the definition of “meaningful use” for public comment by 5 PM ET, Friday, June 26, 2009. These documents are the Meaningful Use Preamble and Meaningful Use Matrix, available here. Information on providing public comment is available online, along with other information on the HIT Policy Committee and its activities.

In our previous posting on Meaningful Use, we outlined Health Outcomes Policy Priorities and Care Goals, and described the Meaningful Use Preamble and Meaningful Use Matrix. In this posting, HIPAA.com reproduces the draft recommendation 2011 Objectives and Measures for each of the five Health Outcomes Policy Priorities. We recommend that you review the previous posting prior to examining the 2011 Objectives and 2011 Measures. Remember, the deadline for public comment is 5 PM ET, Friday, June 26, 2009.

Meaningful Use Matrix

The meaningful use matrix outlines in Column 1 of eight columns five Health Outcomes Policy Priorities (P), and in Columns 3 and 4 2011 Objectives (O) and 2001 Measures (M), respectively.

(P) Improve quality, safety, efficiency, and reduce health disparities

» (O) Use CPOE for all order types including medications (OP, IP)

» (O) Implement drug-drug, drug-allergy, drug-formulary checks (OP, IP)

» (O) Maintain and up-to-date problem list (OP, IP)
Generate and transmit permissible prescriptions electronically (eRX)(OP)

» (O) Maintain active medication list (OP, IP)

» (O) Record primary language, insurance type, gender, race, ethnicity (OP, IP)

» (O) Record vital signs including height, weight, blood pressure (OP, IP)

» (O) Incorporate lab-test results in EHR (OP, IP)

» (O) Generate lists of patients by specific condition to use for quality improvement, reduction of disparities, and outreach (OP)

» (O) Send reminders to patients per patient preference for preventive/follow-up care (OP, IP)

» (O) Document a progress note for each encounter (OP)

» (M) Report quality measures, including

» % diabetics with A1c under control (OP)

» % hypertensive patients with BP under control (OP)

» % of patients with LDL under control (OP)

» % of smokers offered smoking cessation counseling (OP, IP)

» (M) % of patients with recorded BMI (OP)

» (M) % eligible surgical patients who received VTE prophylaxis (IP)

» (M) % of orders entered directly by physicians through CPOE

» (M) Use of high-risk medications in the elderly (OP, IP)

» % of patients over 50 with annual colorectal cancer screenings (OP)

» (M) % of females over 50 receiving annual mammograms (OP)

» (M) % patients at high-risk for cardiac events on aspirin prophylaxis (OP)

» (M) % of patients with current pneumovax (OP)

» (M) % eligible patients who received flu vaccine (OP)

» (M) % lab results incorporated into EHR in coded format (OP, IP)

» (M) Stratify reports by gender, insurance type, primary language, race, ethnicity (OP, IP)

(P) Engage patients and families

» (O) Provide patients with electronic copy of—or electronic access to—clinical information (including lab results, problem list, medication lists, allergies) per patient preference (e.g., through PHR)(OP, IP)

» (O) Provide access to patient-specific educational resources (OP, IP)

» (O) Provide clinical summaries for patients for each encounter (OP, IP)

» (M) % of all patients with access to personal health information electronically (OP, IP)

» (M) % of all patients with access to patient-specific educational resources (OP, IP)

» (M) % of encounters for which clinical summaries were provided (OP, IP)

(P) Improve care coordination

» (O) Exchange key clinical information among providers of care (e.g., problems, medications, allergies, test results)(OP, IP)

» (O) Perform medication reconciliation at relevant encounters (OP, IP)

» (M) Report 30-day readmission rate (IP)

» (M) % of encounters where med reconciliation was performed (OP, IP)

» (M) Implemented ability to exchange health information with external clinical entity (specifically labs, care summary and medication lists)(OP, IP)

» (M) % of transitions in care for which summary care record is shared (e.g., electronic, paper, eFax)(OP, IP)

(P) Improve population and public health

» (O) Submit electronic data to immunization registries where required and accepted (OP, IP)

» (O) Provide electronic submissions of reportable lab results to public health agencies (IP)

» (O) Provide electronic syndrome surveillance data to public health agencies according to applicable law and practice (IP)

» (M) Report up-to-date status for childhood immunizations (OP)

» (M) % reportable lab results submitted electronically (IP)

(P) Ensure adequate privacy and security protections for personal health information

» (O) Compliance with HIPAA Privacy and Security Rules and state laws

» (O) Compliance with fair data sharing practices set forth in the Nationwide Privacy and Security Framework [released by HHS’ Office of the National Coordinator for Health Information Technology on December 15, 2008, and available on the HIPAA.com site]

» (M) Full compliance with HIPAA Privacy and Security Rules

» (M) An entity under investigation for a HIPAA privacy or security violation cannot achieve meaningful use until the entity is cleared by the investigating authority

» (M) Conduct or update a security risk assessment and implement security updates as necessary.

