<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>HIPAA.com</title>
	<atom:link href="http://www.hipaa.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.hipaa.com</link>
	<description>Know your 5010 from your ICD-10</description>
	<lastBuildDate>Thu, 05 Jan 2012 18:49:56 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>IFR for HIPAA EFT Standard to be Published in Federal Register January 10, 2012</title>
		<link>http://www.hipaa.com/2012/01/ifr-for-hipaa-eft-standard-to-be-published-in-federal-register-january-10-2012/</link>
		<comments>http://www.hipaa.com/2012/01/ifr-for-hipaa-eft-standard-to-be-published-in-federal-register-january-10-2012/#comments</comments>
		<pubDate>Thu, 05 Jan 2012 18:49:56 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Health Care Reform]]></category>
		<category><![CDATA[Transactions & Code Sets]]></category>
		<category><![CDATA[Administrative Simplification]]></category>
		<category><![CDATA[Affordable Care Act]]></category>
		<category><![CDATA[comment period]]></category>
		<category><![CDATA[DEPARTMENT OF HEALTH AND HUMAN SERVICES]]></category>
		<category><![CDATA[EFT]]></category>
		<category><![CDATA[electronic funds transfers]]></category>
		<category><![CDATA[Federal Register]]></category>
		<category><![CDATA[Health Insurance Portability and Accountability Act of 1996]]></category>
		<category><![CDATA[HHS]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[IFR]]></category>
		<category><![CDATA[Interim Final Rule]]></category>
		<category><![CDATA[January 1 2014]]></category>
		<category><![CDATA[Office of Management and Budget]]></category>
		<category><![CDATA[OMB]]></category>
		<category><![CDATA[operating rules]]></category>
		<category><![CDATA[Patient Protection and Affordable Care Act of 2010]]></category>
		<category><![CDATA[Public Law 111-148]]></category>
		<category><![CDATA[Regulatory Review]]></category>
		<category><![CDATA[remittance advice]]></category>
		<category><![CDATA[section 1104]]></category>
		<category><![CDATA[Standards]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2548</guid>
		<description><![CDATA[HIPAA.com discussed in its preceding posting this Interim Final Rule (IFR) for "adoption of standards and operating rules for Electronic Funds Transfers (EFT) and operating rules for remittance advice...", as required by the Patient Protection and Affordable Care Act of 2010 (Public Law 111-148).  [124 STAT. 153] The Office of Management and Budget (OMB) completed its regulatory review on January 3, 2012, and the IFR is available for pre-publication review prior to January 10, 2012, when it will be published in the Federal Register.  The title of the IFR is:  Administrative Simplification:  Adoption of Standards for Health Care Electronic Funds Transfers (EFTs) and Remittance Advice.  ]]></description>
			<content:encoded><![CDATA[<p>HIPAA.com discussed in its preceding posting this Interim Final Rule (IFR) for &#8220;adoption of standards and operating rules for Electronic Funds Transfers (EFT) and operating rules for remittance advice&#8230;&#8221;, as required by the Patient Protection and Affordable Care Act of 2010 (<a href="http://www.gpo.gov/fdsys/pkg/PLAW-111publ148/pdf/PLAW-111publ148.pdf" target="_blank">Public Law 111-148</a>).  [124 STAT. 153] The Office of Management and Budget (OMB) completed its <a href="http://www.reginfo.gov/public/do/eAgendaViewRule?pubId=201104&amp;RIN=0938-AQ11" target="_blank">regulatory review</a> on January 3, 2012, and the IFR is available for <a href="http://www.ofr.gov/OFRUpload/OFRData/2012-00132_PI.pdf" target="_blank">pre-publication review</a> prior to January 10, 2012, when it will be published in the <em>Federal Register</em>.  The title of the IFR is: <em>Administrative Simplification:  Adoption of Standards for Health Care Electronic Funds Transfers (EFTs) and Remittance Advice</em>.</p>
<p>The Summary in the pre-publication version states: &#8220;This interim final rule with comment period implements parts of section 1104 of the Affordable Care Act which requires adoption of a standard for electronic funds transfers (EFT).  It defines EFT and explains how the adopted standards support and facilitate health care EFT transmissions.&#8221;  These standards relate to Administrative Simplification transactions under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).</p>
<p>Comments must be received by the Department of Health and Human Services (HHS) within 60 days of the publication date of the IFR, with instructions for submitting comments included in the front material of the IFR.  The compliance date for the IFR is January 1, 2014.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2012/01/ifr-for-hipaa-eft-standard-to-be-published-in-federal-register-january-10-2012/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>IFR for EFT at OMB</title>
		<link>http://www.hipaa.com/2011/12/ifr-for-eft-at-omb/</link>
		<comments>http://www.hipaa.com/2011/12/ifr-for-eft-at-omb/#comments</comments>
		<pubDate>Fri, 16 Dec 2011 16:43:18 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Health Care Reform]]></category>
		<category><![CDATA[Transactions & Code Sets]]></category>
		<category><![CDATA[Administrative Simplification]]></category>
		<category><![CDATA[Affordable Care Act of 2010]]></category>
		<category><![CDATA[Centers for Medicare & Medicaid Services]]></category>
		<category><![CDATA[clerical burden]]></category>
		<category><![CDATA[CMS]]></category>
		<category><![CDATA[DEPARTMENT OF HEALTH AND HUMAN SERVICES]]></category>
		<category><![CDATA[effective date]]></category>
		<category><![CDATA[EFT]]></category>
		<category><![CDATA[electronic funds transfers]]></category>
		<category><![CDATA[electronic transmission]]></category>
		<category><![CDATA[Federal Register]]></category>
		<category><![CDATA[health care providers]]></category>
		<category><![CDATA[health plans]]></category>
		<category><![CDATA[HHS]]></category>
		<category><![CDATA[IFR]]></category>
		<category><![CDATA[Interim Final Rule]]></category>
		<category><![CDATA[Office of Management and Budget]]></category>
		<category><![CDATA[OMB]]></category>
		<category><![CDATA[operating rules]]></category>
		<category><![CDATA[PATIENTS]]></category>
		<category><![CDATA[Public Law 111-148]]></category>
		<category><![CDATA[remittance advice]]></category>
		<category><![CDATA[section 1104]]></category>
		<category><![CDATA[Standards]]></category>
		<category><![CDATA[statute]]></category>
		<category><![CDATA[uniform standards]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2541</guid>
		<description><![CDATA[The Centers for Medicare &#038; Medicaid Services (CMS) of the Department of Health and Human Services (HHS) has sent to the Office of Management and Budget (OMB) its Interim Final Rule (IFR) for adoption of standards and operating rules for Electronic Funds Transfers (EFT) and operating rules for remittance advice. Following review by OMB, the IFR is expected to be published in the Federal Register before January 1, 2012, as required by statute [124 STAT. 153]]]></description>
			<content:encoded><![CDATA[<p>The Centers for Medicare &amp; Medicaid Services (CMS) of the Department of Health and Human Services (HHS) has sent to the Office of Management and Budget (OMB) its Interim Final Rule (IFR) for &#8220;adoption of standards and operating rules for Electronic Funds Transfers (EFT) and operating rules for remittance advice&#8230;.&#8221; Following the December 15 <a href="http://www.reginfo.gov/public/do/eoReviewSearch;jsessionid=9f8e89cb30d6629880f6e52c48fba32eda59be7d2899.e34ObxiKbN0Sci0Lch8Ma3eKa30Re6fznA5Pp7ftolbGmkTy" target="_blank">receipt</a> and subsequent review of the IFR by OMB, the IFR is expected to be published in the <em>Federal Register </em>before January 1, 2012, as required by the Affordable Care Act of 2010 (<a href="http://www.gpo.gov/fdsys/pkg/PLAW-111publ148/pdf/PLAW-111publ148.pdf" target="_blank">Public Law 111-148</a>). [124 STAT. 153]</p>
<p>The legal authority for the IFR is Section 1104 (Administrative Simplification) of the Affordable Care Act.  Section 1104 amends the Purpose of Administrative Simplification, as indicated in bold here: &#8220;To improve efficiency and effectiveness of the health care system, by encouraging the development of a health information system through the establishment of <strong>uniform</strong> standards and requirements for the electronic transmission of certain health information <strong>and to reduce the clerical burden on patients, health care providers, and health plans</strong>.&#8221; [124 STAT. 146]  Section 1104 also requires that a new Administrative Simplification Electronic Funds Transfers Standard and Operating Rule be adopted on an effective date &#8220;not later than January 1, 2012, in a manner ensuring that such standard is effective not later than January 1, 2014,&#8221; which may be &#8220;on an interim final basis.&#8221;  [124 STAT. 153 and 149, respectively] The compliance date for health plans is &#8220;not later than the effective date of the applicable standard or operating rule,&#8221; which would be in this case December 31, 2013. [124 STAT. 150]</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2011/12/ifr-for-eft-at-omb/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>CMS Initiates 90-Day Enforcement Discretion for 5010 Compliance</title>
		<link>http://www.hipaa.com/2011/11/cms-initiates-90-day-enforcement-discretion-for-5010-compliance/</link>
		<comments>http://www.hipaa.com/2011/11/cms-initiates-90-day-enforcement-discretion-for-5010-compliance/#comments</comments>
		<pubDate>Fri, 18 Nov 2011 13:52:44 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[5010 Version]]></category>
		<category><![CDATA[Enforcement]]></category>
		<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Transactions & Code Sets]]></category>
		<category><![CDATA[5010 Final Rule]]></category>
		<category><![CDATA[ASC X12]]></category>
		<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[business associate]]></category>
		<category><![CDATA[Centers for Medicare & Medicaid Services]]></category>
		<category><![CDATA[CMS]]></category>
		<category><![CDATA[complaint]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[contingency period]]></category>
		<category><![CDATA[covered entities]]></category>
		<category><![CDATA[D.0]]></category>
		<category><![CDATA[evidence]]></category>
		<category><![CDATA[filed-against entities]]></category>
		<category><![CDATA[good faith effort]]></category>
		<category><![CDATA[health plans]]></category>
		<category><![CDATA[healthcare clearinghouse]]></category>
		<category><![CDATA[healthcare provider]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HIPAA Privacy]]></category>
		<category><![CDATA[HIPAA security]]></category>
		<category><![CDATA[January 1 2012]]></category>
		<category><![CDATA[management]]></category>
		<category><![CDATA[Medicaid Subrogation 3.0]]></category>
		<category><![CDATA[NCPDP]]></category>
		<category><![CDATA[OCR]]></category>
		<category><![CDATA[OESS]]></category>
		<category><![CDATA[Office for Civil Rights]]></category>
		<category><![CDATA[Office of E-Health Standards and Services]]></category>
		<category><![CDATA[Privacy Official]]></category>
		<category><![CDATA[protected health information]]></category>
		<category><![CDATA[readiness]]></category>
		<category><![CDATA[safeguard]]></category>
		<category><![CDATA[Security Official]]></category>
		<category><![CDATA[software upgrades]]></category>
		<category><![CDATA[testing]]></category>
		<category><![CDATA[trading partners]]></category>
		<category><![CDATA[Transaction Standards]]></category>
		<category><![CDATA[vendor]]></category>
		<category><![CDATA[version 5010]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2533</guid>
		<description><![CDATA[The Centers for Medicare &#038; Medicaid Services (CMS) Office of E-Health Standards and Services (OESS) is responsible for enforcement of compliance with electronic transaction standards.  January 1, 2012, is the date for covered entities to achieve compliance with ASC X12 Version 5010, NCPDP Telecom D.0, and NCPDP Medicaid Subrogation 3.0 transaction standards. CMS announced on November 17, 2011, that "[w]hile enforcement action will not be taken [from January 1-March 31, 2012], OESS will continue to accept complaints associated with compliance with Version 5010, NCPDP D.0 and NCPDP 3.0 transaction standards during the 90-day period....  If requested by OESS, covered entities that are the subject of complaints (known as 'filed-against entities') must produce evidence of either compliance or a good faith effort to become compliant with the new HIPAA [version] standards during the 90-day period." [emphasis added]]]></description>
			<content:encoded><![CDATA[<p>January 1, 2012, is the date for covered entities to achieve compliance with ASC X12 Version 5010, NCPDP Telecom D.0, and NCPDP Medicaid Subrogation 3.0 <a href="http://www.cms.gov/Versions5010andD0" target="_blank">transaction standards</a>. Covered entities include healthcare providers, health plans, and healthcare clearinghouses. Small health plans have until January 1, 2013, to comply with the NCPDP Medicaid Subrogation 3.0 standard.</p>
<p>The Centers for Medicare &amp; Medicaid Services (CMS) Office of E-Health Standards and Services (OESS) is responsible for enforcement of compliance with electronic transaction standards.  CMS <a href="http://www.cms.gov/ICD10/Downloads/CMSStatement5010EnforcementDiscretion111711.pdf" target="_blank">announced</a> on November 17, 2011, that &#8220;[w]hile enforcement action will not be taken [from January 1-March 31, 2012], OESS will continue to accept complaints associated with compliance with Version 5010, NCPDP D.0 and NCPDP 3.0 transaction standards during the 90-day period&#8230;.  If requested by OESS, covered entities that are the subject of complaints (known as &#8216;filed-against entities&#8217;) <strong>must produce evidence of either compliance or a good faith effort to become compliant </strong>with the new HIPAA [version] standards during the 90-day period.&#8221; [emphasis added]</p>
<p>CMS further stated: &#8220;OESS made the decision for a discretionary enforcement period based on industry feedback revealing that, with only about 45 days remaining before the January 1, 2012 compliance date, <strong>testing between some covered entities and their trading partners has not yet reached a threshold whereby a majority of covered entities would be able to be in compliance by January 1</strong>. [emphasis added] Feedback indicates that the number of submitters, the volume of transactions, and other testing data used as indicators of the industry&#8217;s readiness to comply with the new standards have been low across some industry sectors.  OESS has also received reports that many covered entities are still awaiting software upgrades.&#8221;</p>
<p>CMS also allowed a <em>near last minute compliance contingency period</em> in July 2003, just prior to the October 16, 2003, compliance date for the current version of HIPAA transaction standards.  This allowance of a <em>contingency period </em>runs counter to the discussion in the <a href="http://edocket.access.gpo.gov/2009/pdf/E9-740.pdf" target="_blank">5010 Final Rule</a>, but given the degree of readiness described in the preceding paragraph it is understandable, as many covered entities rely on <em><strong>outside</strong></em> vendors to provide software updates.  At some point, and certainly after a shorter interval than the first contingency period, CMS can be expected to issue an announcement similar to the one it issued on <a href="http://www.zolldata.com/uploadedFiles/ZOLL_Data_Management/Products/CMSHIPAAContingencyDiscontinued.pdf" target="_blank">August 4, 2005</a>:  after a date certain, CMS &#8220;[would] not process incoming non-HIPAA-compliant electronic Medicare Claims.&#8221;</p>
<p>Nevertheless, covered entities (and their business associates) should not assume that the Office for Civil Rights (OCR), responsible for HIPAA privacy and security enforcement, would provide a similar <em>near last minute compliance contingency period </em>for the forthcoming <a href="http://www.reginfo.gov/public/do/eAgendaViewRule?pubId=201104&amp;RIN=0991-AB80" target="_blank">Omnibus HIPAA/HITECH Act Privacy, Security, Breach Notification, and Enforcement Rules</a>, which OCR has indicated on several occasions would be published in the <em>Federal Register </em>by year-end 2011, with compliance expected 240 days after publication. We have discussed these Rules in recent HIPAA.com posts.  Unlike the CMS-enforced transaction standards, the OCR-enforced privacy and security standards for safeguarding protected health information are <em><strong>inside</strong> </em>responsibilities of management and of the Privacy and Security Officials of covered entities and their business associates, who know their operational workflows best and can identify threats and vulnerabilities to electronic systems containing protected health information.  The common element is that ultimately compliance is the obligation of the covered entity, and achieving timely compliance with transaction standards in early 2012 and with privacy and security standards later in 2012 should be a strategic focus.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2011/11/cms-initiates-90-day-enforcement-discretion-for-5010-compliance/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>OCR Announces November 2011 Start of Privacy and Security Compliance Audits</title>
		<link>http://www.hipaa.com/2011/11/ocr-announces-november-2011-start-of-privacy-and-security-compliance-audits/</link>
		<comments>http://www.hipaa.com/2011/11/ocr-announces-november-2011-start-of-privacy-and-security-compliance-audits/#comments</comments>
		<pubDate>Wed, 09 Nov 2011 17:26:48 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[Enforcement]]></category>
		<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[accountability]]></category>
		<category><![CDATA[American Recovery and Reinvestment Act of 2009]]></category>
		<category><![CDATA[audit protocols]]></category>
		<category><![CDATA[audit report]]></category>
		<category><![CDATA[best practice]]></category>
		<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[business associates]]></category>
		<category><![CDATA[complaint investigation]]></category>
		<category><![CDATA[compliance audit]]></category>
		<category><![CDATA[compliance review]]></category>
		<category><![CDATA[corrective actions]]></category>
		<category><![CDATA[covered entities]]></category>
		<category><![CDATA[DEPARTMENT OF HEALTH AND HUMAN SERVICES]]></category>
		<category><![CDATA[documentation]]></category>
		<category><![CDATA[final rules]]></category>
		<category><![CDATA[guidance]]></category>
		<category><![CDATA[HHS]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HIPAA Enforcement Rule]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[HITECH Act Section 13411]]></category>
		<category><![CDATA[OCR]]></category>
		<category><![CDATA[Office for Civil Rights]]></category>
		<category><![CDATA[PHI]]></category>
		<category><![CDATA[pilot]]></category>
		<category><![CDATA[policies and procedures]]></category>
		<category><![CDATA[protected health information]]></category>
		<category><![CDATA[risk assessment]]></category>
		<category><![CDATA[risk mitigation]]></category>
		<category><![CDATA[rule modifications]]></category>
		<category><![CDATA[site visit]]></category>
		<category><![CDATA[standard]]></category>
		<category><![CDATA[technical assistance]]></category>
		<category><![CDATA[Training]]></category>
		<category><![CDATA[vulnerabilities]]></category>
		<category><![CDATA[workforce member]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2526</guid>
		<description><![CDATA[The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for privacy and security enforcement under Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH) Act provisions. OCR has announced that it is initiating compliance audits beginning this month, as authorized by the HITECH Act.  This action precedes the imminent release of the Final HIPAA/HITECH Act Privacy, Security, Breach Notification, and Enforcement Rules, expected before the end of 2011, and will strengthen enforcement and accountability for compliance with existing and forthcoming Rule modifications.   To avoid the consequences of potential penalties for non-compliance, covered entities and business associates must now pay immediate attention to conducting a new or reviewing an existing risk assessment of threat and vulnerability to protected health information (PHI), mitigating identified risks through privacy and security safeguard policies and procedures, training their workforce members to safeguard privacy and security of PHI, and documenting those actions in writing.]]></description>
			<content:encoded><![CDATA[<p>The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for privacy and security enforcement under Health Insurance Portability and Accountability Act (<a href="http://www.hhs.gov/ocr/privacy/hipaa/administrative/index.html" target="_blank">HIPAA</a>) and Health Information Technology for Economic and Clinical Health (HITECH) Act provisions. OCR has announced that it is initiating <em>compliance audits</em> beginning this month, as authorized by the <a href="http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hitechact.pdf" target="_blank">HITECH Act</a>.  This action precedes the imminent release of the <a href="http://www.reginfo.gov/public/do/eAgendaViewRule?pubId=201104&amp;RIN=0991-AB80" target="_blank">Final HIPAA/HITECH Act Privacy, Security, Breach Notification, and Enforcement Rules</a>, expected before the end of 2011, and will strengthen <a href="http://www.hhs.gov/ocr/privacy/hipaa/enforcement/process/howocrenforces.html" target="_blank">enforcement</a> and accountability for compliance with existing and forthcoming Rule modifications.   To avoid the consequences of potential penalties for non-compliance, covered entities and business associates must now pay immediate attention to conducting a new or reviewing an existing <a href="http://www.nist.gov/healthcare/security/hipaasecurity.cfm" target="_blank">risk assessment</a> of threat and vulnerability to protected health information (PHI), mitigating identified risks through privacy and security safeguard <a href="http://www.hipaarms.com" target="_blank">policies and procedures</a>, <a href="http://ama.hipaaschool.com" target="_blank">training</a> their workforce members to safeguard privacy and security of PHI, and documenting those actions in writing.</p>
<p>OCR describes its audit procedures on its <a href="http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html" target="_blank">Web site</a>, including providing a <a href="http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/sample-ocr_notification_ltr.pdf" target="_blank">sample letter of notification of audit</a>.  We reproduce here for your information a selection of the information available on that site:</p>
<p><strong>&#8220;Overview: </strong> The American Recovery and Reinvestment Act of 2009, in Section 13411 of the HITECH Act, requires HHS to provide for periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards.  To implement this mandate, OCR is piloting a program to perform up to 150 audits of covered entities to assess privacy and security compliance.   Audits conducted during the pilot phase will begin November 2011 and conclude by December 2012.</p>
<p><strong>Program Objectives:</strong> The audit program serves as a new part of OCR’s health information privacy and security compliance program. OCR will use the audit program to assess HIPAA compliance efforts by a range of covered entities. Audits present a new opportunity to examine mechanisms for compliance, identify best practices and discover risks and vulnerabilities that may not have come to light through OCR’s ongoing complaint investigations and compliance reviews. OCR will broadly share best practices gleaned through the audit process and guidance targeted to observed compliance challenges via this web site and other outreach portals.</p>
<p><strong>When Will Audits Begin? </strong>The pilot audit program is a three-step process. The first step entailed developing the audit protocols. Next, a limited number of audits will be conducted in an initial wave to test these protocols. <strong>OCR expects the initial audits to begin in November 2011</strong> [emphasis added]. The results of the initial audits will inform how the rest of the audits will be conducted. The last step will include conducting the full range of audits using revised protocol materials. All audits in this pilot will be completed by the end of December, 2012.</p>
<p><strong>Who Will Be Audited? </strong><strong>Every covered entity and business associate is eligible for an audit</strong> [emphasis added].  Selections in the initial round will be designed to provide a broad assessment of a complex and diverse health care industry. OCR is responsible for selection of the entities that will be audited. OCR will audit as wide a range of types and sizes of covered entities as possible; covered individual and organizational providers of health services, health plans of all sizes and functions, and health care clearinghouses may all be considered for an audit. We expect covered entities to provide the auditors their full cooperation and support and remind them of their cooperation obligations under the HIPAA Enforcement Rule.  Business Associates will be included in future audits.</p>
<p><strong>How Will the Audit Program Work? </strong>The privacy and security performance audit process will include generally familiar audit mechanisms. Entities selected for an audit will be informed by OCR of their selection and asked to provide documentation of their privacy and security compliance efforts. In this pilot phase, <strong>every audit will include a site visit and result in an audit report </strong>[emphasis added]. During site visits, auditors will interview key personnel and observe processes and operations to help determine compliance. Following the site visit, auditors will develop and share with the entity a draft report; audit reports generally describe how the audit was conducted, what the findings were and what actions the covered entity is taking in response to those findings. Prior to finalizing the report, the covered entity will have the opportunity to discuss concerns and describe corrective actions implemented to address concerns identified. The final report submitted to OCR will incorporate the steps the entity has taken to resolve any compliance issues identified by the audit, as well as describe any best practices of the entity.</p>
<p><strong>What is the General Timeline for an Audit? </strong>When a covered entity is selected for an audit, OCR will notify the covered entity in writing. The OCR notification letter will introduce the audit contractor, explain the audit process and expectations in more detail, and describe initial document and information requests. It will also specify how and when to return the requested information to the auditor. <strong>OCR expects covered entities and business associates who are the subject of the audit to provide requested information within 10 business days of the request for information </strong>[emphasis added].</p>
<p>OCR expects to notify selected covered entities between 30 and 90 days prior to the anticipated onsite visit. Onsite visits may take between 3 and 10 business days depending upon the complexity of the organization and the auditor’s need to access materials and staff. After fieldwork is completed, the auditor will provide the covered entity with a draft final report; a covered entity will have 10 business days to review and provide written comments back to the auditor. The auditor will complete a final audit report within 30 business days after the covered entity’s response and submit it to OCR.</p>
<p><strong>What Happens After an Audit? </strong>Audits are primarily a compliance improvement activity. OCR will review the final reports, including the findings and actions taken by the audited entity to address findings. The aggregated results of the audits will enable OCR to better understand compliance efforts with particular aspects of the HIPAA Rules. Generally, OCR will use the audit reports to determine what types of technical assistance should be developed, and what types of corrective action are most effective. Should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to address the problem. OCR will not post a listing of audited entities or the findings of an individual audit, which clearly identifies the audited entity.</p>
<p><strong>How Will Consumers Be Affected? </strong>The audit program represents one more avenue by which OCR ensures compliance with HIPAA protections of health information to the benefit of consumers. For example, the audit program may uncover reasons many health information breaches are occurring and help OCR create tools for covered entities to better protect individually identifiable health information. Concerns about compliance identified and corrected by an audit will serve to improve the privacy and security of health records. The technical assistance and best practices that OCR generates will also assist covered entities and business associates in improving their efforts to keep health records safe and secure. OCR continues to accept complaints from individuals and covered entities continue to have the obligation to accept complaints from persons about their HIPAA Rule activities.<strong>&#8221;</strong></p>
<p>You may wish to visit the OCR audit Web page to view graphical timelines that are discussed but not shown here.</p>
<p>Again, HIPAA.com recommends that covered entities and business associates ensure that they are able to demonstrate compliance by having readily available documented evidence of:   a current risk assessment; implemented administrative, physical, and technical safeguard policies and procedures for mitigating risk to protected health information (PHI); and completed training of workforce members (including management) on those safeguards.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2011/11/ocr-announces-november-2011-start-of-privacy-and-security-compliance-audits/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HITECH Act Breached Individuals Skyrocket in Latest OCR Web Site Posting</title>
		<link>http://www.hipaa.com/2011/11/hitech-act-breached-individuals-skyrocket-in-latest-ocr-web-site-posting/</link>
		<comments>http://www.hipaa.com/2011/11/hitech-act-breached-individuals-skyrocket-in-latest-ocr-web-site-posting/#comments</comments>
		<pubDate>Fri, 04 Nov 2011 15:09:51 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[Enforcement]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[$214]]></category>
		<category><![CDATA[accountability]]></category>
		<category><![CDATA[backup tapes]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[breach investigation]]></category>
		<category><![CDATA[breach notification rule]]></category>
		<category><![CDATA[business associate]]></category>
		<category><![CDATA[complaint investigation]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[compliance audit]]></category>
		<category><![CDATA[covered entity]]></category>
		<category><![CDATA[customer goodwill]]></category>
		<category><![CDATA[damage to reputation]]></category>
		<category><![CDATA[discovery of breach]]></category>
		<category><![CDATA[electronic device]]></category>
		<category><![CDATA[electronic media]]></category>
		<category><![CDATA[encrypt]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[lost]]></category>
		<category><![CDATA[lost business]]></category>
		<category><![CDATA[mitigating risk]]></category>
		<category><![CDATA[mobile electronic device or media]]></category>
		<category><![CDATA[Nemours]]></category>
		<category><![CDATA[OCR]]></category>
		<category><![CDATA[Office for Civil Rights]]></category>
		<category><![CDATA[PHI]]></category>
		<category><![CDATA[policies and procedures]]></category>
		<category><![CDATA[Ponemon Institute]]></category>
		<category><![CDATA[protected health information]]></category>
		<category><![CDATA[remediation]]></category>
		<category><![CDATA[risk assessment]]></category>
		<category><![CDATA[safeguard]]></category>
		<category><![CDATA[Training]]></category>
		<category><![CDATA[TRICARE]]></category>
		<category><![CDATA[workforce member]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2509</guid>
		<description><![CDATA[On November 4, 2011, OCR reported a total of 364 such breaches, up from 345 in its previous post in October.  The 364 breaches have impacted 18,190,451 persons in breaches reported by covered entities from September 22, 2009—the day prior to the effective date of the Breach Notification Rule—to September 14, 2011.   The increase of 6,230,963 impacted individuals represents a skyrocketing jump of just over 52% from the 11,959,488 accounted for in the October post of 345 breaches.  The growing number of individuals affected by privacy and security breaches heightens the need by OCR to issue the Final Privacy, Security, Breach Notification, and Enforcement Rules and strengthen enforcement and accountability through compliance audits and complaint and breach investigations to ensure compliance with those Rules. Covered entities and business associates must pay more attention to conducting risk assessments and mitigating risks through privacy and security safeguard policies and procedures, and especially training their workforce members to safeguard electronic, hardware, devices, and media containing protected health information (PHI).  Investment now in HIPAA/HITECH Act privacy and security safeguards to minimize risk to PHI is a cost-effective and wise investment, especially in ENCRYPTING YOUR PHI on mobile and portable electronic devices and media with a high likelihood of being lost or stolen.]]></description>
			<content:encoded><![CDATA[<p style="padding-top: 0px; padding-right: 0px; padding-bottom: 16px; padding-left: 0px; margin-top: 0px; margin-right: 3px; margin-bottom: 0px; margin-left: 0px; line-height: 21.5px; font-size: 13px; color: #333333;">Under the Health Information Technology for Economic and Clinical Health Act (<a href="http://www.hipaasurvivalguide.com/hitech-act-text.php" target="_blank">HITECH Act</a>), enacted as part of the American Recovery and Reinvestment Act of 2009, covered entities are required to report to the Secretary of the U.S. Department of Health and Human Services (HHS) any privacy or security breach affecting 500 or more individuals within 60 days of discovery of the breach by the covered entity or its business associate.  The HHS Office for Civil Rights (OCR), which is responsible for privacy and security enforcement under the Health Insurance Portability and Accountability Act (HIPAA) and HITECH Act provisions that strengthened privacy and security enforcement, is required to post those breaches on its <a href="http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html" target="_blank">Web site</a>.</p>
<p style="padding-top: 0px; padding-right: 0px; padding-bottom: 16px; padding-left: 0px; margin-top: 0px; margin-right: 3px; margin-bottom: 0px; margin-left: 0px; line-height: 21.5px; font-size: 13px; color: #333333;">On November 4, 2011, OCR reported a total of 364 such breaches, up from 345 in its previous post in October.  The 364 breaches have impacted 18,190,451 persons in breaches reported by covered entities from September 22, 2009—the day prior to the effective date of the Breach Notification Rule—to September 14, 2011.   The increase of 6,230,963 impacted individuals represents a skyrocketing jump of just over 52% from the 11,959,488 accounted for in the October post of 345 breaches.  Two breaches accounted for most of that increase: TRICARE Management Activity (Virginia) loss of backup tapes on September 13, 2011, impacting 5,117,799 individuals; and The Nemours Foundation (Florida) loss of backup tapes on August 10, 2011, impacting 1,055,489 individuals.  The TRICARE breach also involved a business associate.  Overall, just under 20% of the reported breaches involve a business associate.</p>
<p style="padding-top: 0px; padding-right: 0px; padding-bottom: 16px; padding-left: 0px; margin-top: 0px; margin-right: 3px; margin-bottom: 0px; margin-left: 0px; line-height: 21.5px; font-size: 13px; color: #333333;">As HIPAA.com has reported before from an analysis of the breach data on the OCR Web site, 3 of 4 breaches involve electronic devices and media and 1 in 4 involve hard copy media, such as paper records and x-ray films.  Of the electronic breaches, approximately 3 of 5 involve mobile or portable devices or media, but they represent over 92% of reported theft or loss in electronic breaches.</p>
<p style="padding-top: 0px; padding-right: 0px; padding-bottom: 16px; padding-left: 0px; margin-top: 0px; margin-right: 3px; margin-bottom: 0px; margin-left: 0px; line-height: 21.5px; font-size: 13px; color: #333333;">The growing number of individuals affected by privacy and security breaches heightens the need by OCR to issue the <a href="http://www.reginfo.gov/public/do/eAgendaViewRule?pubId=201104&amp;RIN=0991-AB80" target="_blank">Final Privacy, Security, Breach Notification, and Enforcement Rules</a> and strengthen enforcement and accountability through compliance audits and complaint and breach investigations to ensure compliance with those Rules. Covered entities and business associates must pay more attention to conducting <a href="http://www.nist.gov/healthcare/security/hipaasecurity.cfm" target="_blank">risk assessments</a> and mitigating risks through <a href="http://www.hipaarms.com" target="_blank">privacy and security safeguard policies and procedures</a>, and especially <a href="http://ama.hipaaschool.com" target="_blank">training</a> their workforce members to safeguard electronic, hardware, devices, and media containing protected health information (PHI).</p>
<p style="padding-top: 0px; padding-right: 0px; padding-bottom: 16px; padding-left: 0px; margin-top: 0px; margin-right: 3px; margin-bottom: 0px; margin-left: 0px; line-height: 21.5px; font-size: 13px; color: #333333;">From HIPAA.com&#8217;s previous postings on breaches, you know that remediating breaches is costly, not only financially, but also in time, potential damage to reputation and customer goodwill, and lost business.  The <a href="http://www.ponemon.org/blog/post/cost-of-a-data-breach-climbs-higher" target="_blank">Ponemon Institute</a>, a privacy and information management research firm, in March 2011, announced results of the sixth annual <em>U.S. Cost of a Data Breach Study</em>.  According to this study, based on survey data, breach incidents cost U.S. companies $214 per compromised customer record (2010 data).  Looking just at OCR&#8217;s publicly disclosed 365 breaches, affecting nearly 18.2 million individuals, the potential remediation cost is just under $3.9 billion.  The <a href="http://www.healthdatamanagement.com/news/protected-health-information-data-breach-42935-1.html" target="_blank">August 3, 2011, </a><em><a href="http://www.healthdatamanagement.com/news/protected-health-information-data-breach-42935-1.html" target="_blank">HDM Breaking News</a> </em>article mentions that &#8220;[t]he cost to reduce the risk to protected health information before a breach can be as low as 10 percent of the cost to remediate a medium-sized breach.&#8221;  As the old automotive oil filter <a href="http://www.youtube.com/watch?v=aq3wL8ZXjBU" target="_blank">TV ad</a> stated, &#8220;you can pay me now or pay me later.&#8221; Investment now in HIPAA/HITECH Act privacy and security safeguards to minimize risk to PHI is a cost-effective and wise investment, especially in <em>ENCRYPTING YOUR PHI</em> on mobile and portable electronic devices and media with a high likelihood of being lost or stolen.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2011/11/hitech-act-breached-individuals-skyrocket-in-latest-ocr-web-site-posting/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HHS Extends Life of Temporary EHR Technology Certification Program</title>
		<link>http://www.hipaa.com/2011/11/hhs-extends-life-of-temporary-ehr-technology-certification-program/</link>
		<comments>http://www.hipaa.com/2011/11/hhs-extends-life-of-temporary-ehr-technology-certification-program/#comments</comments>
		<pubDate>Thu, 03 Nov 2011 19:31:39 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Meaningful Use]]></category>
		<category><![CDATA[ATCBs]]></category>
		<category><![CDATA[authorized certification bodies]]></category>
		<category><![CDATA[authorized testing and certification bodies]]></category>
		<category><![CDATA[certification criteria]]></category>
		<category><![CDATA[DEPARTMENT OF HEALTH AND HUMAN SERVICES]]></category>
		<category><![CDATA[effective date]]></category>
		<category><![CDATA[EHR technology]]></category>
		<category><![CDATA[Federal Register]]></category>
		<category><![CDATA[Final rule]]></category>
		<category><![CDATA[HHS]]></category>
		<category><![CDATA[implementation specifications]]></category>
		<category><![CDATA[Medicare and Medicaid EHR Incentive Programs]]></category>
		<category><![CDATA[notice]]></category>
		<category><![CDATA[Office of the National Coordinator]]></category>
		<category><![CDATA[ONC]]></category>
		<category><![CDATA[ONC-ACBs]]></category>
		<category><![CDATA[permanent certification program]]></category>
		<category><![CDATA[Stage 2]]></category>
		<category><![CDATA[Standards]]></category>
		<category><![CDATA[sunset accredited testing laboratories]]></category>
		<category><![CDATA[Temporary Certification Program]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2502</guid>
		<description><![CDATA[The Office of the National Coordinator for Health Information Technology (ONC) of the Department of Health and Human Services (HHS) published a notice in the Thursday, November 3, 2011, Federal Register that extends the life of the "temporary certification program for health information technology" beyond its expected sunset date of December 31, 2011, to at least summer 2012.]]></description>
			<content:encoded><![CDATA[<p>The Office of the National Coordinator for Health Information Technology (ONC) of the Department of Health and Human Services (HHS) published a <a href="http://www.gpo.gov/fdsys/pkg/FR-2011-11-03/pdf/2011-28492.pdf" target="_blank">notice</a> in the Thursday, November 3, 2011, <em>Federal Register</em> that extends the life of the &#8220;<a href="http://edocket.access.gpo.gov/2010/pdf/2010-14999.pdf" target="_blank">temporary certification program</a> for health information technology&#8221; beyond its expected sunset date of December 31, 2011, to at least summer 2012.  &#8220;We believe that the sunset of the temporary certification programs [ONC-Authorized Testing and Certification Bodies (ATCBs)] should be tied to the effective date of the final rule that we intend to issue in summer 2012, which is expected to adopt new and revised standards, implementation specifications, and certification criteria for EHR technology in support of the next stage [Stage 2] of meaningful use under the <a href="http://www.cms.gov/ehrincentiveprograms/" target="_blank">Medicare and Medicaid EHR Incentive Programs</a>.  We believe aligning the sunset of the temporary certification program with the effective date of this forthcoming final rule would provide certainty to health care providers, EHR technology developers, and other stakeholders, while also ensuring a sufficient number of accredited testing laboratories and [<a href="http://edocket.access.gpo.gov/2011/pdf/2010-33174.pdf" target="_blank">permanent certification program</a>] ONC-ACBs [Authorized Certification Bodies] exist to meet market demand.&#8221; ONC will publish a subsequent notice if there are &#8220;any changes to our expected sunset date for the temporary certification program.&#8221; [20111103]</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2011/11/hhs-extends-life-of-temporary-ehr-technology-certification-program/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HITECH Act Privacy and Security Final Rules Needed Now</title>
		<link>http://www.hipaa.com/2011/10/hitech-act-privacy-and-security-final-rules-needed-now/</link>
		<comments>http://www.hipaa.com/2011/10/hitech-act-privacy-and-security-final-rules-needed-now/#comments</comments>
		<pubDate>Tue, 25 Oct 2011 14:51:43 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[Enforcement]]></category>
		<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[3 tips]]></category>
		<category><![CDATA[9 steps]]></category>
		<category><![CDATA[Agency Rule List]]></category>
		<category><![CDATA[AMA HIPAA School]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[breach investigation]]></category>
		<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[business associate]]></category>
		<category><![CDATA[civil enforcement]]></category>
		<category><![CDATA[complaint investigation]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[compliance audit]]></category>
		<category><![CDATA[Corrective Action Plan]]></category>
		<category><![CDATA[covered entity]]></category>
		<category><![CDATA[Federal Register]]></category>
		<category><![CDATA[Government Health IT]]></category>
		<category><![CDATA[guidance]]></category>
		<category><![CDATA[HHS]]></category>
		<category><![CDATA[HIPAA PRIVACY RULE]]></category>
		<category><![CDATA[HIPAA School]]></category>
		<category><![CDATA[HIPAA Security Rule]]></category>
		<category><![CDATA[Nemours breach]]></category>
		<category><![CDATA[NIST]]></category>
		<category><![CDATA[noncompliance]]></category>
		<category><![CDATA[OCR]]></category>
		<category><![CDATA[OCR breach investigation]]></category>
		<category><![CDATA[OMB]]></category>
		<category><![CDATA[Omnibus Final Rules]]></category>
		<category><![CDATA[penalties]]></category>
		<category><![CDATA[policy and procedures]]></category>
		<category><![CDATA[Resolution Agreement]]></category>
		<category><![CDATA[risk assessment]]></category>
		<category><![CDATA[safeguard training]]></category>
		<category><![CDATA[state attorney general]]></category>
		<category><![CDATA[Tricare breach]]></category>
		<category><![CDATA[UCLA Health System]]></category>
		<category><![CDATA[workforce]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2481</guid>
		<description><![CDATA[As of October 25, 2011, OCR has reported 345 such breaches involving a total of 11,959,488 individuals.  Not reflected yet in the OCR disclosed breaches are two involving 6.5 million individuals:  a Nemours breach of 1.6 million individuals and a TRICARE breach involving 4.9 million individuals.  OCR has indicated on several occasions this year that the final Omnibus Privacy, Security, Breach Notification, and Enforcement Rules will be published in the Federal Register by the end of 2011.  It is time to get the enabling Final Rules published in the Federal Register.  Perhaps then, and certainly after expected compliance with the Rules is required in 2012, covered entities and their business associates will sharpen focus on safeguarding protected health information that is created, stored, in motion, or disposed of, thereby lessening the likelihood and consequences of breaches and detection of non-compliance via audits and investigations.]]></description>
			<content:encoded><![CDATA[<p>Since September 23, 2009, the enforcement arm of the Department of Health and Human Services (HHS), the Office for Civil Rights (OCR), has been required to publicly disclose <a href="http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html" target="_blank">breaches</a> involving 500 or more individuals discovered and reported by covered entities and their business associates. As of October 25, 2011, OCR has reported 345 such breaches involving a total of 11,959,488 individuals.  Not reflected yet in the OCR disclosed breaches are two involving 6.5 million individuals:  a <a href="http://www.healthdatamanagement.com/news/breach-hospital-notification-hipaa-privacy-43398-1.html" target="_blank">Nemours breach</a> of 1.6 million individuals and a <a href="http://www.govinfosecurity.com/articles.php?art_id=4105" target="_blank">TRICARE breach</a> involving 4.9 million individuals.  Together, these two recently reported breaches represent 54.4% of the total number of individuals affected by the publicly disclosed breaches by OCR over the past 25 months.</p>
<p>OCR has indicated on several occasions this year that the final Omnibus Privacy, Security, Breach Notification, and Enforcement Rules will be published in the <em>Federal Register</em> by the <a href="http://www.healthcare-informatics.com/ME2/dirmod.asp?sid=9B6FFC446FF7486981EA3C0C3CCE4943&amp;nm=Articles%2FNews&amp;type=Publishing&amp;mod=Publications%3A%3AArticle&amp;mid=8F3A7027421841978F18BE895F87F791&amp;tier=4&amp;id=0917E61C732343FA9846D0A12B4DF7C2" target="_blank">end of 2011</a>. Documentation from the Office of Information and Regulatory Affairs (Reginfo.gov) of the Office of Management and Budget (OMB) shows the timetable for <em>final action</em> indicated a <a href="http://www.reginfo.gov/public/do/eAgendaViewRule?pubId=201104&amp;RIN=0991-AB80" target="_blank">September 2011</a> date, which is now past.</p>
<p>What is taking so long to get these Final Rules released and published in the <em>Federal Register</em>?  Since their enactment, the HIPAA Privacy and Security Rules have been characterized as having lax enforcement and accountability, and low financial penalties for non-compliance.  Such an environment leads to complacency.  That environment changed with enactment of toughened enforcement requirements and significantly increased penalties in the HITECH Act, which HIPAA.com has discussed in earlier posts.</p>
<p>Enforcement examples include extension of privacy and security requirements to and direct federal regulation of business associates, random compliance audits in addition to complaint and breach investigations, civil enforcement by state attorneys general in federal court, individual liability for certain violations, breach notification requirements, and guidance on securing protected health information.</p>
<p>Although only one of several enforcement agreements this year, HHS’ July 2011 costly and onerous <em><a href="http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/UCLAHSracap.pdf" target="_blank">Resolution Agreement/Corrective Action Plan</a> </em>with UCLA Health System, which requires that policies and procedures for safeguarding protected health information are in place and that workforce members are trained on those safeguards, is indicative of the severity of consequences to come for non-compliance with full enablement of the Omnibus Final Rules.  HIPAA.com recommends that you read the provisions of the <em>Corrective Action Plan </em>to understand the extent of the risk assessment, policy and procedure documentation, and workforce safeguard training requirements.</p>
<p>It is time to get the enabling Final Rules published in the <em>Federal Register</em>.  Perhaps then, and certainly after expected compliance with the Rules is required in 2012, covered entities and their business associates will sharpen focus on safeguarding protected health information that is created, stored, in motion, or disposed of, thereby lessening the likelihood and consequences of breaches and detection of non-compliance via audits and investigations.</p>