The 2011 Objectives are described in the Meaningful Use Matrix header to Column 3 as follows:

“Goal is to electronically capture in coded format and to report health information and to use that information to track by clinical conditions.”

The Meaningful Use Preamble elaborates further:

“Although some recommended measure used to assess meaningful use in 2011 may apply to specific chronic diseases, the recommended 2011 objective are meant to establish a foundation for affecting a more comprehensive set of health outcomes in the future…. In identifying potential criteria for ‘meaningful use’ of an electronic health record, it became apparent that that there are considerable gaps in EHR-generated measures available to monitor key desired policy outcomes (e.g., efficiency, patient safety, care coordination)…. [T]hese measures will not be required for Medicare and Medicaid incentive payments until 2013….”

The Health IT Policy Committee

“is seeking feedback on how to best frame these measures including measurement of key public health conditions, measuring health care efficiency, and measuring the avoidance of certain adverse events. These comments will be used to help revise the recommended measurement strategy to include more extensive and refined outcome measures for ‘meaningful use’ in 2013 and beyond.

Remember, if you have a contribution to make concerning the definition of meaningful use, your comments should be submitted no later than 5 PM ET, on Friday, June 26, 2009. Instructions for submission are at the at the site shown at the healthit site shown at the beginning of this posting.

HHS’ Health Information Technology (IT) Policy Committee released on June 16, 2009, two documents pertaining to the definition of “meaningful use” for public comment by 5 PM ET, Friday, June 26, 2009. These documents are the Meaningful Use Preamble and Meaningful Use Matrix. Information on providing public comment is available online at the HHS website, along with other information on the HIT Policy Committee and its activities.

HIPAA.com outlines the draft recommendation on meaningful use in two postings, and recommends that its site visitors read the 3-page Meaningful Use Preamble: Meaningful Use: A Definition-Recommendations from the Meaningful Use Workgroup to the Health IT Policy Committee, June 16, 2009, prior to examining the Meaningful Use Matrix.

In this posting, we take a high level view of the content of the matrix, reproducing Health Outcomes Policy Priorities, embedded Care Goals, and summary Objectives for each of the years 2011, 2013, and 2015, and Measures for tracking objective performance in each of those years. In the next posting, HIPAA.com reproduces Objectives and Measures for 2011, the first year for which healthcare providers will be eligible for incentives under Medicare.

Meaningful Use Matrix

The meaningful use matrix outlines in Column 1 of eight columns five Health Outcomes Policy Priorities (P), and for each priority, in Column 2, Care Goals (G):

(P) Improve quality, safety, efficiency, and reduce health disparities

» (G) Provide access to comprehensive patient health data for patient’s health care team
» (G) Use evidence-based order sets and CPOE [computerized physician order entering]
» (G) Apply clinical decision support at the point of care
» (G) Generate lists of patients who need care and use them to reach out to patients (e.g., reminders, care instructions, etc.)
» (G) Report to patient registries for quality improvement, public reporting, etc.

(P) Engage patients and families

» (G) Provide patients and families with access to data, knowledge, and tools to make informed decisions and to manage their health

(P) Improve care coordination

» (G) Exchange meaningful clinical information among professional health care team

(P) Improve population and public health

» (G) Communicate with public health agencies

(P) Ensure adequate privacy and security protections for personal health information

» (G) Ensure privacy and security protections for confidential information through operating policies, procedures, and technologies and compliance with applicable law
» (G) Provide transparency of data sharing to patient.

For each set of priorities and embedded goals, there are three combinations of objectives and measures for three years:

» 2011: To electronically capture in coded format and to report health information and to use that information to track key clinical conditions

» 2013: To guide and support care processes and care coordination

» 2015: To achieve and improve performance and support care processes and on key health system outcomes.