<p>HIPAA.com directs your attention to two recent October 2011 articles in <em>Government Health IT</em> that will help covered entities and their business associates address compliance issues and handle breach investigations.  The <a href="http://govhealthit.com/news/3-tips-surviving-ocr-breach-investigation" target="_blank">first article</a> is entitled:  &#8220;3 Tips for surviving an OCR breach investigation.&#8221;  Titles of these tips are:  1.  Be prepared before an incident occurs; 2. Educate the investigator; and 3.  Ask for help. The <a href="http://www.govhealthit.com/news/9-steps-take-during-ocr-data-breach-investigation" target="_blank">second article</a> is entitled:  &#8220;9 steps to take during an OCR data breach investigation.&#8221;  Titles of these steps are:  1.  Learn your HIPAA status; 2. Get HIPAA/HITECH complaint; 3.  Get help; 4.  Determine who is financially responsible; 5. Aim for an &#8216;informal resolution&#8217; in an OCR investigation; 6.  Create a defensible response strategy; 7.  Don&#8217;t flunk the &#8216;attitude test&#8217;; 8.  Make a clean finish; and 9. Exceed OCR&#8217;s expectations if a settlement is required.  HIPAA.com recommends that you access these articles and consider the advice under each tip and step.</p>
<p>HIPAA.com reiterates a concluding paragraph from its preceding post, entitled <em>Get Ready Now for Toughened HIPAA/HITECH Act Privacy and Security Rules and Enforcement, and Big Noncompliance Fines</em>:</p>
<p>Again, if your organization has not already done so, it is time to start or review your <em>risk assessment</em>, with guidance available from the National Institute of Standards and Technology (<a style="color: #6699cc; text-decoration: none;" href="http://www.nist.gov/healthcare/security/hipaasecurity.cfm" target="_blank">NIST</a>).  Then, prepare, document, and retain your required <em><a style="color: #6699cc; text-decoration: none;" href="http://www.hipaarms.com/" target="_blank">policies and procedures</a></em> for safeguarding protected health information based on risk assessment outcomes. Finally, train your workforce members (including management) on HIPAA/HITECH Act privacy, security, and breach notification requirements, with information on online privacy, security, and breach notification <em>awareness and understanding</em> training and testing available at hipaa.com’s sister entity, <a style="color: #6699cc; text-decoration: none;" href="http://www.hipaaschool.com/" target="_blank">HIPAA School</a>, or, if you are a member of the American Medical Association, at <a style="color: #6699cc; text-decoration: none;" href="http://ama.hipaaschool.com/" target="_blank">AMA HIPAA School</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2011/10/hitech-act-privacy-and-security-final-rules-needed-now/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Get Ready Now for Toughened HIPAA/HITECH Act Privacy and Security Rules and Enforcement, and Big Noncompliance Fines</title>
		<link>http://www.hipaa.com/2011/08/get-ready-now-for-toughened-hipaahitech-act-privacy-and-security-rules-and-enforcement-and-big-noncompliance-fines/</link>
		<comments>http://www.hipaa.com/2011/08/get-ready-now-for-toughened-hipaahitech-act-privacy-and-security-rules-and-enforcement-and-big-noncompliance-fines/#comments</comments>
		<pubDate>Wed, 17 Aug 2011 12:41:47 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[Enforcement]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[Corrective Action Plan]]></category>
		<category><![CDATA[encrypted]]></category>
		<category><![CDATA[final rules]]></category>
		<category><![CDATA[financial penalties]]></category>
		<category><![CDATA[HDM]]></category>
		<category><![CDATA[HHS]]></category>
		<category><![CDATA[HHS Resolution Agreement]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[internal monitor or entity]]></category>
		<category><![CDATA[MassGeneral]]></category>
		<category><![CDATA[OCR]]></category>
		<category><![CDATA[policies and procedures]]></category>
		<category><![CDATA[risk assessment]]></category>
		<category><![CDATA[safeguard training]]></category>
		<category><![CDATA[Training]]></category>
		<category><![CDATA[UCLAHS]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2410</guid>
		<description><![CDATA[On February 17, 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH Act) was enacted as part of the so-called stimulus package known as the American Recovery and Reinvestment Act (Public Law 111-5).  Enhanced privacy and security provisions—including extension of requirements to business associates of covered entities, specification of breach notification requirements for unsecured protected health information, and substantially increased penalties for non-compliance—were included in the HITECH Act.  These provisions have been encapsulated in notices of proposed rulemaking and interim final rules.  The federal government has indicated that Final Rules for Privacy, Security, Breach Notification, and Enforcement will be published in the Federal Register simultaneously—no later than the end of 2011, and expected in September as noted by the Office of Information and Regulatory Affairs at the Office of Management and Budget (OMB), with HDM Breaking News on July 7, 2011, reporting that the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) “confirms that anticipated timetable.” If so, and with compliance required for privacy and security changes 240 days following publication, compliance would be required most likely in May 2012.  Note that, as interim final rules, the breach notification requirements and enforcement penalties already require compliance or are already effective, respectively.
Again, if your organization has not already done so, it is time to start or review your risk assessment, with guidance available from the National Institute of Standards and Technology (NIST), prepare your required policies and procedures for safeguarding protected health information based on risk assessment outcomes, and provide privacy and security safeguard training to your workforce members on those policies and procedures.  Final rules will be out soon and the time to achieve compliance--240 days from publication--is short.  We recommend that you start now.]]></description>
			<content:encoded><![CDATA[<p>The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted on August 21, 1996, as <a href="http://www.hhs.gov/ocr/privacy/hipaa/administrative/statute/index.html">Public Law 104-191</a>.   HIPAA Administrative Simplification provisions in Subtitle F, Title II included transactions and code sets, privacy, security, and unique identifiers.  Except for several identifiers, the federal government promulgated enabling regulations under the Administrative Procedure Act.  For example, the Privacy Rule required compliance by healthcare providers, healthcare clearinghouses, and health plans—<em>Covered Entities</em>—by April 14, 2003, and the Security Rule required compliance by April 20, 2005, with small health plans for each rule having an additional year in which to comply.</p>
<p>On February 17, 2009, the Health Information Technology for Economic and Clinical Health Act (<a href="http://www.hipaasurvivalguide.com/hitech-act-text.php">HITECH Act</a>) was enacted as part of the so-called stimulus package known as the American Recovery and Reinvestment Act (Public Law 111-5).  Enhanced privacy and security provisions—including extension of requirements to Business Associates of Covered Entities, specification of breach notification requirements for <em>unsecured</em> protected health information, and substantially increased penalties for noncompliance—were included in the HITECH Act.  These provisions have been encapsulated in notices of proposed rulemaking and interim final rules.  The federal government has indicated that Final Rules for Privacy, Security, Breach Notification, and Enforcement will be published in the <em>Federal Register</em> simultaneously—no later than the end of 2011, and expected in September as noted by the <a href="http://www.reginfo.gov/public/do/eAgendaViewRule?pubid=201104&amp;RIN=0991-AB80">Office of Information and Regulatory Affairs</a> at the Office of Management and Budget (OMB), with <em><a href="http://www.healthdatamanagement.com/news/hhs-rules-semi-annual-regulatory-agenda-42755-1.html">HDM Breaking News</a></em> on July 7, 2011, reporting that the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) “confirms that anticipated timetable.” If so, and with compliance required by Covered Entities and Business Associates for privacy and security changes 240 days following publication, compliance would be required most likely in May 2012.  Note that, as interim final rules, the breach notification requirements and enforcement penalties already require compliance and are already effective, respectively.</p>
<p>On Sunday, August 21, 2011, we say <em>HAPPY 15<sup>th</sup> ANNIVERSARY, HIPAA!</em> We also note that, up until passage of the HITECH Act, the Congress was penurious in providing enforcement funding, the federal government was lax in delivering meaningful enforcement, even given the resources it had, and penalties were trivial for HIPAA violations.  See the June 2, 2011, HHS news release, <em><a href="http://oig.hhs.gov/newsroom/news-releases/2011/security.asp">Security Gaps May Threaten Electronic Health Records</a></em>, which provides links to two Office of Inspector General reports. A measure of the laxity is the public disclosure of breaches since September 23, 2009, when public disclosure was required by regulation under the HITECH Act on <a href="http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/HealthInfoBreaches.csv">OCR&#8217;s Web site</a>.  As of August 17, 2011, there have been almost 11.6 million individuals impacted by 300 breaches affecting a minimum of 500 individuals per breach.  Approximately 3 out of 4 of these breaches involve electronic media, the rest hard copy such as paper or film, and about 18% involve a business associate of a covered entity.  In addition, <em><a href="http://www.healthdatamanagement.com/news/protected-health-information-data-breach-42935-1.html">HDM Breaking News</a> </em>on August 3, 2011, reported OCR has acknowledged that from inception of public disclosure in September 2009 through mid-May 2011, there have been 31,000 breaches affecting fewer than 500 individuals per breach, which only have to be reported to HHS annually.  
As a result of federal enforcement laxity, a large number of covered entities have been dismissive of or just given lip service to the need to invest in securing protected health information, including conducting risk assessments, developing policies and procedures for safeguarding such information, and training their workforce members on implementing and practicing those safeguard procedures.  This is evidenced by the incidence of stolen mobile and portable electronic devices containing protected health information <strong>that are not encrypted</strong>, as shown by an analysis of the publicly disclosed breaches on the OCR Web site, studies in the literature, and anecdotally.</p>
<p>HIPAA.com recommends that, if you are working for or represent a Covered Entity or Business Associate, you review examples of <em>Corrective Action Plans</em> in <a href="http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html">HHS Resolution Agreements</a>, such as the <em>Corrective Action Plans Between the United States Department of Health and Human Services and the General Hospital Corporation and Massachusetts General Physicians Organization, Inc (February 14, 2011)</em>, and <em>Between the United States Department of Health and Human Services and the Regents of the University of California (July 6, 2011)</em>. These <em>Corrective Action Plans</em> will give you an appreciation of the required measures and strict timelines that you likely will face following a breach, complaint investigation, or compliance audit where it is determined that your business is not in compliance with the HIPAA Privacy, Security, or Breach Notification Rules.</p>
<p>Below, we provide excerpts from provisions of the referenced <em>Corrective Action Plan </em>(CAP) for UCLA Health System that is part of the <a href="http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/UCLAHSracap.pdf">Regents of the University of California Resolution Agreement</a>:</p>
<p>“III.  <span style="text-decoration: underline;">Term of CAP</span></p>
<p>The period of compliance obligations … shall begin on the Effective Date [July 6, 2011] and end three (3) years from the date of OCR’s approval of the Monitor Plan….</p>
<p>V.  <span style="text-decoration: underline;">Corrective Action Obligations</span></p>
<ul>
<li><strong>Policies and Procedures</strong></li>
</ul>
<ol>
<li>…Shall review, revise and maintain, as necessary, existing policies and procedures and develop, implement and maintain, as necessary, written policies and procedures related to the Covered Conduct that comply with the Federal standards [under the Privacy and Security Rules].</li>
<li>…Shall provide such Policies and Procedures, consistent with paragraph 1 above, to HHS within 60 days of the Effective Date for review and approval.  Upon receiving any recommended changes to such Policies and Procedures from HHS, …shall have 60 days to revise such Policies and Procedures accordingly and provide the revised Policies and Procedures to HHS for review and approval.</li>
<li>…Shall implement such Policies and Procedures within 60 days of receipt of HHS’ approval.</li>
</ol>
<ul>
<li><span style="text-decoration: underline;"><strong>Distribution and Updating of Policies and Procedures</strong></span></li>
</ul>
<ol>
<li>…Shall distribute the Policies and Procedures in section A to all members of its workforce who have access to protected health information within 30 days of HHS approval … and to new members of the workforce who have access to protected health information within 30 days of their beginning of service.</li>
<li>…Shall require, at the time of distribution of such Policies and Procedures, a signed written or electronic initial compliance certification from all members of the workforce who have access to protected health information, stating that the workforce members have read, understand or know where to seek information about and will abide by such Policies and Procedures.  Such written or electronic certification must be received [by the Covered Entity]… within 30 days of any workforce member’s receipt of the Privacy Policies and Procedures and if such certification is not received that workforce member shall not be permitted to perform any services for [the Covered Entity] that involves protected health information until and unless such certification is received.</li>
<li>…Shall assess, update, and revise, as necessary, the Policies and Procedures at least annually and more frequently if appropriate.  …Shall provide such revised Policies and Procedures to HHS for review and approval….  Within 30 days of the effective date of any approved substantive revisions, [the Covered Entity] shall distribute such revised Policies and Procedures to all members of its workforce who have access to protected health information, and shall require and obtain new compliance certifications from all members of its workforce who have access to protected health information.</li>
</ol>
<ul>
<li><strong><span style="text-decoration: underline;">Minimum Content of the Policies and Procedures and Reportable Events</span></strong></li>
</ul>
<p>The Policies and Procedures shall include but not be limited to:</p>
<ol>
<li>Instructions and procedures (a) that address permissible and impermissible uses and disclosures of protected health information by various categories of workforce members and (b) that address security awareness standards, information access management standards, workstation use standards, authorization and/or supervision standards and workforce clearance procedures.</li>
<li>Application of appropriate sanctions against members of the Covered Entity’s workforce who fail to comply with Policies and Procedures provided for in [paragraph 1] above.</li>
<li>Protocols for training all members of the Covered Entity’s workforce who have access to protected health information to ensure that they know how to comply with the Policies and Procedures provided for in [paragraph 1] above.</li>
</ol>
<ul>
<li><span style="text-decoration: underline;"><strong>Training</strong></span></li>
</ul>
<ol>
<li>All members of the workforce who have access to protected health information shall receive specific training related to the Policies and Procedures within 90 days of the implementation of the Policies and Procedures or within 30 days of their beginning as a member of the workforce.</li>
<li>Each individual workforce member who is required to attend training shall certify, in writing or in electronic form, that he or she has received the required training.  The training certification shall specify the date training was received.  All course materials shall be retained….</li>
<li>…Shall review the training annually, and, where appropriate, update the training to reflect changes in federal law or HHS guidance, any issues discovered during audits or reviews, and any other relevant developments.</li>
<li>…Shall prohibit any member of its workforce from using, disclosing, or disposing of protected health information, if that workforce member has not completed the requisite training required by [paragraph 1] above.”</li>
</ol>
<p>In addition to the provisions outlined above, the <em>Corrective Action Plan</em> also requires that [the Covered Entity] “shall designate an individual or entity to be a monitor to review [the Covered Entity’s] compliance with this CAP,” and outline duties of the monitor, documentation retention requirements, and reporting schedules to HHS regarding fulfillment of the compliance obligations under the CAP.</p>
<p>From previous postings on hipaa.com, you know that remediating breaches is costly, not only in financial terms, but also in time and potential damage to reputation and customer goodwill.  The <a href="http://www.ponemon.org/blog/post/cost-of-a-data-breach-climbs-higher">Ponemon Institute</a>, a privacy and information management research firm, in March 2011, announced results of the sixth annual <em>U.S. Cost of a Data Breach Study</em>. According to this study, based on survey data, breach incidents cost U.S. companies $214 per compromised customer record (2010 data).  Looking just at OCR’s publicly disclosed 300 breaches, affecting nearly 11.6 million individuals, the potential cost of remediation is just under $2.5 billion.  The August 3, 2011, <em>HDM Breaking News</em> article referenced earlier also mentions that “[t]he cost to reduce the risk to protected health information before a breach can be as low as 10 percent of the cost to remediate a medium-sized breach.”  As the old automotive oil filter <a href="http://www.youtube.com/watch?v=aq3wL8ZXjBU">TV ad</a> stated, &#8220;you can pay me now or pay me later.&#8221; Investment now in HIPAA/HITECH Act privacy and security safeguards to minimize risk to protected health information is a cost-effective and wise investment, especially with toughened enforcement and significantly higher financial penalties for noncompliance just around the corner.</p>
<p>Again, if your organization has not already done so, it is time to start or review your <em>risk assessment</em>, with guidance available from the National Institute of Standards and Technology (<a href="http://www.nist.gov/healthcare/security/hipaasecurity.cfm">NIST</a>).  Then, prepare, document, and retain your required <em><a href="http://www.hipaarms.com">policies and procedures</a></em> for safeguarding protected health information based on risk assessment outcomes. Finally, train your workforce members (including management) on HIPAA/HITECH Act privacy, security, and breach notification requirements, with information on online privacy, security, and breach notification <em>awareness and understanding</em> training and testing available at hipaa.com&#8217;s sister entity, <a href="http://www.hipaaschool.com">HIPAA School</a>, or, if you are a member of the American Medical Association, at <a href="http://ama.hipaaschool.com">AMA HIPAA School</a>.</p>
<p>Final privacy, security, breach notification, and enforcement rules will be out soon and the time to achieve compliance&#8211;240 days from publication in the <em>Federal Register</em>&#8211;is short.  We recommend that you start now.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2011/08/get-ready-now-for-toughened-hipaahitech-act-privacy-and-security-rules-and-enforcement-and-big-noncompliance-fines/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HHS Publishes HITECH Act Accounting of Disclosures NPRM</title>
		<link>http://www.hipaa.com/2011/05/hhs-publishes-hitech-act-accounting-of-disclosures-nprm/</link>
		<comments>http://www.hipaa.com/2011/05/hhs-publishes-hitech-act-accounting-of-disclosures-nprm/#comments</comments>
		<pubDate>Tue, 31 May 2011 12:38:36 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[access report]]></category>
		<category><![CDATA[accounting of disclosures]]></category>
		<category><![CDATA[business associates]]></category>
		<category><![CDATA[covered entities]]></category>
		<category><![CDATA[DEPARTMENT OF HEALTH AND HUMAN SERVICES]]></category>
		<category><![CDATA[designated record set]]></category>
		<category><![CDATA[electronic designated record set]]></category>
		<category><![CDATA[electronic health record]]></category>
		<category><![CDATA[electronic protected health information]]></category>
		<category><![CDATA[Federal Register]]></category>
		<category><![CDATA[Health Care Operations]]></category>
		<category><![CDATA[Health Information Technology for Economic and Clinical Health Act]]></category>
		<category><![CDATA[HHS]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[notice of privacy practices]]></category>
		<category><![CDATA[Notice of Proposed Rulemaking]]></category>
		<category><![CDATA[NPRM]]></category>
		<category><![CDATA[OCR]]></category>
		<category><![CDATA[Office for Civil Rights]]></category>
		<category><![CDATA[Payment]]></category>
		<category><![CDATA[Privacy Rule]]></category>
		<category><![CDATA[protected health information]]></category>
		<category><![CDATA[small health plans]]></category>
		<category><![CDATA[statutory requirements]]></category>
		<category><![CDATA[Treatment]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2397</guid>
		<description><![CDATA[The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has published in the May 31, 2011, Federal Register the Notice of Proposed Rule Making (NPRM) entitled HIPAA Privacy Rule Accounting of Disclosures Under the Health Information Technology for Economic and Clinical Health Act (76(104), pp. 31426-31449). Comments on the NPRM are requested to be submitted on or before August 1, 2011. HHS expects to review comments and publish the Accounting of Disclosures Final Rule by the end of 2011, which means that compliance with the accounting of disclosures requirement would begin sometime during the summer of 2012.  ]]></description>
			<content:encoded><![CDATA[<p>The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has published in the May 31, 2011, <em>Federal Register</em> the Notice of Proposed Rule Making (NPRM) entitled <em>HIPAA Privacy Rule Accounting of Disclosures Under the Health Information Technology for Economic and Clinical Health Act</em> (76(104), pp. 31426-31449). This NPRM is available online in <a href="http://www.gpo.gov/fdsys/pkg/FR-2011-05-31/pdf/2011-13297.pdf" target="_blank">pdf</a>.  Comments on the NPRM are requested to be submitted on or before August 1, 2011.  The Summary of the NPRM with abbreviations, as noted, on p. 31426, is:</p>
<p>&#8220;HHS is issuing this NPRM to modify the HIPAA Privacy Rule&#8217;s standard for accounting of disclosures of protected health information.  The purpose of these modifications is, in part, to implement the statutory requirement under the HITECH Act to require covered entities and business associates to account for disclosures of protected health information to carry out treatment, payment, and health care operations if such disclosures are through an electronic health record.  Pursuant to both the HITECH Act and its more general authority under HIPAA, the Department [HHS] proposes to expand the accounting provision to provide individuals with the right to receive an access report indicating who has accessed electronic protected health information in a designated record set.  Under its more general authority under HIPAA, the Department also proposes changes to the existing accounting requirements to improve their workability and effectiveness.&#8221;</p>
<p>There are several points worth noting in the NPRM.  First, HHS includes &#8220;a direct reference to business associates in the standard to make clear that the covered entity must include accounting information for all disclosures by the covered entity&#8217;s business associates that create, receive, maintain, or transmit <strong>designated record set</strong> information.&#8221;  [p. 31430, emphasis added]  Second, &#8220;[c]overed entities must provide individuals with notices of privacy practices that detail how the covered entity may use and disclose protected health information and individuals&#8217; rights with respect to their own health information. Beginning on January 1, 2013, individuals would have the right to receive a report of who accessed their electronic protected health information that covers a three-year period from the date of the request.  Covered entities would have to revise their privacy notices to reflect this change.&#8221; [p. 31445]  HHS estimates that 669,000 health care providers would have to revise and reissue their notices of privacy practices.  Next, HHS is &#8220;proposing that covered entities (including small health plans) and business associates comply with the modifications to the accounting of disclosures requirement beginning 180 days after the effective date of the final regulation (240 days after publication [in the <em>Federal Register</em>]).  We are proposing that covered entities and business associates provide individuals with a right to an access report beginning January 1, 2013, for electronic designated record set systems acquired after January 1, 2009, and beginning January 1, 2014, for electronic designated record set systems acquired as of January 1, 2009.&#8221; [p. 31429].  
Finally, HHS expects to review comments and publish the Accounting of Disclosures Final Rule by the end of 2011, which means that compliance with the accounting of disclosures requirement would begin sometime during the summer of 2012. [20110531]</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2011/05/hhs-publishes-hitech-act-accounting-of-disclosures-nprm/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>OMB Clears HITECH Act Accounting of Disclosures NPRM</title>
		<link>http://www.hipaa.com/2011/05/omb-clears-hitech-act-accounting-of-disclosures-nprm/</link>
		<comments>http://www.hipaa.com/2011/05/omb-clears-hitech-act-accounting-of-disclosures-nprm/#comments</comments>
		<pubDate>Thu, 26 May 2011 12:06:09 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[Enforcement]]></category>
		<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[accounting of disclosures]]></category>
		<category><![CDATA[American Recovery and Reinvestment Act of 2009]]></category>
		<category><![CDATA[breach notification rule]]></category>
		<category><![CDATA[clearance]]></category>
		<category><![CDATA[covered entity]]></category>
		<category><![CDATA[DEPARTMENT OF HEALTH AND HUMAN SERVICES]]></category>
		<category><![CDATA[disclosures]]></category>
		<category><![CDATA[electronic health record]]></category>
		<category><![CDATA[EO 12866]]></category>
		<category><![CDATA[Executive Order]]></category>
		<category><![CDATA[Federal Register]]></category>
		<category><![CDATA[HHS]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[Notice of Proposed Rule Making]]></category>
		<category><![CDATA[NPRM]]></category>
		<category><![CDATA[OCR]]></category>
		<category><![CDATA[Office for Civil Rights]]></category>
		<category><![CDATA[Office of Management and Budget]]></category>
		<category><![CDATA[OMB]]></category>
		<category><![CDATA[Privacy Rule]]></category>
		<category><![CDATA[protected health information]]></category>
		<category><![CDATA[Public Law 111-5]]></category>
		<category><![CDATA[Regulatory Review]]></category>
		<category><![CDATA[Section 13405(c) Health Information Technology for Economic and Clinical Health Act]]></category>
		<category><![CDATA[Security Rule]]></category>
		<category><![CDATA[STAT.]]></category>
		<category><![CDATA[statutory language]]></category>
		<category><![CDATA[Title XIII]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2390</guid>
		<description><![CDATA[OMB cleared on May 23, 2011, Notice of Proposed Rule Making relating to HITECH Act accounting of disclosures that modifies HIPAA Privacy Rule relating to such disclosures.  ]]></description>
			<content:encoded><![CDATA[<p>The Department of Health and Human Services (HHS) Office for Civil Rights (OCR), responsible for enforcement of the HIPAA Privacy, Security, and Breach Notification Rules, will issue a Notice of Proposed Rule Making (NPRM) to modify the HIPAA Privacy Rule as necessary to implement the accounting of disclosures provisions of Section 13405(c) of the Health Information Technology for Economic and Clinical Health Act (HITECH Act) (Title XIII of the American Recovery and Reinvestment Act of 2009&#8211;Public Law 111-5).  Section 13405(c) is entitled: <em>Accounting of Certain Protected Health Information Disclosures Required if Covered Entity Uses Electronic Health Record.</em> The NPRM was submitted on February 9, 2011, by HHS to the Office of Management and Budget (OMB) for clearance under Executive Order (EO) 12866 Regulatory Review, and was cleared by OMB on May 23, 2011. Publication of the NPRM will be in the <em>Federal Register</em>.  The HITECH Act statutory language is available at 123 STAT. 265-266.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2011/05/omb-clears-hitech-act-accounting-of-disclosures-nprm/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Over 10 Million Individuals Now Affected by Large Data Breaches, as Reported on OCR Web site</title>
		<link>http://www.hipaa.com/2011/04/over-10-million-individuals-now-affected-by-large-data-breaches-as-reported-on-ocr-web-site/</link>
		<comments>http://www.hipaa.com/2011/04/over-10-million-individuals-now-affected-by-large-data-breaches-as-reported-on-ocr-web-site/#comments</comments>
		<pubDate>Wed, 13 Apr 2011 13:00:04 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[Enforcement]]></category>
		<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[10 million]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[business associate]]></category>
		<category><![CDATA[covered entity]]></category>
		<category><![CDATA[discovery]]></category>
		<category><![CDATA[Health Net]]></category>
		<category><![CDATA[HHS]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[IBM]]></category>
		<category><![CDATA[identifiers privacy]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[monitoring]]></category>
		<category><![CDATA[OCR]]></category>
		<category><![CDATA[personal health information]]></category>
		<category><![CDATA[PHI]]></category>
		<category><![CDATA[risk mitigation]]></category>
		<category><![CDATA[server drives]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2375</guid>
		<description><![CDATA[As of April 4, 2011, HHS's Office for Civil Rights (OCR), responsible for enforcing HIPAA and HITECH Act privacy and security regulations, has reported on its Web site a total of 256 breaches have impacted 10,202,051 persons, in breaches reported by covered entities from September 22, 2009—the day prior to the effective date of the Breach Notification Rule—to February 8, 2011.  California-based Health Net]]></description>
			<content:encoded><![CDATA[<p>Under the Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the American Recovery and Reinvestment Act of 2009, covered entities are required to report to the Secretary of the U.S. Department of Health and Human Services (HHS) any privacy or security breach affecting 500 or more individuals within 60 days of discovery of the breach by the covered entity or its business associate.  The HHS Office for Civil Rights (OCR), which is responsible for privacy and security enforcement under the Health Insurance Portability and Accountability Act (HIPAA) and HITECH Act provisions that strengthened privacy and security enforcement, is required to <a href="http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html" target="_blank">post those breaches on its Web site</a>.</p>
<p>As of April 4, 2011, OCR reported a total of 256 breaches have impacted 10,202,051 persons in breaches reported by covered entities from September 22, 2009—the day prior to the effective date of the Breach Notification Rule—to February 8, 2011. One of seven newly posted breaches on the Web site put the number of affected individuals over 10 million:  California-based Health Net, Inc. reported a breach affecting 1.9 million individuals on January 21, 2011, from an &#8220;unknown&#8221; type of breach and &#8220;other&#8221; location of breached information.  Health Net issued a news release pertaining to this reported incident on March 14, 2011, which is <a href="http://healthnet.tekgroup.com/article_display.cfm?article_id=5529" target="_blank">available online</a>.  In that news release, Health Net indicated that a business associate, IBM, had notified Health Net that &#8220;it could not locate several server drives.&#8221; Health Net is continuing to investigate the whereabouts of those drives and is offering affected parties several risk mitigation monitoring and insurance remedies to potential misuse of personal health information (PHI) identifiers and resultant consequences.</p>
<p>The growing number of individuals affected by privacy and security breaches heightens the need for OCR to strengthen enforcement, and for covered entities and business associates to increase the attention paid to compliance with HIPAA/HITECH Act privacy and security rules, especially training of workforce members to safeguard electronic hardware, devices, and media containing PHI.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2011/04/over-10-million-individuals-now-affected-by-large-data-breaches-as-reported-on-ocr-web-site/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Nearly 8.3 Million Individuals Impacted by 249 Privacy and Security Breaches Reported by HHS; More Training on Safeguarding PHI Required</title>
		<link>http://www.hipaa.com/2011/03/nearly-8-3-million-individuals-impacted-by-249-privacy-and-security-breaches-reported-by-hhs-more-training-on-safeguarding-phi-required/</link>
		<comments>http://www.hipaa.com/2011/03/nearly-8-3-million-individuals-impacted-by-249-privacy-and-security-breaches-reported-by-hhs-more-training-on-safeguarding-phi-required/#comments</comments>
		<pubDate>Tue, 22 Mar 2011 12:47:00 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[Enforcement]]></category>
		<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Adam Greene]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[breach notification rule]]></category>
		<category><![CDATA[business associate]]></category>
		<category><![CDATA[cost]]></category>
		<category><![CDATA[covered entity]]></category>
		<category><![CDATA[effective date]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[Georgina Verdugo]]></category>
		<category><![CDATA[guidance]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[HHS]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[improper disposal]]></category>
		<category><![CDATA[indecipherable]]></category>
		<category><![CDATA[internal audit]]></category>
		<category><![CDATA[laptop]]></category>
		<category><![CDATA[loss]]></category>
		<category><![CDATA[Mass General]]></category>
		<category><![CDATA[mitigation]]></category>
		<category><![CDATA[noncompliance]]></category>
		<category><![CDATA[not corrected]]></category>
		<category><![CDATA[OCR]]></category>
		<category><![CDATA[PED]]></category>
		<category><![CDATA[penalties]]></category>
		<category><![CDATA[PHI]]></category>
		<category><![CDATA[policies and procedures]]></category>
		<category><![CDATA[portable electronic device]]></category>
		<category><![CDATA[prompt action plan]]></category>
		<category><![CDATA[protected health information]]></category>
		<category><![CDATA[reputation]]></category>
		<category><![CDATA[Resolution Agreement]]></category>
		<category><![CDATA[safeguard]]></category>
		<category><![CDATA[sub-contractor]]></category>
		<category><![CDATA[theft]]></category>
		<category><![CDATA[Training]]></category>
		<category><![CDATA[unauthorized]]></category>
		<category><![CDATA[unauthorized access]]></category>
		<category><![CDATA[unreadable]]></category>
		<category><![CDATA[unsecured]]></category>
		<category><![CDATA[unusable]]></category>
		<category><![CDATA[willful neglect]]></category>
		<category><![CDATA[workforce]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2362</guid>
		<description><![CDATA[The HHS Office for Civil Rights (OCR), which is responsible for privacy and security enforcement under the Health Insurance Portability and Accountability Act (HIPAA) and HITECH Act provisions that strengthened privacy and security enforcement, is required to post those breaches on its Web site. As of March 17, 2011, OCR had posted on its Web site 249 breaches that had impacted 8,289,236 individuals reported by covered entities. With regard to the 177 privacy and security breaches involving electronic PHI, 104, or approximately 59%, involved laptops and portable electronic devices (PEDs)—not otherwise identified.  All but 4 of these reported breaches of laptops and PEDs involved theft or loss. These breaches should not be occurring! Covered entities and business associates should be encrypting their electronic PHI on portable and mobile devices.  Clearly, they should be emphasizing safeguard policies and procedures such as encryption of electronic PHI, and initiating a meaningful training program for workforce members on "awareness and understanding" of and abiding by those policies and procedures.]]></description>
			<content:encoded><![CDATA[<p>Under the Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the American Recovery and Reinvestment Act of 2009, covered entities are required to report to the Secretary of the U.S. Department of Health and Human Services (HHS) any privacy or security breach affecting 500 or more individuals within 60 days of discovery of the breach by the covered entity or its business associate.  The HHS Office for Civil Rights (OCR), which is responsible for privacy and security enforcement under the Health Insurance Portability and Accountability Act (HIPAA) and HITECH Act provisions that strengthened privacy and security enforcement, is required to <a href="www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html" target="_blank">post those breaches on its Web site</a>.</p>
<p>As of March 17, 2011, OCR had posted on its Web site 249 breaches that had impacted 8,289,236 individuals reported by covered entities. <a href="#_ftn1">[1]</a> The dates of these breaches ranged from September 22, 2009—the day prior to the effective date of the Breach Notification Rule—to January 12, 2011. Forty-eight cases reported by covered entities—19.3%&#8211;were breaches that involved a business associate.  Excluding 12 breaches without identifying information, approximately 75% (177) of the total involved <em>electronic</em> protected health information (PHI) and 25% (58) <em>hard copy</em> formatted PHI.  Several reported breaches involved electronic <em>and</em> hard copy formatted PHI.</p>
<p>With regard to type of breach, there were 24 of 249 reported breaches without sufficient detail.  Of the remainder, 139 breaches, or just about 62%, involved theft, and 37 breaches, or just over 16%, involved loss.  Together, theft and loss accounted for 168 reported breaches, or just over 78% of the total number of breaches that impacted 500 or more individuals per incident.  The remaining types of the most prevalent breaches included unauthorized access (38), hacking (22), and improper disposal (14).  Twenty-five of reported breaches involved a combination of types.</p>
<p>With regard to the 177 privacy and security breaches involving electronic PHI, 104, or approximately 59%, involved laptops and portable electronic devices (PEDs)—not otherwise identified.  <em>All but 4 of these reported breaches of laptops and PEDs involved theft or loss. </em>These breaches should not be occurring!</p>
<p>On August 24, 2009, HHS issued its Interim Final Rule on Breach Notification, which included <em>Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals</em>.  This Guidance identifies readily available safeguards—encryption processes and disposal methods—for securing PHI.  It is either through indifference to or neglect of implementing encryption safeguards on portable and mobile electronic devices that unnecessary costs of breach notification are being incurred by covered entities and their business associates that breach <em>unsecured</em> electronic PHI.  Those costs do not include costs borne by individuals impacted by breach, and costs related to loss of business and reputation and to required mitigation by the breaching party.</p>
<p>Covered entities and business associates must take greater responsibility to safeguard PHI, starting with more emphasis on training their workforce members who work with PHI.<a href="#_ftn2">[2]</a> The HITECH Act increased financial penalties for noncompliance from $100 for a single violation to $50,000, and the maximum for a repeat of a single violation in a calendar year from $25,000 to $1.5 million.  In addition, the HITECH Act provided for compliance audits<a href="#_ftn3">[3]</a> in addition to complaint investigations.  As a result, the likelihood of discovery of noncompliance and the financial consequences of such discovery—especially of <em>willful neglect-not corrected</em>—are raised considerably now under the Breach Notification Interim Final Rule for covered entities and business associates, and will be enhanced even further with simultaneous release of final HITECH Act privacy, security, and breach notification rules in 2011<a href="#_ftn4">[4]</a> that extend privacy and security obligations to business associates of covered entities and to sub-contractors of business associates.</p>
<p>Indicative of the forthcoming tightening of HIPAA and HITECH Act privacy and security enforcement is the commentary of OCR Director Georgina Verdugo in the News Release pertaining to the Resolution Agreement whereby Massachusetts General Hospital agreed to pay $1 million to settle Potential HIPAA Privacy Rule violations.<a href="#_ftn5">[5]</a> Note the following commentary:</p>
<p>“‘We hope the health care industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement.  It is a covered entity’s responsibility to protect its patients’ health information.’ … ‘To avoid enforcement penalties, covered entities must ensure they are always in compliance with the HIPAA Privacy and Security Rules.’ … ‘A robust compliance program includes employee <strong>training</strong>, vigilant implementation of policies and procedures, regular internal audits, and a prompt action plan to respond to incidents.’” [emphasis added]</p>
<p>Ed Jones [20110318]</p>
<p><a href="#_ftnref">[1]</a> As of the end of 2010, OCR had received more than 14,000 reports of smaller breach incidents (fewer than 500 impacted individuals).  See “Federal Audits Still in Development,” <em>Healthcare Info Security</em>, February 22, 2011, which is available online <a href="www.healthcareinfosecurity.com/articles.php?art_id=3373" target="_blank">here</a>.</p>
<p><a href="#_ftnref">[2]</a> For example, “one-third of recently surveyed physician practices and 14 percent of surveyed hospitals do not conduct a regular security risk analysis of their electronic health information.”  See “Survey Details the Security Landscape,” <em>HDM Breaking News</em>, November 5, 2010.  The risk analysis is the foundation of preparing safeguard policies and procedures and initiating a meaningful training program for workforce members on &#8220;awareness and understanding&#8221; of and abiding by those policies and procedures.</p>
<p><a href="#_ftnref">[3]</a> “OCR, which hired the consulting firm Booz Allen Hamilton to help design the auditing program, ‘is still working through what will give us the most bang for the buck,’  Greene said.  For example, it’s still weighing whether to audit a random sample of healthcare organizations or ‘going wider,’ he said.”  Statement of Adam Greene, senior health IT and privacy advisor in OCR, on February 21, 2011. See “Federal Audits Still in Development,” <em>Healthcare Info Security</em>, February 22, 2011, which is available online <a href="www.healthcareinfosecurity.com/articles.php?art_id=3373" target="_blank">here</a>.</p>
<p><a href="#_ftnref">[4]</a> Statement of Adam Greene, senior health IT and privacy advisor in OCR, on February 21, 2011.  See Greg Gillespie, “OCR Plans to Tighten Up HITECH Privacy, Security, Breach Regs,” <em>HDM Breaking News</em>, February 21, 2011, which is available online <a href="www.healthdatamanagement.com/news/hitech-rule-privacy-security-breach-41985-1.html" target="_blank">here</a>.</p>
<p><a href="#_ftnref">[5]</a> See  HHS, “Massachusetts General Hospital Settles Potential HIPAA Violations,” news release, February 24, 2011, which is available online <a href="www.hhs.gov/news/press/2011pres/02/20110224b.html" target="_blank">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2011/03/nearly-8-3-million-individuals-impacted-by-249-privacy-and-security-breaches-reported-by-hhs-more-training-on-safeguarding-phi-required/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Permanent HIT Certification Final Rule Published by ONC in Federal Register</title>
		<link>http://www.hipaa.com/2011/01/permanent-hit-certification-final-rule-published-by-onc-in-federal-register/</link>
		<comments>http://www.hipaa.com/2011/01/permanent-hit-certification-final-rule-published-by-onc-in-federal-register/#comments</comments>
		<pubDate>Tue, 11 Jan 2011 17:18:15 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Meaningful Use]]></category>
		<category><![CDATA[Complete EHRs]]></category>
		<category><![CDATA[EHR Modules]]></category>
		<category><![CDATA[EHR technology]]></category>
		<category><![CDATA[electronic health record technology]]></category>
		<category><![CDATA[Eligible Providers]]></category>
		<category><![CDATA[Federal Register]]></category>
		<category><![CDATA[Final rule]]></category>
		<category><![CDATA[HHS]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[incentive payments]]></category>
		<category><![CDATA[January 3 2011]]></category>
		<category><![CDATA[January 7 2011]]></category>
		<category><![CDATA[June 24 2010]]></category>
		<category><![CDATA[Medicaid]]></category>
		<category><![CDATA[Medicare]]></category>
		<category><![CDATA[ONC]]></category>
		<category><![CDATA[permanent HIT certification program]]></category>
		<category><![CDATA[Temporary HIT certification program]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2350</guid>