The Meaningful Use Preamble from the Health IT Policy Committee recognizes that meaningful use will evolve over time as “considerable gaps in EHR-generated measures available to monitor key desired policy outcomes (e.g., efficiency, patient safety, care coordination)” are closed.  Hence, the objectives and measures for 2013 build on those of 2011, and those of 2015 build on those of the preceding years.

The Centers for Medicare & Medicaid (CMS) expects to issue a notice of proposed rulemaking (NPRM) relating to the EHR adoption incentive program and definition of meaningful use late in 2009.

We provide an excerpt from the beginning of the Executive Summary that highlights “large economic impacts” of health care reform, and the report’s conclusion (Section VII on pp. 38-39) that highlights that the current “American health care system is on an unsustainable path.”

Excerpt from Executive Summary

The Council of Economic Advisers (CEA) has undertaken a comprehensive analysis of the economic impacts of health care reform.  The report provides an overview of current economic impacts of health care in the United States and a forecast of where we are headed in the absence of reform; an analysis of inefficiencies and market failures in the current health care system; a discussion of the key components of health care reform; and an analysis of the economic effects of slowing health care cost growth and expanding coverage.

The findings in the report point to large economic impacts of genuine health care reform:

» We estimate that slowing the annual growth rate of health care costs by 1.5 percentage points would increase real gross domestic product (GDP), relative to the no-reform baseline, by over 2 percent in 2020 and nearly 8 percent in 2030.

» For a typical family of four, this implies that income in 2020 would be approximately $2,600 higher than it would have been without reform (in 2009 dollars), and that in 2030 it would be almost $10,000 higher. Under more conservative estimates of the reduction in the growth rate of health care costs, the income gains are smaller, but still substantial.

» Slowing the growth rate of health care costs will prevent disastrous increases in the Federal budget deficit.

» Slowing cost growth would lower the unemployment rate consistent with steady inflation by approximately one-quarter of a percentage point for a number of years. The beneficial impact on employment in the short and medium run (relative to the no-reform baseline) is estimated to be approximately 500,000 each year that the effect is felt.

» Expanding health insurance coverage to the uninsured would increase net economic well-being by roughly $100 billion a year, which is roughly two-thirds of a percent of GDP.

» Reform would likely increase labor supply, remove unnecessary barriers to job mobility, and help to “level the playing field” between large and small businesses.

Conculsion

The American health care system is on an unsustainable path.  Expenditures as a share of GDP are already substantially higher than in other developed countries, and are projected to grow rapidly in the next three decades.  This growth threatens to have a devastating impact on the growth in workers’ take-home pay and the government budget deficit.  It is also likely to increase the number of Americans without health insurance from its already very high level and thus undermine the health of our population.

Successful health care reform will slow the growth rate of health care costs, maintain choices of doctors and health plans, and expand coverage.  Slowing the growth rate of costs by 1.5 percentage points per year would have a dramatic impact on the trajectory of health care expenditures as a share of GDP over time.  Slowing the growth rate of costs by a smaller amount (0.5 or 1.0 percentage point per year) would have smaller, but still important effects.

Our analysis shows that successful health care reform would have major benefits for the U.S. economy.  Over time, the slowing of cost growth through increased efficiency would bring about substantial increases in Americans’ standard of living.  It will also prevent devastating increases in the budget deficit and raise capital formation.  We estimate that slowing health care cost growth by 1.5 percentage points will increase real GDP in 2030 by nearly 8 percent relative to what would happen without reform.  We also find that slowing cost growth is likely to lower the unemployment rate consistent with steady inflation by roughly one-quarter of a percentage point for an extended period.

The net welfare effects of expanding coverage to the uninsured are also likely to be very large-probably in the range of $100 billion each year.  Genuine reform will also likely increase labor supply, reduce job lock, and aid small businesses.

The kind of reform that will bring about these economic rewards will not be easy.  It will require truly game-changing innovations in many areas.  But, if we can bring about such changes, there will be substantial benefits to American households, businesses, and the economy as a whole.

Section 3012 of the Public Health Service Act (PHSA), as added by the HITECH Act, authorizes a Health Information Technology Extension Program to make assistance available to all providers, but with priority access to Health IT for the uninsured, underinsured, historically underserved and other special-needs populations, and use of that technology to achieve reduction in health disparities.