		<description><![CDATA[January 7, 2011.  The Department of Health and Human Services (HHS) Office of the National Coordinator for Health Information Technology (ONC) published today in the Federal Register the final rule for Establishment of the Permanent Certification Program for Health Information Technology (HIT). This regulation is effective on February 7, 2011.  The temporary certification program final rule, published on June 24, 2010 in the Federal Register, will continue in effect until it sunsets on December 31, 2011, or at a later date when permanent certification program operational processes are completed.]]></description>
			<content:encoded><![CDATA[<p>January 7, 2011.  The Department of Health and Human Services (HHS) Office of the National Coordinator for Health Information Technology (ONC) published today in the Federal Register the final rule for Establishment of the Permanent Certification Program for Health Information Technology (HIT), <a href="http://edocket.access.gpo.gov/2011/pdf/2010-33174.pdf" target="_blank">available online</a>.  This regulation is effective on February 7, 2011.  According to <a href="www.hhs.gov/news/press/2011pres/01/20110103a.html" target="_blank">the January 3, 2011, HHS News Release</a>, &#8220;[t]he temporary  certification program, established through a final rule published on June 24, 2010, will continue in effect until it sunsets on December 31, 2011, or at a later date when the processes necessary for the permanent certification program to operate are completed. ONC expects to stand-up the programmatic activities necessary to implement the permanent certification program throughout 2011.&#8221;</p>
<p>The summary of the rule follows:</p>
<p>&#8220;This final rule establishes a permanent certification program for the purpose of certifying health information technology (HIT).  This final rule is issued pursuant to the authority granted to the National Coordinator for Health Information Technology (the National Coordinator) by section 3001(c)(5) of the Public Health Service Act (PHSA), as added by the Health Information Technology for Economic and Clinical Health (HITECH) Act.  The permanent certification program will eventually replace the temporary certification program that was previously established by a final rule [published in the Federal Register on June 24, 2010, and <a href="http://edocket.access.gpo.gov/2010/pdf/2010-14999.pdf" target="_blank">available online</a>].  The National Coordinator will use the permanent certification program to authorize organizations to certify electronic health record (EHR) technology, such as Complete EHRs and/or EHR Modules.  The permanent certification program could also be expanded to include the certification of other types of HIT."</p>
<p>Again referring to the HHS News Release referenced above, "[t]he permanent certification program provides new features that will enhance the certification of health information technology, including increasing the comprehensiveness, transparency, reliability, and efficiency of the current processes used for the certification of health information technology.  Meaningful use of &#8216;Certified EHR Technology&#8217; is a core requirement for eligible health care providers who seek to qualify to receive incentive payments under the Medicare and Medicaid Electronic Health Record Incentive Programs as authorized by the [HITECH Act].&#8221;  Registration for eligible providers to receive incentive payments began on January 3, 2011, and <em>Health Data Management</em> reported on January 6, 2011, that two states&#8211;Kentucky and Oklahoma&#8211;had already begun issuance of incentive checks [www.healthdatamanagement.com].</p>
<p>For additional and updated information on EHR Certification and Meaningful Use, visit <a href="http://healthit.hhs.gov" target="_blank">ONC&#8217;s Health IT Web site</a> and the <a href="http://cms.gov/ehrincentiveprograms" target="_blank">Centers for Medicare &amp; Medicaid Services (CMS) Web site</a>.   [20110107]</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2011/01/permanent-hit-certification-final-rule-published-by-onc-in-federal-register/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Healthcare Providers Receive FTC Red Flags Exemption from Congress</title>
		<link>http://www.hipaa.com/2010/12/healthcare-providers-receive-ftc-red-flags-exemption-from-congress/</link>
		<comments>http://www.hipaa.com/2010/12/healthcare-providers-receive-ftc-red-flags-exemption-from-congress/#comments</comments>
		<pubDate>Tue, 14 Dec 2010 14:12:21 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[Red Flags Rules]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2344</guid>
		<description><![CDATA[On Tuesday, December 7, the House by voice vote joined the Senate in passage of S.3987, the Red Flag Program Clarification Act of 2010.  On November 30, 2010, the Senate passed this legislation by unanimous consent.  The bill has been cleared to the White House for signature. Healthcare providers as Covered Entities under HIPAA Administrative Simplification, while exempt from FTC Red Flag identity theft detection and protection provisions under S 3987, are not exempt from HIPAA and HITECH Act privacy and security rule obligations to safeguard patient identity data elements that are protected health information (PHI) identifiers.]]></description>
			<content:encoded><![CDATA[<p>HIPAA.com has covered the provisions of the Federal Trade Commission (FTC) Red Flags Rule in earlier postings.  Congressional action now exempts healthcare providers from compliance with the provisions of the Red Flags Rule.</p>
<p>On Tuesday, December 7, the House by voice vote joined the Senate in passage of S.3987, the Red Flag Program Clarification Act of 2010.  On November 30, 2010, the Senate passed this legislation by unanimous consent.  The bill has been cleared to the White House for signature.</p>
<p>The following information from the Library of Congress summarizes S 3987 (see http://thomas.loc.gov):</p>
<p>&#8220;Amends the Fair Credit Reporting Act, with respect to federal agency (red flag) guidelines regarding identity theft and the users of consumer reports, to define creditor to mean one that regularly and in the ordinary course of business:  (1) obtains or uses consumer reports, directly or indirectly, in connection with a credit transaction; (2) furnishes information to certain consumer reporting agencies in connection with a credit transaction; or (3) advances funds to or on behalf of a person, based on the person&#8217;s obligation to repay the funds or on repayment from specific property pledged by or on the person&#8217;s behalf.</p>
<p>&#8220;Includes in the definition any other type of creditor as the federal agency (banking agency, National Credit Union Administration, or the Federal Trade Commission) having authority over that creditor may determine appropriate, if the creditor offers or maintains accounts subject to a reasonably foreseeable risk of identity theft.</p>
<p>&#8220;Excludes from the definition of creditor, however, any creditor that advances funds on behalf of a person for expenses incidental to a service the creditor provides to that person.&#8221;</p>
<p>Note:  Healthcare providers as Covered Entities under HIPAA Administrative Simplification, while exempt from FTC Red Flag identity theft detection and protection provisions under S 3987, are <strong>not</strong> exempt from HIPAA and HITECH Act privacy and security rule obligations to safeguard patient identity data elements that are protected health information (PHI) identifiers.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2010/12/healthcare-providers-receive-ftc-red-flags-exemption-from-congress/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>200 Breaches Impacting Almost 5.9 Million Individuals, with Theft and Loss of Laptops and PEDs Major Cause</title>
		<link>http://www.hipaa.com/2010/12/200-breaches-impacting-almost-5-9-million-individuals-with-theft-and-loss-of-laptops-and-peds-major-cause/</link>
		<comments>http://www.hipaa.com/2010/12/200-breaches-impacting-almost-5-9-million-individuals-with-theft-and-loss-of-laptops-and-peds-major-cause/#comments</comments>
		<pubDate>Mon, 06 Dec 2010 14:00:02 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[Enforcement]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[business associate]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[covered entity]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[financial penalties]]></category>
		<category><![CDATA[guidance]]></category>
		<category><![CDATA[HHS]]></category>
		<category><![CDATA[HIPAA PRIVACY RULE]]></category>
		<category><![CDATA[HIPAA Security Rule]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[laptop]]></category>
		<category><![CDATA[loss]]></category>
		<category><![CDATA[noncompliance]]></category>
		<category><![CDATA[OCR]]></category>
		<category><![CDATA[Office for Civil Rights]]></category>
		<category><![CDATA[PED]]></category>
		<category><![CDATA[PHI]]></category>
		<category><![CDATA[portable electronic device]]></category>
		<category><![CDATA[protected health information]]></category>
		<category><![CDATA[reputation]]></category>
		<category><![CDATA[theft]]></category>
		<category><![CDATA[Training]]></category>
		<category><![CDATA[willful neglect]]></category>
		<category><![CDATA[workforce members]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2326</guid>
		<description><![CDATA[December 2, 2010.  As of today's posting by the HHS Office for Civil Rights (OCR) on its Website, there were 200 privacy or security breaches of protected health information (PHI) involving 5,887,170 individuals that had been reported by covered entities. Under the Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the American Recovery and Reinvestment Act of 2009, covered entities are required to report to the Secretary of the Department of Health and Human Services (HHS) any breach affecting 500 or more individuals within 60 days of discovery of the breach by the covered entity or its business associate.  OCR, which is responsible for HIPAA privacy and security enforcement,  is required to post these HIPAA privacy or security breaches publicly.  ]]></description>
			<content:encoded><![CDATA[<p>December 2, 2010.</p>
<p>Under the Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the American Recovery and Reinvestment Act of 2009, covered entities are required to report to the Secretary of the Department of Health and Human Services (HHS) any breach affecting 500 or more individuals within 60 days of discovery of the breach by the covered entity or its business associate.  The HHS Office for Civil Rights (OCR), which is responsible for HIPAA privacy and security enforcement,  is required to post these HIPAA privacy or security breaches on <a href="http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html" target="_blank">its Web site</a> (please note that this URL is a change from the initial site locator, and presents the breach information in a different format than that on the initial site.)</p>
<p>As of today&#8217;s posting by OCR on its Website, there were 200 breaches involving 5,887,170 individuals that had been reported by covered entities. The dates of these breaches ranged from September 22, 2009 to October 17, 2010.  Thirty-nine of the reported breaches, or 20%, involved business associates. Excluding 10 reported breaches without sufficient detail, 141, or approximately 3 out of 4 reported breaches, involved electronic protected health information (PHI) and 51, or approximately 1 out of 4 reported breaches, involved hard copy formatted PHI.  Several reported breaches involved breaches of both electronic and hard copy formatted PHI.</p>
<p>With regard to type of breach, there were 23 of the 200 reported breaches without sufficient detail.  Of the remaining 177 reported breaches, 112, or just over 63%, involved theft and 31, or over 17%, involved loss. Together, theft and loss, or 143 reported breaches, accounted for over 80% of reported breaches involving 500 or more individuals.  Several of these reported breaches also  indicated a combination of causes.  Here we focus on breaches of electronic PHI.</p>
<p>Of the 141 reported breaches involving electronic PHI, 86, or 61%, involved laptops and portable electronic devices (PEDs), not otherwise identified.  All but 3 of these reported breaches of laptops and portable electronic devices involved theft or loss.</p>
<p>These breaches should not be occurring.  On August 24, 2010, HHS issued its Interim Final Rule on Breach Notification, which included <a href="http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.htm" target="_blank">Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals</a>.  This guidance outlines valid encryption processes for securing PHI.  It is either through indifference to or neglect of implementing these encryption safeguards on portable and mobile electronic devices that unnecessary costs of breach notification are being incurred by covered entities and business associates that breach unsecured PHI.  That does not include the costs borne by individuals impacted by breach, or costs related to loss of business and reputation by the breaching party.  In addition to covered entities and business associates taking greater responsibility to safeguard PHI, OCR also must take a greater role in enforcement, namely, put more emphasis on privacy and security compliance and training of workforce members, and increase HITECH Act authorized compliance audits and imposition of substantially increased HITECH Act financial penalties for noncompliance with HIPAA Privacy and Security Rule provisions, especially for willful neglect.</p>
<p>Finally, as a reminder, the OCR Website only includes breaches affecting 500 or more individuals. Breaches affecting fewer than 500 individuals must be reported to OCR annually, so the total number of affected individuals may be substantially higher than that already reported. [20101202]</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2010/12/200-breaches-impacting-almost-5-9-million-individuals-with-theft-and-loss-of-laptops-and-peds-major-cause/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HHS Pulls Breach Notification Final Rule</title>
		<link>http://www.hipaa.com/2010/07/hhs-pulls-breach-notification-file-rule/</link>
		<comments>http://www.hipaa.com/2010/07/hhs-pulls-breach-notification-file-rule/#comments</comments>
		<pubDate>Fri, 30 Jul 2010 15:40:54 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[Enforcement]]></category>
		<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[0991-AB56]]></category>
		<category><![CDATA[August 24 2009]]></category>
		<category><![CDATA[Breach Notification Final Rule]]></category>
		<category><![CDATA[DEPARTMENT OF HEALTH AND HUMAN SERVICES]]></category>
		<category><![CDATA[EO 12866]]></category>
		<category><![CDATA[Executive Order]]></category>
		<category><![CDATA[Federal Register]]></category>
		<category><![CDATA[Health Information Technology for Economic and Clinical Health Act]]></category>
		<category><![CDATA[HHS]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[Interim Final Rule]]></category>
		<category><![CDATA[OCR]]></category>
		<category><![CDATA[Office for Civil Rights]]></category>
		<category><![CDATA[Office of Management and Budget]]></category>
		<category><![CDATA[OMB]]></category>
		<category><![CDATA[RIN]]></category>
		<category><![CDATA[September 23 2009]]></category>
		<category><![CDATA[unauthorized uses and disclosures]]></category>
		<category><![CDATA[unsecured protected health information]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2317</guid>
		<description><![CDATA[The HIPAA Administrative Simplification; Notification in the Case of Breach Final Rule (Regulation Identifier Number (RIN) 0991-AB56) has been at the Office of Management and Budget (OMB) since May 14, 2010, for Executive Order (EO) 12866 review and approval prior to publication in the Federal Register. On July 28, 2010, HHS "withdrew" this Final Rule, "to allow for further consideration, given the Department’s experience to date in administering the regulations.]]></description>
			<content:encoded><![CDATA[<p style="margin-left: 5px">The <em>HIPAA Administrative Simplification; Notification in the Case of Breach</em> Final Rule (Regulation Identifier Number (RIN) 0991-AB56) has been at the Office of Management and Budget (OMB) since May 14, 2010, for Executive Order (EO) 12866 review and approval prior to publication in the <em>Federal Register</em>. On July 28, 2010, HHS &#8220;withdrew&#8221; this Final Rule, with the following explanation:</p>
<p style="margin-left: 5px">&#8220;The Interim Final Rule for Breach Notification for Unsecured Protected Health Information, issued pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act, was published in the Federal Register on August 24, 2009, and became effective on September 23, 2009. During the 60-day public comment period on the Interim Final Rule, HHS received approximately 120 comments.</p>
<p style="margin-left: 5px">HHS reviewed the public comment on the interim rule and developed a final rule, which was submitted to the Office of Management and Budget (OMB) for Executive Order 12866 regulatory review on May 14, 2010.  At this time, however, HHS is withdrawing the breach notification final rule from OMB review to allow for further consideration, given the Department’s experience to date in administering the regulations.  This is a complex issue and the Administration is committed to ensuring that individuals’ health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur.  We intend to publish a final rule in the Federal Register in the coming months.&#8221;</p>
<p style="margin-left: 5px">You may follow developments with this Final Rule at the <a href="http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule" target="_blank">Department of Health and Human Services (HHS) Office for Civil Rights (OCR) Web site</a>, and HIPAA.com will bring you updates as well.</p>
<p style="margin-left: 5px">Stay tuned!</p>
<p style="margin-left: 5px">[20100730]</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2010/07/hhs-pulls-breach-notification-file-rule/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>EHR Incentive and Certification Criteria Final Rules Published in Federal Register</title>
		<link>http://www.hipaa.com/2010/07/ehr-incentive-and-certification-criteria-final-rules-published-in-federal-register/</link>
		<comments>http://www.hipaa.com/2010/07/ehr-incentive-and-certification-criteria-final-rules-published-in-federal-register/#comments</comments>
		<pubDate>Wed, 28 Jul 2010 16:41:10 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Meaningful Use]]></category>
		<category><![CDATA[adopted certification criteria]]></category>
		<category><![CDATA[ARRA]]></category>
		<category><![CDATA[CAHs]]></category>
		<category><![CDATA[Centers for Medicare & Medicaid Services]]></category>
		<category><![CDATA[Certified EHR]]></category>
		<category><![CDATA[Certified EHR Technology]]></category>
		<category><![CDATA[CFR]]></category>
		<category><![CDATA[CMS]]></category>
		<category><![CDATA[Code of Federal Regulations]]></category>
		<category><![CDATA[comply]]></category>
		<category><![CDATA[covered professional services]]></category>
		<category><![CDATA[critical access hospitals]]></category>
		<category><![CDATA[DEPARTMENT OF HEALTH AND HUMAN SERVICES]]></category>
		<category><![CDATA[effective date]]></category>
		<category><![CDATA[EHR]]></category>
		<category><![CDATA[EHR certification criteria]]></category>
		<category><![CDATA[EHR incentive]]></category>
		<category><![CDATA[electronic health record]]></category>
		<category><![CDATA[eligible hospitals]]></category>
		<category><![CDATA[eligible professionals]]></category>
		<category><![CDATA[EPs]]></category>
		<category><![CDATA[Federal Register]]></category>
		<category><![CDATA[Final rule]]></category>
		<category><![CDATA[health information technology]]></category>
		<category><![CDATA[HHS]]></category>
		<category><![CDATA[implementation specification]]></category>
		<category><![CDATA[incentive payments]]></category>
		<category><![CDATA[initial criteria]]></category>
		<category><![CDATA[inpatient hospital services]]></category>
		<category><![CDATA[June 18]]></category>
		<category><![CDATA[June 24]]></category>
		<category><![CDATA[meaningful use Stage 1]]></category>
		<category><![CDATA[Medicaid]]></category>
		<category><![CDATA[Medicare]]></category>
		<category><![CDATA[Office of the National Coordinator for Health Information Technology]]></category>
		<category><![CDATA[ONC]]></category>
		<category><![CDATA[prepublication release]]></category>
		<category><![CDATA[Public Law 111-5]]></category>
		<category><![CDATA[Secretary]]></category>
		<category><![CDATA[Stage 1 objectives and measures]]></category>
		<category><![CDATA[standard]]></category>
		<category><![CDATA[Temporary Certification Program]]></category>
		<category><![CDATA[URL]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2293</guid>
		<description><![CDATA[The EHR Incentive and Certification final rules were published in the Federal Register this morning, July 28, 2010.  HIPAA.com provides the title, summary, effective date, and URL for each.
]]></description>
			<content:encoded><![CDATA[<p>The EHR Incentive and Certification final rules were published in the Federal Register this morning, July 28, 2010.  HIPAA.com provides the title, summary, effective date, and URL for each below.</p>
<p><strong>Department of Health and Human Services, Centers for Medicare &amp; Medicaid Services, &#8220;42 CFR Parts 412, 413, 422, and 495;  Medicare and Medicaid Programs; Electronic Health Record Incentive Program; Final Rule,&#8221; </strong><em><strong>Federal Register</strong></em><strong>, 75(144), Wednesday, July 28, 2010, pp. 44313-44588.</strong></p>
<p><strong>Summary</strong>:  This final rule implements the provisions of the American Recovery and Reinvestment Act of 2009 (ARRA)(Public Law 111-5) that provide incentive payments to eligible professionals (EPs), eligible hospitals and critical access hospitals (CAHs) participating in Medicare and Medicaid programs that adopt and successfully demonstrate meaningful use of certified electronic health record (EHR) technology. This final rule specifies&#8211;the initial criteria EPs, eligible hospitals, and CAHs must meet in order to qualify for an incentive payment; calculation of the incentive payment amounts; payment adjustments under Medicare for covered professional services and inpatient hospital services provided by EPs, eligible hospitals and CAHs failing to demonstrate meaningful use of certified EHR technology; and other program participation requirements.  Also, the Office of the National Coordinator for Health Information Technology (ONC) will be issuing a closely related final rule that specifies the Secretary&#8217;s adoption of an initial set of standards, implementation specifications, and certification criteria for electronic health records.  ONC has also issued a separate final rule on the establishment of certification programs for health information technology. [p.44314]</p>
<p><strong>Effective Date</strong>:  September 27, 2010</p>
<p><strong>URL</strong>:  <a href="http://edocket.access.gpo.gov/2010/pdf/2010-17207.pdf" target="_blank">http://edocket.access.gpo.gov/2010/pdf/2010-17207.pdf</a>.</p>
<p><strong>Department of Health and Human Services, Office of the Secretary, &#8220;45 CFR Part 170; Health Information Technology:  Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology; Final Rule,&#8221; </strong><em><strong>Federal Register</strong></em><strong>, 75(144), Wednesday, July 28, 2010, pp. 44589-44654.</strong></p>
<p><strong>Summary</strong>:  The Department of Health and Human Services (HHS) is issuing this final rule to complete the adoption of an initial set of standards, implementation specifications, and certification criteria, and to more closely align such standards, implementation specifications, and certification criteria with final meaningful use Stage 1 objectives and measures.  Adopted certification criteria establish the required capabilities and specify the related standards and implementation specifications that certified electronic health record (EHR) technology will need to include to, at a minimum, support the achievement of meaningful use Stage 1 by eligible professionals, eligible hospitals, and/or critical access hospitals (hereafter, references to &#8216;eligible hospitals&#8217; in this final rule shall mean &#8216;eligible hospitals and/or critical access hospitals&#8217;) under the Medicare and Medicaid EHR Incentive Programs.  Complete EHRs and EHR Modules will be tested and certified according to adopted certification criteria to ensure that they have properly implemented adopted standards and implementation specifications and otherwise comply with the adopted certification criteria. [p. 44590]</p>
<p><strong>Effective Date</strong>:  August 27, 2010</p>
<p><strong>URL</strong>:  <a href="http://edocket.access.gpo.gov/2010/pdf/2010-17210.pdf" target="_blank">http://edocket.access.gpo.gov/2010/pdf/2010-17210.pdf</a>.</p>
<p>These final rules follow on the June 24, 2010, publication in the <em>Federal Register </em>of ONC&#8217;s final rule:  <em>Establishment of the Temporary Certification Program for Health Information Technology</em>, with an effective date the same as the publication date.  HIPAA.com did a post on the <em>Federal Register&#8217;s</em> prepublication release of this rule on June 18, 2010.  [20100728]</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2010/07/ehr-incentive-and-certification-criteria-final-rules-published-in-federal-register/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>OMB Completes Review of Final Rules for EHR Incentive Program and for Initial Certification Criteria</title>
		<link>http://www.hipaa.com/2010/07/omb-completes-review-of-final-rules-for-ehr-incentive-program-and-for-initial-certification-criteria/</link>
		<comments>http://www.hipaa.com/2010/07/omb-completes-review-of-final-rules-for-ehr-incentive-program-and-for-initial-certification-criteria/#comments</comments>
		<pubDate>Mon, 12 Jul 2010 13:51:26 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Meaningful Use]]></category>
		<category><![CDATA[Centers for Medicare & Medicaid Services]]></category>
		<category><![CDATA[certification criteria]]></category>
		<category><![CDATA[CMS]]></category>
		<category><![CDATA[EHR]]></category>
		<category><![CDATA[electronic health record]]></category>
		<category><![CDATA[Federal Register]]></category>
		<category><![CDATA[Final rule]]></category>
		<category><![CDATA[health information technology]]></category>
		<category><![CDATA[implementation specifications]]></category>
		<category><![CDATA[Medicare and Medicaid EHR Incentive Program]]></category>
		<category><![CDATA[Office of Management and Budget]]></category>
		<category><![CDATA[Official Web Site]]></category>
		<category><![CDATA[OMB]]></category>
		<category><![CDATA[prepublication inspection]]></category>
		<category><![CDATA[regulatory action]]></category>
		<category><![CDATA[Regulatory Identification Number]]></category>
		<category><![CDATA[RIN]]></category>
		<category><![CDATA[Standards]]></category>
		<category><![CDATA[Temporary Certification Program]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2287</guid>
		<description><![CDATA[On Friday, July 9, 2010, the Office of Management and Budget (OMB) completed review of the two Final Rules:  Health Information Technology:  Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record (RIN:  0991-AB58) and Electronic Health Record (EHR) Incentive Program (RIN: 0938-AP78).  These rules are on a fast track and are expected to be available for prepublication inspection at the Federal Register imminently.]]></description>
<content:encoded><![CDATA[<p>On Friday, July 9, 2010, the Office of Management and Budget (OMB) completed review of the two Final Rules:  <em>Health Information Technology:  Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology </em>(RIN:  0991-AB58) and <em>Electronic Health Record (EHR) Incentive Program </em>(RIN: 0938-AP78).  RIN means Regulation Identifier Number, the number used to track a regulatory action through its development.  These rules are on a fast track, follow on the heels of the June 24 Final Rule:  <em>Establishment of the Temporary Certification Program for Health Information Technology</em> (75 <em>Federal Register </em>36157-36209), and are expected to be available for prepublication inspection at the <em>Federal Register</em> imminently.  For additional information and updates, visit the Centers for Medicare &amp; Medicaid Services (CMS) Official Web Site for Medicare and Medicaid EHR Incentive programs at:  www.cms.gov/ehrincentiveprograms/.   (20100710)</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2010/07/omb-completes-review-of-final-rules-for-ehr-incentive-program-and-for-initial-certification-criteria/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>OCR Reports 107 Breaches Affecting Over 4 Million Individuals (II)</title>
		<link>http://www.hipaa.com/2010/07/ocr-reports-107-breaches-affecting-over-4-million-individuals-ii/</link>
		<comments>http://www.hipaa.com/2010/07/ocr-reports-107-breaches-affecting-over-4-million-individuals-ii/#comments</comments>
		<pubDate>Fri, 09 Jul 2010 13:00:10 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[Enforcement]]></category>
		<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[business associates]]></category>
		<category><![CDATA[covered entities]]></category>
		<category><![CDATA[electronic breaches]]></category>
		<category><![CDATA[hard copy]]></category>
		<category><![CDATA[Health Information Technology for Economic and Clinical Health Act]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[improper disposal]]></category>
		<category><![CDATA[incorrect mailing]]></category>
		<category><![CDATA[loss]]></category>
		<category><![CDATA[OCR]]></category>
		<category><![CDATA[Office for Civil Rights]]></category>
		<category><![CDATA[paper]]></category>
		<category><![CDATA[paper breaches]]></category>
		<category><![CDATA[PHI]]></category>
		<category><![CDATA[posted breaches]]></category>
		<category><![CDATA[protected health information]]></category>
		<category><![CDATA[theft]]></category>
		<category><![CDATA[unauthorized access]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2269</guid>
		<description><![CDATA[The Office for Civil Rights (OCR) regularly updates its Web site listing of breaches affecting 500 or more individuals.  As of July 2, 2010, there were 107 breaches listed that were reported to have occurred between September 22, 2009 and June 11, 2010. Individuals affected by these publicly listed breaches totaled 4,086,980.  Six of the 107 breaches, or 5.6% of the total, affected 3,353,627 individuals, or 82% of the total.  This is the second of three postings that analyzes the data from these 107 breaches.  This posting (II) covers paper breaches.  The first posting (I) covered electronic breaches, and the final posting (III) looks at the prevalence of business associate involvement.]]></description>
			<content:encoded><![CDATA[<p>The Office for Civil Rights (OCR) regularly updates its Web site listing of breaches affecting 500 or more individuals.  As of July 2, 2010, there were 107 breaches listed that were reported to have occurred between September 22, 2009 and June 11, 2010. Individuals affected by these publicly listed breaches totaled 4,086,980.  Six of the 107 breaches, or 5.6% of the total, affected 3,353,627 individuals, or 82% of the total.  This is the second of three postings that analyzes the data from these 107 breaches.  This posting (II) covers paper breaches.  The first posting (I) covered electronic breaches, and the final posting (III) looks at the prevalence of business associate involvement.</p>
<p>Public listing of such breaches is required by the Health Information Technology for Economic and Clinical Health Act (HITECH Act) that was enacted as part of the American Recovery and Reinvestment Act of 2009.  The breach list has been on the OCR Web site since February 23, 2010, the day after OCR began enforcement of breach notification for breaches that occurred on or after February 22.  Excluding seven breaches that were not identified as to location, 25% involved breaches of protected health information (PHI) in hard copy (paper) form and 75% in various electronic forms.</p>
<p>Of the 25 identified hard copy (paper) breaches, the largest category was &#8220;other,&#8221; which suggests that OCR either needs to require more detailed &#8220;what happened&#8221; information from covered entities reporting breaches, or needs to provide greater specificity in the Type of Breach category when covered entities do supply such information.</p>
<p>Of the hard copy (paper) breaches providing information in that category, six involved theft, five unauthorized access, four improper disposal, four loss, and one incorrect mailing.  Included in those totals are three compound types reported by covered entities:  one theft/loss, one theft/unauthorized access, and one improper disposal/loss.</p>
<p>The OCR Web site that lists breaches is at: <a href="http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html" target="_blank">hhs.gov</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2010/07/ocr-reports-107-breaches-affecting-over-4-million-individuals-ii/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HIPAA Privacy, Security, Enforcement Rule Modifications NPRM at Federal Register</title>
		<link>http://www.hipaa.com/2010/07/hipaa-privacy-security-enforcement-rule-modifications-nprm-at-federal-register/</link>
		<comments>http://www.hipaa.com/2010/07/hipaa-privacy-security-enforcement-rule-modifications-nprm-at-federal-register/#comments</comments>
		<pubDate>Thu, 08 Jul 2010 15:40:28 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[Enforcement]]></category>
		<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Federal Register]]></category>
		<category><![CDATA[Health Information Technology for Economic and Clinical Health Act]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[Notice of Proposed Rulemaking]]></category>
		<category><![CDATA[NPRM]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2278</guid>
<description><![CDATA[This morning, July 8, 2010, HHS' Modifications to the HIPAA Privacy, Security, and Enforcement Rules under the Health Information Technology for Economic and Clinical Health Act Notice of Proposed Rulemaking (NPRM) was posted at the Federal Register for public access prior to publication.  It will be published on Wednesday, July 14, 2010.  The 234-page NPRM can be accessed in portable document format (pdf) online at:  http://www.ofr.gov/OFRUpload/OFRData/2010-16718_PI.pdf.  There will be a 60-day comment period relating to the content of the NPRM.]]></description>
			<content:encoded><![CDATA[<p>This morning, July 8, 2010, HHS&#8217; <em>Modifications to the HIPAA Privacy, Security, and Enforcement Rules under the Health Information Technology for Economic and Clinical Health Act </em>Notice of Proposed Rulemaking (NPRM) was posted at the <em>Federal Register</em> for public access prior to publication.  It will be published on Wednesday, July 14, 2010.  The 234-page NPRM can be accessed in portable document format (pdf) online at:  http://www.ofr.gov/OFRUpload/OFRData/2010-16718_PI.pdf.  There will be a 60-day comment period relating to the content of the NPRM.  HIPAA.com will provide a synopsis of the NPRM in a series of postings following publication in the <em>Federal Register</em>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2010/07/hipaa-privacy-security-enforcement-rule-modifications-nprm-at-federal-register/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Final Rules for EHR Incentives and Certification Criteria at OMB for Review</title>
		<link>http://www.hipaa.com/2010/07/final-rules-for-ehr-incentives-and-certification-criteria-at-omb-for-review/</link>
		<comments>http://www.hipaa.com/2010/07/final-rules-for-ehr-incentives-and-certification-criteria-at-omb-for-review/#comments</comments>
		<pubDate>Thu, 08 Jul 2010 15:00:03 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Meaningful Use]]></category>
		<category><![CDATA[annual incentives]]></category>
		<category><![CDATA[certification criteria]]></category>
		<category><![CDATA[Certified EHR]]></category>
		<category><![CDATA[DEPARTMENT OF HEALTH AND HUMAN SERVICES]]></category>
		<category><![CDATA[EHR]]></category>
		<category><![CDATA[EHR financial incentives]]></category>
		<category><![CDATA[electronic health record]]></category>
		<category><![CDATA[eligible professionals]]></category>
		<category><![CDATA[EO 12866]]></category>
		<category><![CDATA[EP]]></category>
		<category><![CDATA[Executive Order]]></category>
		<category><![CDATA[February 17 2009]]></category>
		<category><![CDATA[Federal Register]]></category>
		<category><![CDATA[Final rule]]></category>
		<category><![CDATA[Health Information Technology for Economic and Clinical Health Act]]></category>
		<category><![CDATA[HHS]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[hospitals]]></category>
		<category><![CDATA[implementation specifications]]></category>
		<category><![CDATA[Interim Final Rule]]></category>
		<category><![CDATA[January 13 2010]]></category>
		<category><![CDATA[Medicaid EHR incentive program]]></category>
		<category><![CDATA[Medicare EHR incentive program]]></category>
		<category><![CDATA[Medicare penalties]]></category>
		<category><![CDATA[Notice of Proposed Rulemaking]]></category>
		<category><![CDATA[NPRM]]></category>
		<category><![CDATA[Office of Management and Budget]]></category>
		<category><![CDATA[OMB]]></category>
		<category><![CDATA[policies and procedures]]></category>
		<category><![CDATA[Regulatory Planning and Review]]></category>
		<category><![CDATA[Standards]]></category>
		<category><![CDATA[statutory deadlines]]></category>
		<category><![CDATA[Temporary Certification Program for HIT]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2259</guid>
<description><![CDATA[The Office of Management and Budget (OMB) received in early July for Executive Order (EO) 12866 Regulatory Planning and Review two Final Rules relating to electronic health record (EHR) incentives and certification criteria required under the Health Information Technology for Economic and Clinical Health Act (HITECH Act) that was enacted on February 17, 2009 as part of the American Recovery and Reinvestment Act of 2009.  On Friday, July 2, 2010, OMB received from the Office of the Secretary at the Department of Health and Human Services (HHS) for review Health Information Technology:  Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology; Final Rule.  On Monday, July 5, 2010, OMB received from HHS' Centers for Medicare &#38; Medicaid Services (CMS) for review Electronic Health Record (EHR) Incentive Program; Final Rule. 
]]></description>
			<content:encoded><![CDATA[<p>The Office of Management and Budget (OMB) received in early July for Executive Order (EO) 12866 Regulatory Planning and Review two Final Rules relating to electronic health record (EHR) incentives and certification criteria required under the Health Information Technology for Economic and Clinical Health Act (HITECH Act) that was enacted on February 17, 2009 as part of the American Recovery and Reinvestment Act of 2009.</p>
<p>On Friday, July 2, 2010, OMB received from the Office of the Secretary at the Department of Health and Human Services (HHS) for review <em>Health Information Technology:  Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology; Final Rule</em>.  The Interim Final Rule was issued on January 13, 2010, was effective February 12, 2010, and the public comment period ended on March 15, 2010.  From the Abstract:  &#8220;The certification criteria adopted in this initial set establish the technical capabilities and related standards that certified electronic health record (EHR) technology will need to include in support of the Medicare and Medicaid EHR Incentive Programs.&#8221;</p>
<p>On Monday, July 5, 2010, OMB received from HHS&#8217; Centers for Medicare &amp; Medicaid Services (CMS) for review <em>Electronic Health Record (EHR) Incentive Program; Final Rule. </em> The Notice of Proposed Rulemaking (NPRM) was issued on January 13, 2010 (75 <em>Federal Register</em> 1843), and the public comment period ended on March 15, 2010.  From the Abstract:  &#8220;The Medicare and Medicaid Health IT provisions in the American Recovery and Reinvestment Act of 2009 promote the adoption and meaningful use of certified electronic health records (EHRs).  The Recovery Act authorized incentive payments for eligible professionals (EPs) and hospitals participating in Medicare and Medicaid for becoming meaningful users of certified EHRs.  The law established maximum annual incentive amounts and includes Medicare penalties for failing to meaningfully use EHRs beginning in 2015, for professionals and hospitals that fail to adopt certified EHRs.&#8221;  This rule outlines statutory deadlines for the programs:</p>
<p>January 1, 2011:  Date can start incentive payments to EPs (Medicare)</p>
<p>October 1, 2010:  Date can start incentive payments to hospitals (Medicare)</p>
<p>The rule &#8220;[e]stablishes policies and procedures required before the incentive program can begin.  Additionally, supplemental payments are available in 2011 and 2012.  If eligible professionals and hospitals are not meaningful Electronic Health Record users by 2015, there will be a Medicare payment adjustment imposed.&#8221;</p>
<p>These two rules go together.  Because of upcoming deadlines, and because the information they contain relates to the Final Rule published in the <em>Federal Register</em> on June 24, 2010:  <em>Establishment of the Temporary Certification Program for Health Information Technology; Final Rule</em> (75 <em>Federal Register</em> 36157), it is likely that OMB will expedite review of the two referenced final rules, and that publication in the <em>Federal Register</em> will occur shortly thereafter.  (20100706)</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2010/07/final-rules-for-ehr-incentives-and-certification-criteria-at-omb-for-review/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>OMB Completes Review of HIPAA/HITECH Act Privacy, Security, Enforcement Rule Modifications NPRM</title>
		<link>http://www.hipaa.com/2010/07/omb-completes-review-of-hipaahitech-act-privacy-security-enforcement-rule-modifications-nprm/</link>
		<comments>http://www.hipaa.com/2010/07/omb-completes-review-of-hipaahitech-act-privacy-security-enforcement-rule-modifications-nprm/#comments</comments>
		<pubDate>Wed, 07 Jul 2010 14:00:18 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[Enforcement]]></category>
		<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[access]]></category>
		<category><![CDATA[American Recovery and Reinvestment Act of 2009]]></category>
		<category><![CDATA[annual guidance]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[business associate]]></category>
		<category><![CDATA[covered entity]]></category>
		<category><![CDATA[criminal penalty]]></category>
		<category><![CDATA[disclosures]]></category>
		<category><![CDATA[electronic format]]></category>
		<category><![CDATA[Federal Register]]></category>
		<category><![CDATA[Health Care Operations]]></category>
		<category><![CDATA[Health Information Technology for Economic and Clinical Health Act]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[modification]]></category>
		<category><![CDATA[Notice of Proposed Rulemaking]]></category>
		<category><![CDATA[NPRM]]></category>
		<category><![CDATA[Office of Management and Budget]]></category>
		<category><![CDATA[OMB]]></category>
		<category><![CDATA[personal health record]]></category>
		<category><![CDATA[protected health information]]></category>
		<category><![CDATA[Public Law 111-5]]></category>
		<category><![CDATA[restrictions]]></category>
		<category><![CDATA[RIN 0991-AB57]]></category>
		<category><![CDATA[rule]]></category>
		<category><![CDATA[statutory provisions]]></category>
		<category><![CDATA[Subtitle D]]></category>
		<category><![CDATA[vendor]]></category>
		<category><![CDATA[wrongful disclosure]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2250</guid>
<description><![CDATA[On July 1, 2010, the Office of Management and Budget (OMB) completed review of the Notice of Proposed Rulemaking (NPRM) entitled:  Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] (RIN:  0991-AB57).  The NPRM was received at OMB for review on April 12, 2010.  It likely will be published in the Federal Register imminently.]]></description>
			<content:encoded><![CDATA[<p>On July 1, 2010, the Office of Management and Budget (OMB) completed review of the Notice of Proposed Rulemaking (NPRM) entitled: <em>Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act</em> [HITECH Act] (RIN:  0991-AB57).  The NPRM was received at OMB for review on April 12, 2010.  It likely will be published in the <em>Federal Register</em> imminently.</p>
<p>Legal authority for the NPRM is in Sections 13400 to 13410 of Subtitle D (Privacy) of the HITECH Act, which was enacted on February 17, 2009, as part of the American Recovery and Reinvestment Act of 2009 (Public Law 111-5). Those sections cover:</p>
<p>13400:  Definitions</p>
<p>13401:  Application of Security Provisions and Penalties to Business Associates of Covered Entities; Annual Guidance on Security Provisions</p>
<p>13402:  Notification in the Case of Breach</p>
<p>13403:  Education on Health Information Privacy</p>
<p>13404:  Application of Privacy Provisions and Penalties to Business Associates of Covered Entities</p>
<p>13405:  Restrictions on Certain Disclosures and Sales of Health Information; Accounting of Certain Protected Health Information Disclosures; Access to Certain Information in Electronic Format</p>
<p>13406:  Conditions on Certain Contacts as Part of Health Care Operations</p>
<p>13407:  Temporary Breach Notification Requirement for Vendors of Personal Health Records and Other Non-HIPAA Covered Entities</p>
<p>13408:  Business Associate Contracts Required for Certain Entities</p>
<p>13409:  Clarification of Application of Wrongful Disclosures Criminal Penalties</p>
<p>13410:  Improved Enforcement</p>
<p>These sections appear in Subtitle D (Privacy) on pp. 258-276 of Public Law 111-5, which is available for download on hipaa.com.  The NPRM provides the implementing rules for statutory provisions drawn from some or all of those sections.</p>
<p>The Abstract of the NPRM is:</p>