The major focus for the Centers’ work with most of the providers that they serve will be to help to select and successfully implement certified electronic health records (EHRs). Assistance is NOT limited to new users, but may also be provided to existing EHR users who need technical assistance to achieve “meaningful user” status.

Goals of the HITRC are to: encourage adoption of electronic health records by clinicians and hospitals; assist clinicians and hospitals to become meaningful users of electronic health records; and increase the probability that adopters of electronic health record systems will become meaningful users of the technology.

The centers shall offer to all providers in a designated region access to information and to some level of assistance. The regional centers will become, upon award, members of a consortium that will be coordinated and facilitated by the to-be-established Health Information Technology Research Center.

We expect that each HITRC will provide technical assistance within a defined geographic area, and that each defined geographic area will be served by only one center.

To apply to host a center, an entity may have to:

» Define the geographic region and the provider population within that region it proposes to serve.
» Describe proposed levels and approaches of support for prioritized and other providers to be served.
» Address how the applicant would structure its organization and staffing to enable providers served to have ready access to reasonably local health IT “extension agents” and provide training and on-going support for these critical workers.
» Demonstrate the capacity to facilitate and support cooperation among local providers, health systems, communities, and health information exchanges.
» Propose an efficient and feasible strategy to furnish deep specialized expertise broadly to all providers served and intensive, individualized, “local” presence from an interdisciplinary extension agent to smaller groups of providers assigned to individual agents.

Initially, HITRC would have to provide matching funds, but ONC proposes to exercise the option in the HITECH Act to not require matching funds for awards made in FY 2010. It anticipates providing $1 – $2 million per center, with the largest center receiving a maximum of $10 million.

Centers will begin to be awarded in the first quarter of fiscal year 2010 (October – December 2009), and awards will continue through the end of fiscal year 2010 (September 2010).

The comment period is open for two weeks, and must be received not later than 5 p.m., June 11, 2009. Electronic responses are preferred and should be addressed to HealthIT-comments@hhs.gov.

E9-12419 ONC Guidance on HITRC.pdf

Of the many comments the FTC seeks is to identify entities that would fall under this ruling. We believe this rule will strengthen the trust consumers/patients have in sharing information in their PHRs with their health care providers. Major players entering the PHR market such as Google and Microsoft in March 2009 said HIPAA Privacy and Security Rules did not apply to them, but comments on the FTC’s NPRM may assist in helping the technology giants rethink compliance with privacy and security.  What do you think?

You can read the NPRM here.

Make comments to the NPRM here:

FTC Publishes Proposed Breach Notification Rule for Electronic Health Information

The American Recovery and Reinvestment Act of 2009 (the Recovery Act) includes provisions to advance the use of health information technology and, at the same time, strengthen privacy and security protections for health information. ARRA recognized new types of Web-based entities that collect or handle consumers’ sensitive health information. Some offer personal health records, which consumers can use as an electronic, individually controlled repository for their medical information, a real plus for patients managing chronic illnesses such as diabetes and heart conditions. Other online applications help consumers track and manage information in their personal health records, such as connecting a pedometer to computers and uploading miles traveled, heart rate, and other data. Patients with cancer can enter chemotherapy regimens, scheduled appointments, tumor staging, and recovery plans, a critical tool for cancer survivors. These innovations have the potential to provide numerous benefits for consumers, which can only be realized if they have confidence that the security and confidentiality of their health information will be maintained.

In keeping with the Recovery Act, the proposed rule requires vendors of personal health records and related entities to provide notice to consumers following a breach. The proposed rule also stipulates that if a service provider to one of these entities experiences a breach, it must notify the entity, which in turn must notify consumers of the breach. The proposed rule contains additional requirements governing the standard for what triggers the notice, as well as the timing, method, and content of notice. It also requires entities covered by the proposed rule to notify the FTC of any breaches. The FTC can then post information about the breaches on its Web site, and notify the Secretary of Health and Human Services.

With respect to the scope of the proposed rule, the Commission seeks comment on (1) the nature of entities to which its proposed rule would apply; (2) the particular products and services they offer; (3) the extent to which vendors of personal health records, PHR related entities, and third party service providers may be HIPAA-covered entities or business associates of HIPAA-covered entities; (4) whether some vendors of personal health records may have a dual role as a business associate of a HIPAA-covered entity and a direct provider of personal health records to the public; and (5) circumstances in which such a dual role might lead to consumers’ receiving multiple breach notices or receiving breach notices from an unexpected entity, and whether and how the rule should address such circumstances.