<p>&#8220;The Department of Health and Human Services Office for Civil Rights will issue rules to modify the HIPAA Privacy, Security, and Enforcement Rules as necessary to implement the privacy, security, and certain enforcement provisions of subtitle D of the [HITECH Act](Title XIII of the American Recovery and Reinvestment Act of 2009).&#8221;</p>
<p>In addition to the NPRM discussed above, OMB still has under review the Final Rule entitled:  <em>HIPAA Administrative Simplification; Notification in the Case of Breach </em>(RIN:  0991-AB56), which would replace the Interim Final Rule that was published in the <em>Federal Register</em> on August 24, 2009 (74 <em>Federal Register</em> 42739-42770).</p>
<p>The Abstract of the Final Rule is:</p>
<p>&#8220;The Department will issue final rules for HIPAA covered entities and business associates with respect to breach notification of unsecured protected health information as required by section 13402 of the [HITECH Act](Title XIII of the American Recovery and Reinvestment Act of 2009).&#8221;</p>
<p>(20100705)</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2010/07/omb-completes-review-of-hipaahitech-act-privacy-security-enforcement-rule-modifications-nprm/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>OCR Reports 107 Breaches Affecting Over 4 Million Individuals (I)</title>
		<link>http://www.hipaa.com/2010/07/ocr-reports-107-breaches-affecting-over-4-million-individuals-i/</link>
		<comments>http://www.hipaa.com/2010/07/ocr-reports-107-breaches-affecting-over-4-million-individuals-i/#comments</comments>
		<pubDate>Tue, 06 Jul 2010 13:43:55 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[Enforcement]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[4 million]]></category>
		<category><![CDATA[affected individuals]]></category>
		<category><![CDATA[American Recovery and Reinvestment Act of 2009]]></category>
		<category><![CDATA[August 24 2009 Guidance]]></category>
		<category><![CDATA[backup tape]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[breach notification rule]]></category>
		<category><![CDATA[breaches]]></category>
		<category><![CDATA[business associate]]></category>
		<category><![CDATA[CD]]></category>
		<category><![CDATA[computer]]></category>
		<category><![CDATA[desktop]]></category>
		<category><![CDATA[electronic form]]></category>
		<category><![CDATA[electronic medical record]]></category>
		<category><![CDATA[EMR]]></category>
		<category><![CDATA[encrypted]]></category>
		<category><![CDATA[financial harms]]></category>
		<category><![CDATA[hacking incident]]></category>
		<category><![CDATA[hard copy]]></category>
		<category><![CDATA[hard disk]]></category>
		<category><![CDATA[Health Information Technology for Economic and Clinical Health Act]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[July 4th]]></category>
		<category><![CDATA[laptops]]></category>
		<category><![CDATA[loss]]></category>
		<category><![CDATA[OCR]]></category>
		<category><![CDATA[OCR Web site]]></category>
		<category><![CDATA[Office for Civil Rights]]></category>
		<category><![CDATA[paper]]></category>
		<category><![CDATA[PHI]]></category>
		<category><![CDATA[portable device]]></category>
		<category><![CDATA[protected health information]]></category>
		<category><![CDATA[reputational harms]]></category>
		<category><![CDATA[secure protected health information]]></category>
		<category><![CDATA[server]]></category>
		<category><![CDATA[theft]]></category>
		<category><![CDATA[unauthorized access]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2245</guid>
		<description><![CDATA[As of the July 4th holiday weekend, the Office for Civil Rights (OCR) has again updated its Web site listing of breaches affecting 500 or more individuals.  As of July 2, 2010, there were 107 breaches listed that were reported to have occurred between September 22, 2009 and June 11, 2010. Individuals affected by these publicly listed breaches totaled 4,086,980.  Six of the 107 breaches, or 5.6% of the total, affected 3,353,627 individuals, or 82% of the total.  This is the first of three postings analyzing the data from these 107 breaches.  This posting (I) covers electronic breaches, the next posting (II) covers hard copy (paper) breaches, and the final posting (III) looks at the prevalence of business associate involvement.]]></description>
			<content:encoded><![CDATA[<p>As of the July 4th holiday weekend, the Office for Civil Rights (OCR) has again updated its Web site listing of breaches affecting 500 or more individuals.  As of July 2, 2010, there were 107 breaches listed that were reported to have occurred between September 22, 2009 and June 11, 2010. Individuals affected by these publicly listed breaches totaled 4,086,980.  Six of the 107 breaches, or 5.6% of the total, affected 3,353,627 individuals, or 82% of the total.  This is the first of three postings analyzing the data from these 107 breaches.  This posting (I) covers electronic breaches, the next posting (II) covers hard copy (paper) breaches, and the final posting (III) looks at the prevalence of business associate involvement.</p>
<p>Public listing of such breaches is required by the Health Information Technology for Economic and Clinical Health Act (HITECH Act) that was enacted as part of the American Recovery and Reinvestment Act of 2009.  The breach list has been on the OCR Web site since February 23, 2010, the day after OCR began enforcement of breach notification for breaches that occurred on or after February 22.  Excluding seven breaches that were not identified as to location, 25% involved breaches of protected health information (PHI) in hard copy (paper) form and 75% in various electronic forms.  Of the electronic breaches, which included several in multiple electronic forms, 34 involved laptops, 15 desktops, 11 portable devices, 9 servers, and the remaining 11 miscellaneous forms (2 hard disks, 2 computers (not otherwise identified), 2 backup tapes, 2 electronic medical records (EMRs), 2 other (not identified), and 1 CD).</p>
<p>Of the 75 electronic breaches, 58, or 77%, involved theft, and 11, or 15%, involved unauthorized access, with 7 of those 11 also reported in association with theft.  There were six reported losses, or 8%, with 2 of those 6 also reported in association with theft.  There were four reported hacking incidents, or 5%, with 1 of those 4 also reported in association with unauthorized access.  Finally, there were 6, or 8%, defined as other, with 1 of those 6 also reported in association with theft.</p>
<p>Of the 34 breaches involving a laptop, 32, or 94%, involved a theft, and the remaining 2 breaches, or 6%, involved a loss. Of the 11 breaches involving a portable device, 10, or 91%, involved a theft, with one, or 9%, a loss.  Whether a theft or loss, the evidence from the growing number of publicly reported breaches is that portable computers and devices <strong>must</strong> be encrypted to secure protected health information, in accordance with the August 24, 2009, <em>Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals</em> (74 <em>Federal Register</em> 42742-42743), in order to avoid the growing costs to breaching entities of complying with provisions of the breach notification rule, reputational harms to those entities, and financial and inconvenience harms to affected individuals. [20100702]</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2010/07/ocr-reports-107-breaches-affecting-over-4-million-individuals-i/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>ONC Releases Final Rule for Temporary HIT Certification Program</title>
		<link>http://www.hipaa.com/2010/06/onc-releases-final-rule-for-temporary-hit-certification-program/</link>
		<comments>http://www.hipaa.com/2010/06/onc-releases-final-rule-for-temporary-hit-certification-program/#comments</comments>
		<pubDate>Fri, 18 Jun 2010 18:35:39 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Meaningful Use]]></category>
		<category><![CDATA[Certified EHR Technology]]></category>
		<category><![CDATA[Complete Electronic Health Records]]></category>
		<category><![CDATA[DEPARTMENT OF HEALTH AND HUMAN SERVICES]]></category>
		<category><![CDATA[EHR Modules]]></category>
		<category><![CDATA[federal fiscal year]]></category>
		<category><![CDATA[Federal Register]]></category>
		<category><![CDATA[Final rule]]></category>
		<category><![CDATA[FY 2011]]></category>
		<category><![CDATA[health information technology]]></category>
		<category><![CDATA[Health Information Technology for Economic and Clinical Health Act]]></category>
		<category><![CDATA[HHS]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[January 2011]]></category>
		<category><![CDATA[Medicaid Incentive Program]]></category>
		<category><![CDATA[Medicare Incentive Program]]></category>
		<category><![CDATA[National Coordinator]]></category>
		<category><![CDATA[National Coordinator for Health Information Technology]]></category>
		<category><![CDATA[ONC]]></category>
		<category><![CDATA[pdf]]></category>
		<category><![CDATA[PHSA]]></category>
		<category><![CDATA[Public Health Service Act]]></category>
		<category><![CDATA[Temporary Certification Program for HIT]]></category>
		<category><![CDATA[testing and certifying]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2234</guid>
		<description><![CDATA[On Friday afternoon, June 18, the Office of the National Coordinator for Health Information Technology (ONC) of the Department of Health and Human Services (HHS) released the final rule:  Establishment of the Temporary Certification Program for Health Information Technology.   The final rule can be viewed in portable document format (pdf) online at:  www.federalreigster.gov/OFRUpload/OFRData/2010-14999_PI.pdf.  The final rule will be published in the Federal Register, most likely next week, and will be effective upon date of publication.  This temporary certification program will cover testing and certification of EHR technology that will be eligible for the Medicare and Medicaid financial incentive programs relating to meaningful use of such technology that was authorized under the HITECH Act.]]></description>
			<content:encoded><![CDATA[<p>On Friday afternoon, June 18, the Office of the National Coordinator for Health Information Technology (ONC) of the Department of Health and Human Services (HHS) released the final rule:  <em>Establishment of the Temporary Certification Program for Health Information Technology</em>.   The final rule can be viewed in portable document format (pdf) online at:  <a href="http://www.federalreigster.gov/OFRUpload/OFRData/2010-14999_PI.pdf">http://www.federalreigster.gov/&#8230;</a>. The final rule will be published in the Federal Register, most likely next week, and will be effective upon date of publication.</p>
<p>The summary of the final rule is reproduced here:</p>
<p>&#8220;This final rule establishes a temporary certification program for the purposes of testing and certifying health information technology.  This final rule is established under the authority granted to the National Coordinator for Health Information Technology (the National Coordinator) by section 3001(c)(5) of the Public Health Service Act (PHSA), as added by the Health Information Technology for Economic and Clinical Health (HITECH) Act.  The National Coordinator will utilize the temporary certification program to authorize organizations to test and certify Complete Electronic Health Records (EHRs) and/or EHR Modules, thereby making Certified EHR Technology available prior to the date on which health care providers seeking incentive payments available under the Medicare and Medicaid Incentive Programs may begin demonstrating meaningful use of Certified EHR Technology.&#8221;</p>
<p>The Medicare incentive program mentioned in the summary is expected to start in January 2011 and the Medicaid incentive program may start as early as the beginning of the fourth quarter of 2010, when the new federal fiscal year (FY 2011) starts.  (20100618)</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2010/06/onc-releases-final-rule-for-temporary-hit-certification-program/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Final Rule on EHR Certification Programs Imminent</title>
		<link>http://www.hipaa.com/2010/06/final-rule-on-ehr-certification-programs-imminent/</link>
		<comments>http://www.hipaa.com/2010/06/final-rule-on-ehr-certification-programs-imminent/#comments</comments>
		<pubDate>Wed, 16 Jun 2010 13:36:45 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Meaningful Use]]></category>
		<category><![CDATA[accreditation]]></category>
		<category><![CDATA[certification]]></category>
		<category><![CDATA[Certified EHR Technology]]></category>
		<category><![CDATA[Complete EHR]]></category>
		<category><![CDATA[EHR Incentives Program]]></category>
		<category><![CDATA[EHR Module]]></category>
		<category><![CDATA[Federal Register]]></category>
		<category><![CDATA[Final rule]]></category>
		<category><![CDATA[FY 2011]]></category>
		<category><![CDATA[health information technology]]></category>
		<category><![CDATA[Health Information Technology for Economic and Clinical Health Act]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[incentive payments]]></category>
		<category><![CDATA[Medicaid]]></category>
		<category><![CDATA[Medicare]]></category>
		<category><![CDATA[National Coordinator for Health Information Technology]]></category>
		<category><![CDATA[Office of Management and Budget]]></category>
		<category><![CDATA[OMB]]></category>
		<category><![CDATA[PHSA]]></category>
		<category><![CDATA[Proposed rule]]></category>
		<category><![CDATA[Public Health Service Act]]></category>
		<category><![CDATA[section 3001(c)(5)]]></category>
		<category><![CDATA[surveillance]]></category>
		<category><![CDATA[testing and certifying]]></category>
		<category><![CDATA[voluntary certification]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2228</guid>
		<description><![CDATA[The Office of Management and Budget (OMB) completed its review of the Proposed Establishment of Certification Programs for Health Information Technology final rule on June 14, 2010, so publication in the Federal Register is imminent.  This final rule explains the proposed establishment of certification programs for voluntary certification of health information technology, as specified in section 3001(c)(5) of the HITECH Act, which is available on the hipaa.com site.  This final rule is a follow-on to the proposed rule of the same title that was published in the Federal Register on March 10, 2010 (75 Federal Register 11327-11373).]]></description>
			<content:encoded><![CDATA[<p>The Office of Management and Budget (OMB) completed its review of the <em>Proposed Establishment of Certification Programs for Health Information Technology</em> final rule on June 14, 2010, so publication in the Federal Register is imminent.  This final rule explains the proposed establishment of certification programs for voluntary certification of health information technology, as specified in section 3001(c)(5) of the HITECH Act, which is available on the hipaa.com site.  This final rule is a follow-on to the proposed rule of the same title that was published in the Federal Register on March 10, 2010 (75 <em>Federal Register</em> 11327-11373), the summary of which appears below.</p>
<p>&#8220;Under the authority granted to the National Coordinator for Health Information Technology (the National Coordinator) by section 3001(c)(5) of the Public Health Service Act (PHSA) as added by the Health Information Technology for Economic and Clinical Health (HITECH) Act, this rule proposes the establishment of two certification programs for purposes of testing and certifying health information technology.  While two certification programs are described in this proposed rule, we anticipate issuing separate final rules for each of the programs.  <strong>The first proposal would establish a temporary certification program whereby the National Coordinator would authorize organizations to test and certify Complete EHRs and/or EHR Modules, thereby assuring the availability of Certified EHR Technology prior to the date on which health care providers seeking the incentive payments available under the Medicare and Medicaid EHR Incentives Program may begin demonstrating meaningful use of Certified EHR Technology.</strong> The second proposal would establish a permanent certification program to replace the temporary certification program.  The permanent certification program would separate the responsibilities for performing testing and certification, introduce accreditation requirements, establish requirements for certification bodies authorized by the National Coordinator related to the surveillance of Certified EHR Technology, and would include the potential for certification bodies authorized by the National Coordinator to certify other types of health information technology besides Complete EHRs and EHR Modules.&#8221; (75 <em>Federal Register </em>11328) [emphasis added]</p>
<p>As the incentive programs for Medicare begin in 2011 and for Medicaid perhaps as early as the beginning of FY 2011 in October 2010, it is likely that the final rule relates to the temporary certification program as described in the bolded portion of the summary above.  (20100616)</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2010/06/final-rule-on-ehr-certification-programs-imminent/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Reported Breaches of 500 or More Individuals up to 93 and Affecting Over 2.5 Million Individuals; Enforcement and Penalties</title>
		<link>http://www.hipaa.com/2010/06/reported-breaches-of-500-or-more-individuals-up-to-93-and-affecting-over-2-5-million-individuals-enforcement-and-penalties/</link>
		<comments>http://www.hipaa.com/2010/06/reported-breaches-of-500-or-more-individuals-up-to-93-and-affecting-over-2-5-million-individuals-enforcement-and-penalties/#comments</comments>
		<pubDate>Mon, 07 Jun 2010 13:50:24 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[Enforcement]]></category>
		<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[breach notification rule]]></category>
		<category><![CDATA[breaches]]></category>
		<category><![CDATA[complaint investigation]]></category>
		<category><![CDATA[compliance audit]]></category>
		<category><![CDATA[covered entity]]></category>
		<category><![CDATA[DEPARTMENT OF HEALTH AND HUMAN SERVICES]]></category>
		<category><![CDATA[electronic]]></category>
		<category><![CDATA[electronic media or devices]]></category>
		<category><![CDATA[Federal Register]]></category>
		<category><![CDATA[Georgina Verdugo]]></category>
		<category><![CDATA[HHS]]></category>
		<category><![CDATA[HIPAA Privacy]]></category>
		<category><![CDATA[HIPAA security]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[Interim Final Rule]]></category>
		<category><![CDATA[noncompliance]]></category>
		<category><![CDATA[Notice of Proposed Rulemaking]]></category>
		<category><![CDATA[NPRM]]></category>
		<category><![CDATA[OCR]]></category>
		<category><![CDATA[OCR Director]]></category>
		<category><![CDATA[Office for Civil Rights]]></category>
		<category><![CDATA[penalties]]></category>
		<category><![CDATA[penalty tiers]]></category>
		<category><![CDATA[protected health information]]></category>
		<category><![CDATA[violations]]></category>
		<category><![CDATA[willful neglect]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2217</guid>
		<description><![CDATA[As of Friday, June 4, 2010, 93 breaches affecting 500 or more individuals have been reported on the Office for Civil Rights (OCR) Web site.  The total number affected has gone beyond 2.5 million individuals today, and stands at 2,565,352 individuals.  Of the 87 breaches identified as involving hard copy or electronic protected health information, 26% involve hard copy or paper records and 74% records on electronic media or devices.  Overall, 71% of the 93 breaches involve theft or loss of records, many of which might have been avoided by appropriate securing of hard copy records and electronic media and devices.  Below we remind readers of the Department of Health and Human Services (HHS) enforcement efforts for violations of the HIPAA Privacy and Security rules, and the increased penalty structure for violations of those rules and the HITECH Act Breach Notification Rule.]]></description>
			<content:encoded><![CDATA[<p>As of Friday, June 4, 2010, 93 breaches affecting 500 or more individuals have been reported on <a href="http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html" target="_blank">the Office for Civil Rights (OCR) Web site</a>. The total number affected has gone beyond 2.5 million individuals today, and stands at 2,565,352 individuals.  Of the 87 breaches identified as involving hard copy or electronic protected health information, 26% involve hard copy or paper records and 74% records on electronic media or devices.  Overall, 71% of the 93 breaches involve theft or loss of records, many of which might have been avoided by appropriate securing of hard copy records and electronic media and devices.  Below we remind readers of the Department of Health and Human Services (HHS) enforcement efforts for violations of the HIPAA Privacy and Security rules, and the increased penalty structure for violations of those rules and the HITECH Act Breach Notification Rule.</p>
<p>On October 30, 2009, HHS published in the Federal Register the Interim Final Rule (IFR):  HIPAA Administrative Simplification:  Enforcement.[1] This IFR strengthened HIPAA enforcement by implementing the HITECH Act penalty revisions enacted on February 17, 2009, which were effective for violations beginning on February 18, 2009.  The enforcement IFR was effective on November 30, 2009.  This IFR followed by several months HHS Secretary Kathleen Sebelius’ delegation of enforcement of the HIPAA Security Rule to the Office for Civil Rights (OCR)[2], which has had HIPAA Privacy Rule enforcement responsibilities since the April 14, 2003, compliance date for the Privacy Rule.</p>
<p>OCR’s unified enforcement of the HIPAA Privacy Rule, HIPAA Security Rule, and the Breach Notification Rule, together with the higher penalties, increases the likelihood and severity of the consequences of noncompliance with those rules, especially with the advent of compliance audits in addition to complaint investigations.</p>
<p>Before the HITECH Act penalty revisions enacted on February 17, 2009, civil penalties for HIPAA violations were $1,000 for each violation or $25,000 for all violations of the same provision in a calendar year period.  Under the HITECH Act, penalties are substantially increased and have been divided into four tiers, with a maximum of $1.5 million for all violations of an identical provision in a calendar year.  The tiered penalties now range as follows, for each violation:</p>
<ul>
<li>$100-$50,000 if the covered entity did not know and, by exercising reasonable diligence, would not have known, that it violated such provision.</li>
<li>$1,000-$50,000 if the violation was due to reasonable cause and not to willful neglect.</li>
<li>$10,000-$50,000 if the violation was due to willful neglect and was corrected “during the 30-day period beginning on the first date the covered entity liable for the penalty knew, or, by exercising reasonable diligence, would have known that the violation occurred.”[3]</li>
<li>$50,000 or more if the violation was due to willful neglect and was not corrected as required.</li>
</ul>
<p>In announcing strengthened enforcement, OCR Director Georgina Verdugo said:</p>
<p>“The Department’s implementation of these HITECH Act enforcement provisions will strengthen the HIPAA protections and rights related to an individual’s health information…. This strengthened penalty scheme will encourage health care providers, health plans and other health care entities required to comply with HIPAA to ensure that their compliance programs are effectively designed to prevent, detect and quickly correct violations of the HIPAA rules…  Such heightened vigilance will give consumers greater confidence in the privacy and security of their health information and in the industry’s use of health information technology.”[4]</p>
<p>Currently under review at OMB is a Notice of Proposed Rulemaking (NPRM):  Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act.[5] According to the Abstract:  “The Department of Health and Human Services Office for Civil Rights will issue rules to modify the HIPAA Privacy, Security, and Enforcement Rules as necessary to implement the privacy, security, and certain enforcement provisions of subtitle D [Privacy] of the [HITECH Act].”  After clearance at OMB, the NPRM will be published in the Federal Register.  Be alert to NPRM modifications to privacy, security, and enforcement requirements, and to the likelihood of relatively quick (by HIPAA time standards) compliance dates for each through follow-on interim final rules.</p>
<p>Please visit <a href="http://www.hhs.gov/ocr/privacy/hipaa/enforcement/index.html" target="_blank">the OCR Enforcement Web site</a> for additional information now and updated information in the future.</p>
<hr size="1" noshade="noshade" />
<p>[1] Department of Health and Human Services, Office of the Secretary, “45 CFR Part 160, HIPAA Administrative Simplification:  Enforcement; Interim Final Rule,” Federal Register, v.74, n.209, October 30, 2009, pages 56123-56131. Citations to this document are in the format:  74 FR page(s).  This document is available online at: www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/enfifr.pdf.</p>