With passage of the American Recovery and Reinvestment Act (ARRA), privacy and security compliance increased significantly with business associates immediately required to comply directly with many of HIPAA’s rules. It also dramatically expanded other remedial actions (such as increasing federal government audits; granting attorneys fees in some HIPAA lawsuits; and allowing a method for individuals to recover penalties under HIPAA). Business associates also are subject to civil and criminal penalties , including a provision that allows individuals to receive financial compensation for the violation.

If you are a business associate, your “To-Do” list looks similar to the list the covered entities complied with in 2004. These tasks include: appointing a Security Official; developing written policies and procedures, including physical safeguards, (such as locking computers that contain EPHI), and technical safeguards (such as encrypting emails); and training workforce on how to protect electronic protected health information (“EPHI”). Also, effective immediately:

» You are required to notify each individual affected by a security breach by mail, or if specified as preference, by email.
» If you don’t have contact information for that individual, you may be required to post notice of the breach on your website, in newspapers, or other broadcast media.
» For breaches involving more than 500 residents in one area, you must notify a “prominent media outlet.”
» You also must contact the Department of Health and Human Services. DHHS is establishing a website listing these breaches. There is an exception for certain unintentional breaches. Consult a health law attorney if you have any questions or concerns about building your policies and procedures, or tasks assigned to the Security Official.

Penalties for ePHI Violations

Application of the Security Rule to business associates of covered entities is a significant change. Previously, if there were a breach involving a business associate of which the covered entity were aware, then the covered entity could just terminate the contract if the breach was not remedied. Responsibility and liability rested with the covered entity. With the change in the HITECH privacy provisions of ARRA, the business associate now has responsibility and liability directly for a breach. A breach requires notification, which is triggered when there is an incident of “unsecured protected health information.” The Secretary of HHS is required to issues guidance on what constitutes “unsecured protected health information” within 6o days of February 17, 2009. In the absence of such guidance in the time specified, then a default definition pertaining to a failure of encryption as endorsed by the National Institute of Standards and Technology (NIST) of such information obtains. The notification provision requires both covered entities and business associates to notify affected parties directly and individually in a timely manner, and to use appropriate public media for cases involving over 500 individuals. This is a specification that was not defined under HIPAA Administrative Simplification. Increased penalties for a breach by a covered entity are immediately effective and will be outlined in a subsequent posting.

Covered entities should notify their business associates of the security rule, notification, and enforcement penalty changes in ARRA, and begin working on a plan to revise their business associate contracts to reflect the changes. HIPAA.com has started a series that will review over the coming weeks each of the administrative, physical, and technical standards and implementation specifications of the Security Rule. Earlier this week, we discussed the risk analysis as part of the security management process, and complete discussion of that security standard with three additional implementation specifications of that standard.

• Download (Requires Acrobat Reader)

In the meantime, we know that health information policy and privacy/security provisions will be included in the final version of the ARRA legislation. Accordingly, we believe that now is a good time to think about reviewing your security plan for securing electronic protected health information. Remember, this applies to all covered entities, who are required to safeguard electronic protected health information under the HIPAA Administrative Simplification Security Rule, and electronic, oral, and written protected health information under the HIPAA Administrative Simplification Privacy Rule. The definition of covered entity in a final ARRA bill may extend the definition and responsibilities of a covered entity to business associates. So, to get started, the first task would be to review your risk management program. Start by reviewing the 2008 Revision of NIST Guide for Implementing HIPAA Security Rule available at HIPAA.com, and your written risk assessment analysis that is required of covered entities.

Risk management is the process of evaluating threats and vulnerabilities, and then designing a strategy for handling and mitigating those threats and vulnerabilities. The foundation of your security plan is based on conducting your risk assessment, and periodically reviewing and updating it.

Three principles provide the foundation for security of electronic health information:

» Integrity: information has not been altered or destroyed without proper authorization.

» Confidentiality: information is only available or disclosed to persons authorized to receive it.

» Availability: information is accessible and useable upon demand by authorized persons.

» Each of these principles underlie security in administrative, technical, and physical standards.

• Download (Requires Acrobat Reader)

• Download (Requires Acrobat Reader)