<p>[2] OCR also is responsible for enforcement of the HITECH Act Breach Notification Rule.  The delegation of enforcement of the HIPAA Security Rule was from the Centers for Medicare &amp; Medicaid Services (CMS), which retains enforcement authority for the HIPAA Transaction and Code Set and Identifiers Rules.  See Department of Health and Human Services, Office of the Secretary, “Office for Civil Rights; Delegation of Authority,” Federal Register, v.74, n.148, August 4, 2009, page 38630.  This document is available online at: www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/srdelegation.pdf.</p>
<p>[3] 74 Federal Register 56131.</p>
<p>[4] Department of Health and Human Services, “HHS Strengthens HIPAA Enforcement,” news release, October 30, 2009, which is available online at:  http://www.hhs.gov/news/press/2009pres/10/20091030a.html.</p>
<p>[5] This document, Regulation Identifier Number (RIN) 0991-AB57, was received at OMB on April 12, 2010, and attributes of this NPRM, but not its content, are available online at: http://www.reginfo.gov/public/do/eAgendaViewRule?pubId=201004&amp;RIN=0991-AB57.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2010/06/reported-breaches-of-500-or-more-individuals-up-to-93-and-affecting-over-2-5-million-individuals-enforcement-and-penalties/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>FTC Delays Enforcement of FTC Red Flags Rule Fifth Time</title>
		<link>http://www.hipaa.com/2010/06/ftc-delays-enforcement-of-ftc-red-flags-rule-fifth-time/</link>
		<comments>http://www.hipaa.com/2010/06/ftc-delays-enforcement-of-ftc-red-flags-rule-fifth-time/#comments</comments>
		<pubDate>Thu, 03 Jun 2010 13:50:33 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[Enforcement]]></category>
		<category><![CDATA[Red Flags Rules]]></category>
		<category><![CDATA[American Medical Association]]></category>
		<category><![CDATA[American Osteopathic Association]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[Congress]]></category>
		<category><![CDATA[creditor]]></category>
		<category><![CDATA[deadline]]></category>
		<category><![CDATA[defer payments]]></category>
		<category><![CDATA[delay]]></category>
		<category><![CDATA[doctor-patient relationship]]></category>
		<category><![CDATA[effective date]]></category>
		<category><![CDATA[Enforcement Policy Statement]]></category>
		<category><![CDATA[Federal Trade Commission]]></category>
		<category><![CDATA[FTC]]></category>
		<category><![CDATA[H.R. 3763]]></category>
		<category><![CDATA[ID theft]]></category>
		<category><![CDATA[Identity Theft]]></category>
		<category><![CDATA[lawsuit]]></category>
		<category><![CDATA[legislation]]></category>
		<category><![CDATA[Medical Society of the District of Columbia]]></category>
		<category><![CDATA[patient care]]></category>
		<category><![CDATA[physicians]]></category>
		<category><![CDATA[Red Flags Rule]]></category>
		<category><![CDATA[S.3416]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2210</guid>
		<description><![CDATA[The FTC Red Flags Rule compliance deadline was extended three times from the original date of November 1, 2008, to an expected compliance date of November 1, 2009.  Just prior to that date, the FTC extended the deadline for compliance a fourth time, to June 1, 2010.  On May 28, 2010, the June 1, 2010, compliance date was extended a fifth time, to December 31, 2010.]]></description>
			<content:encoded><![CDATA[<p>The FTC Red Flags Rule compliance deadline was extended three times from the original date of November 1, 2008, to an expected compliance date of November 1, 2009.  Just prior to that date, the FTC extended the deadline for compliance a fourth time, to June 1, 2010.  On May 28, 2010, the June 1, 2010, compliance date was extended a fifth time, to December 31, 2010<a href="#_ftn1">[1]</a>:</p>
<p>“At the request of several Members of Congress, the Federal Trade Commission is further delaying enforcement of the ‘Red Flags’ Rule through December 31, 2010, while Congress considers legislation that would affect the scope of entities covered by the Rule.  Today’s announcement and the release of an Enforcement Policy Statement do not affect other federal agencies’ enforcement of the original November 1, 2008 deadline for institutions subject to their oversight to be in compliance….</p>
<p>“The Commission urges Congress to act quickly to pass legislation that will resolve any questions as to which entities are covered by the Rule and obviate the need for further enforcement delays.  If Congress passes legislation limiting the scope of the Red Flags Rule with an effective date earlier than December 31, 2010, the Commission will begin enforcement as of that effective date.”</p>
<p>The issue regarding the delays in FTC enforcement relates to “scope of entities covered by the Rule,” as indicated in the FTC news release.  Congress is taking action<a href="#_ftn2">[2]</a>:</p>
<p>“House lawmakers in October [2009] passed H.R. 3763<a href="#_ftn3">[3]</a>, which would exclude from the Red Flags guidelines meaning of ‘creditor’ any healthcare, accounting, or legal practice with 20 or fewer employees, as well as any other business which the FTC determines knows all its customers or clients individually; only performs services in or around the residences of its customers; or hasn’t experienced incidents of ID theft, and identity theft is rare for businesses of that type.  An identical bill, S.3416 was introduced in the Senate on May 25 [2010].”</p>
<p>A lawsuit was filed in federal court on May 21, 2010, to accomplish a similar objective of narrowing scope of entities covered by the Rule.  “[T]he American Medical Association, American Osteopathic Association and the Medical Society of the District of Columbia filed a lawsuit in federal court  challenging the decision to classify physicians as ‘creditors’ because they allow patients to defer payments.  The medical groups also said the implementation of the Red Flags Rule could threaten doctor-patient relationships and negatively affect patient care (Sorrel, <em>American Medical News</em>, 5/31).”<a href="#_ftn4">[4]</a></p>
<p>Please visit the FTC Red Flags Rule Web site: <a href="http://www.ftc.gov/redflagsrule">http://www.ftc.gov/redflagsrule</a> or the American Medical Association (AMA) Web site: <a href="http://www.ama-assn.org/ama/no-index/physician-resources/red-flags-rule.shtml">http://www.ama-assn.org/ama/no-index/physician-resources/red-flags-rule.shtml</a> for additional information. (20100603)</p>
<hr size="1" /><p><a href="#_ftnref">[1]</a> Federal Trade Commission, “FTC Extends Enforcement Deadline for Identity Theft Red Flags Rules,” news release, May 28, 2010, which is available online at:  <a href="http://www.ftc.gov/opa/2010/05/redflags.shtm">http://www.ftc.gov/opa/2010/05/redflags.shtm</a>.</p>
<p><a href="#_ftnref">[2]</a> Melissa Klein Aguilar, “Another Delay for FTC Red Flags Enforcement,” in <em>Compliance Week</em>, June 1, 2010, which is available online at: <a href="http://www.complianceweek.com/blog/aguilar/2010/06/01/once-again-ftc-delays-red-flags-enforcement/">http://www.complianceweek.com/blog/aguilar/2010/06/01/once-again-ftc-delays-red-flags-enforcement/</a>.</p>
<p><a href="#_ftnref">[3]</a> The House passed H.R. 3763 by a vote of 400-0.</p>
<p><a href="#_ftnref">[4]</a> California HealthCare Foundation, “FTC Delays Enforcement of ‘Red Flags Rule’ Until End of 2010,” <strong><em>iHealth</em></strong><em>Beat</em>, June 1, 2010, which is available online at: <a href="http://www.ihealthbeat.org/articles/2010/6/1/ftc-delays-enforcement-of-red-flags-rule-until-end-of-2010.aspx">http://www.ihealthbeat.org/articles/2010/6/1/ftc-delays-enforcement-of-red-flags-rule-until-end-of-2010.aspx</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2010/06/ftc-delays-enforcement-of-ftc-red-flags-rule-fifth-time/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>OCR Stepping Up HIPAA Security Enforcement</title>
		<link>http://www.hipaa.com/2010/05/ocr-stepping-up-hipaa-security-enforcement/</link>
		<comments>http://www.hipaa.com/2010/05/ocr-stepping-up-hipaa-security-enforcement/#comments</comments>
		<pubDate>Thu, 13 May 2010 14:00:42 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[Enforcement]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[August 24 Guidance]]></category>
		<category><![CDATA[Breaches Affecting 500 or More Individuals]]></category>
		<category><![CDATA[business associate]]></category>
		<category><![CDATA[covered entity]]></category>
		<category><![CDATA[DEPARTMENT OF HEALTH AND HUMAN SERVICES]]></category>
		<category><![CDATA[Draft Security Rule Guidance on Risk Analysis]]></category>
		<category><![CDATA[electronic media]]></category>
		<category><![CDATA[encrypting PHI]]></category>
		<category><![CDATA[HDM]]></category>
		<category><![CDATA[health data management]]></category>
		<category><![CDATA[HHS]]></category>
		<category><![CDATA[HIPAA Privacy and Security Rule compliance]]></category>
		<category><![CDATA[HIPAA Security Rule]]></category>
		<category><![CDATA[Joe Goedert]]></category>
		<category><![CDATA[laptop]]></category>
		<category><![CDATA[loss]]></category>
		<category><![CDATA[Modifications to the HIPAA]]></category>
		<category><![CDATA[National Institute of Standards and Technology]]></category>
		<category><![CDATA[NIST]]></category>
		<category><![CDATA[NIST-validated standards]]></category>
		<category><![CDATA[Notice of Proposed Rulemaking]]></category>
		<category><![CDATA[NPRM]]></category>
		<category><![CDATA[OCR]]></category>
		<category><![CDATA[Office for Civil Rights]]></category>
		<category><![CDATA[Office of Management and Budget]]></category>
		<category><![CDATA[OMB]]></category>
		<category><![CDATA[portable devices]]></category>
		<category><![CDATA[secure]]></category>
		<category><![CDATA[Susan McAndrew]]></category>
		<category><![CDATA[theft]]></category>
		<category><![CDATA[Training]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2195</guid>
		<description><![CDATA[Health Data Management (HDM) reported today, May 12, that the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) is going to strengthen HIPAA Security Rule enforcement, based on statements made on Tuesday, May 11 by the OCR Deputy Director for Privacy.  These reported statements come several days after OCR's release on May 7 of its Draft Security Rule Guidance on Risk Analysis, the first in a series of guidances on security, which hipaa.com posted earlier today, and precede the likely release later this month of the Notice of Proposed Rulemaking (NPRM):  Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act.   ]]></description>
			<content:encoded><![CDATA[<p>Health Data Management (HDM) reported today, May 12, that the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) is going to strengthen HIPAA Security Rule enforcement, based on statements made on Tuesday, May 11 by the OCR Deputy Director for Privacy, Susan McAndrew, at the Safeguarding Health Information conference in Washington, DC, co-sponsored by OCR and the National Institute of Standards and Technology (NIST).  &#8220;To boost enforcement of the security rule, OCR has added investigators in 10 regional offices, McAndrew notes,&#8221; as reported by Joe Goedert in the HDM article, &#8220;OCR Boosting Security Enforcement,&#8221; which is <a href="http://bit.ly/cy6giu">available online</a>.</p>
<p>This report comes several days after OCR&#8217;s release last Friday of its Draft Security Rule Guidance on Risk Analysis, the first in a series of guidances on security, which hipaa.com posted earlier today, and precedes the likely release later this month of the Notice of Proposed Rulemaking (NPRM):  <em>Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act</em>, which is currently at the Office of Management and Budget (OMB) for review prior to publication in the Federal Register.</p>
<p>In addition, the renewed emphasis on HIPAA Security Rule compliance may be due in part to the growing number of posted &#8220;Breaches Affecting 500 or More Individuals&#8221; on the <a href="http://bit.ly/aD1b7M">OCR Web site</a>.</p>
<p>As of May 6, 2010, OCR had listed on this site 77 covered entities that had experienced such breaches, with a total of 2,430,167 affected individuals.  Of the total listed breaches, 63 involved covered entities only and 14, or 18%, involved a business associate in some manner.  Of the 72 reported breaches identifying whether paper or electronic protected health information (PHI) was involved, 18, or 25%, involved paper and 54, or 75%, involved electronic media.  Forty-five of those 54 breaches, or just over 83%, were instances of theft or loss, most often of laptops or other portable devices, highlighting the need for encrypting PHI to <em>secure</em> it on those electronic media according to NIST-validated standards identified in the August 24, 2009, HHS Guidance.  That Guidance was discussed in earlier hipaa.com postings and is available on this site.</p>
<p>With increased enforcement comes the need for greater attention paid to HIPAA Privacy and Security Rule compliance and training.  hipaa.com will announce new online HIPAA privacy and security training initiatives later this month.  You may register on hipaa.com to be notified of the training announcement.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2010/05/ocr-stepping-up-hipaa-security-enforcement/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>OCR Issues Draft Guidance on Security Risk Analysis</title>
		<link>http://www.hipaa.com/2010/05/ocr-issues-draft-guidance-on-security-risk-analysis/</link>
		<comments>http://www.hipaa.com/2010/05/ocr-issues-draft-guidance-on-security-risk-analysis/#comments</comments>
		<pubDate>Wed, 12 May 2010 13:46:42 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[administrative safeguards]]></category>
		<category><![CDATA[availability]]></category>
		<category><![CDATA[confidentiality]]></category>
		<category><![CDATA[DEPARTMENT OF HEALTH AND HUMAN SERVICES]]></category>
		<category><![CDATA[Draft Guidance on Risk Analysis]]></category>
		<category><![CDATA[e-PHI]]></category>
		<category><![CDATA[ePHI]]></category>
		<category><![CDATA[HHS]]></category>
		<category><![CDATA[integrity]]></category>
		<category><![CDATA[OCR]]></category>
		<category><![CDATA[Office for Civil Rights]]></category>
		<category><![CDATA[physical safeguards]]></category>
		<category><![CDATA[Risk Analysis]]></category>
		<category><![CDATA[Security Rule]]></category>
		<category><![CDATA[technical safeguards]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2186</guid>
		<description><![CDATA[The Office for Civil Rights (OCR) of the Department of Health and Human Services  (HHS) issued on May 7, 2010, Security Rule Draft Guidance on Risk Analysis. This is the first in a “series of guidance documents [that] will assist organizations in identifying and implementing the most effective and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic protected health information.  The materials will be updated annually, as appropriate.”]]></description>
			<content:encoded><![CDATA[<p>The Office for Civil Rights (OCR) of the Department of Health and Human Services  (HHS) issued on May 7, 2010, Security Rule Draft Guidance on Risk Analysis. This is the first in a “series of guidance documents [that] will assist organizations in identifying and implementing the most effective and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic protected health information.  The materials will be updated annually, as appropriate.”</p>
<p>This eight-page document is <a href="http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/radraftguidance.pdf">available online</a>.</p>
<p>The Draft Guidance on Risk Analysis makes the following key points:</p>
<p>“The Security Rule does not prescribe a specific risk analysis methodology, recognizing that methods will vary dependent on the size, complexity, and capabilities of the organization.  Instead, the Rule identifies risk analysis as the foundational element in the process of achieving compliance, and it establishes several objectives that any methodology adopted must achieve….</p>
<p>“The risk analysis process should be ongoing.  In order for an entity to update and document its security measures ‘as needed,’ which the Rule requires, it should conduct continuous risk analysis to identify when updates are needed….</p>
<p>“Risk analysis is the first step in an organization’s Security Rule compliance efforts.  Risk analysis is an ongoing process that should provide the organization with a detailed understanding of the risks to the confidentiality, integrity, and availability of e-PHI.”</p>
<p>OCR requests public comment on the Draft Guidance on Risk Analysis, which can be sent to <a href="mailto:OCRPrivacy@hhs.gov">OCRPrivacy@hhs.gov</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2010/05/ocr-issues-draft-guidance-on-security-risk-analysis/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Prison Time for Privacy Breach of PHI; OCR Breach List Continues to Grow; More Training Needed</title>
		<link>http://www.hipaa.com/2010/04/prison-time-for-privacy-breach-of-phi-ocr-breach-list-continues-to-grow-more-training-needed/</link>
		<comments>http://www.hipaa.com/2010/04/prison-time-for-privacy-breach-of-phi-ocr-breach-list-continues-to-grow-more-training-needed/#comments</comments>
		<pubDate>Fri, 30 Apr 2010 14:00:56 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[Enforcement]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[awareness and understanding]]></category>
		<category><![CDATA[breach notification rule]]></category>
		<category><![CDATA[breaches]]></category>
		<category><![CDATA[DEPARTMENT OF HEALTH AND HUMAN SERVICES]]></category>
		<category><![CDATA[HDM]]></category>
		<category><![CDATA[health data management]]></category>
		<category><![CDATA[HHS]]></category>
		<category><![CDATA[HIPAA PRIVACY RULE]]></category>
		<category><![CDATA[HIPAA Security Rule]]></category>
		<category><![CDATA[OCR]]></category>
		<category><![CDATA[Office for Civil Rights]]></category>
		<category><![CDATA[PHI]]></category>
		<category><![CDATA[posted breaches]]></category>
		<category><![CDATA[prison]]></category>
		<category><![CDATA[privacy breach]]></category>
		<category><![CDATA[protected health information]]></category>
		<category><![CDATA[Training]]></category>
		<category><![CDATA[UCLA School of Medicine]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2171</guid>
		<description><![CDATA[HDM Daily reported on April 29, 2010, a four month federal prison sentence for a HIPAA privacy violation.  On the same day, OCR at HHS reported on its Web site 67 entities that have reported breaches affecting 500 or more individuals since the breach notification rule became effective.  HIPAA.com believes that these two reports illustrate the need for more privacy and security training, and invite readers to sign up on the hipaa.com Web site for more information in May about training from HIPAA School.]]></description>
			<content:encoded><![CDATA[<p>Health Data Management reported in its April 29, 2010, online <em>HDM Daily</em> that &#8220;[a] former researcher at the UCLA School of Medicine has been sentenced to four months in federal prison for violations of the HIPAA privacy rule.&#8221;  You may access and read the article by Joseph Goedert, &#8220;<a href="http://www.healthdatamanagement.com/news/hipaa_privacy-violation-conviction-breach-40202-1.html" target="_blank">Prison for HIPAA Privacy Violater</a>&#8221;.</p>
<p>On the same day, April 29, the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) reported on its Web site 67 entities reporting &#8220;Breaches Affecting 500 or More Individuals&#8221; over the period September 22, 2009 to March 19, 2010.  That is up from the 36 that OCR listed on its initial posting of the list on February 23, 2010.  The current list is <a href="http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html" target="_blank">available on the OCR Web site</a>.</p>
<p>Clearly, more &#8220;awareness and understanding&#8221; training on security safeguards and privacy controls regarding use and disclosure of protected health information (PHI) is necessary.  Such training is required under the HIPAA Privacy and Security Rules and includes training regarding the new HITECH Act Breach Notification Rule requirements.</p>
<p>HIPAA.com will have announcements about such training in May, offered through HIPAA School.  You may register on the hipaa.com site for email notification of further details about HIPAA School training, and for postings provided on hipaa.com.  (20100429)</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2010/04/prison-time-for-privacy-breach-of-phi-ocr-breach-list-continues-to-grow-more-training-needed/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HHS&#8217; ONC Releases Proposed Rule for Temporary and Permanent HIT Certification Programs</title>
		<link>http://www.hipaa.com/2010/03/hhs-onc-releases-proposed-rule-for-temporary-and-permanent-hit-certification-programs/</link>
		<comments>http://www.hipaa.com/2010/03/hhs-onc-releases-proposed-rule-for-temporary-and-permanent-hit-certification-programs/#comments</comments>
		<pubDate>Mon, 22 Mar 2010 14:29:49 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Meaningful Use]]></category>
		<category><![CDATA[accreditation]]></category>
		<category><![CDATA[certification]]></category>
		<category><![CDATA[certification bodies]]></category>
		<category><![CDATA[Certified EHR Technology]]></category>
		<category><![CDATA[Complete EHR]]></category>
		<category><![CDATA[DEPARTMENT OF HEALTH AND HUMAN SERVICES]]></category>
		<category><![CDATA[EHR Module]]></category>
		<category><![CDATA[Federal Register]]></category>
		<category><![CDATA[health information technology]]></category>
		<category><![CDATA[Health Information Technology for Economic and Clinical Health Act]]></category>
		<category><![CDATA[HHS]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[incentive payments]]></category>
		<category><![CDATA[March 10 2010]]></category>
		<category><![CDATA[Medicaid]]></category>
		<category><![CDATA[Medicare]]></category>
		<category><![CDATA[NPRM]]></category>
		<category><![CDATA[Office of the National Coordinator for Health Information Technology]]></category>
		<category><![CDATA[ONC]]></category>
		<category><![CDATA[permanent HIT certification program]]></category>
		<category><![CDATA[PHSA]]></category>
		<category><![CDATA[Proposed rule]]></category>
		<category><![CDATA[Public Health Service Act]]></category>
		<category><![CDATA[Temporary HIT certification program]]></category>
		<category><![CDATA[testing]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2164</guid>
		<description><![CDATA[On Wednesday, March 10, 2010, the Office of the National Coordinator for Health Information Technology (ONC) of the Department of Health and Human Services (HHS) published in the Federal Register the Proposed Rule (NPRM) for Proposed Establishment of Certification Programs for Health Information Technology.  [75 Federal Register 11327-11373]  We present the summary of the NPRM. ]]></description>
			<content:encoded><![CDATA[<p>On Wednesday, March 10, 2010, the Office of the National Coordinator for Health Information Technology (ONC) of the Department of Health and Human Services (HHS) published in the <em>Federal Register </em>the Proposed Rule (NPRM) for <em>Proposed Establishment of Certification Programs for Health Information Technology</em>.  [75 <em>Federal Register </em>11327-11373]  We present the summary of the NPRM.</p>
<p>&#8220;SUMMARY.  Under the authority granted to the National Coordinator for Health Information Technology (the National Coordinator) by section 3001(c)(5) of the Public Health Service Act (PHSA) as added by the Health Information Technology for Economic and Clinical Health (HITECH) Act, this rule proposes the establishment of two certification programs for purposes of testing and certifying health information technology.  While two certification programs are described in this proposed rule, we anticipate issuing separate final rules for each of the programs.  The first proposal would establish a temporary certification program whereby the National Coordinator would authorize organizations to test and certify Complete EHRs and/or EHR Modules, thereby assuring the availability of Certified EHR Technology prior to the date on which health care providers seeking the incentive payments available under the Medicare and Medicaid EHR Incentives Program may begin demonstrating meaningful use of Certified EHR Technology.  The second proposal would establish a permanent certification program to replace the temporary certification program.  The permanent certification program would separate the responsibilities for performing testing and certification, introduce accreditation requirements, establish requirements for certification bodies authorized by the National Coordinator related to the surveillance of Certified EHR Technology, and would include the potential for certification bodies authorized by the National Coordinator to certify other types of health information technology besides Complete EHRs and EHR Modules.&#8221;</p>
<p>The Office of the National Coordinator for Health Information Technology requests written or electronic comments on the <em>temporary certification program</em> for receipt no later than 5 PM on April 9, 2010, and written or electronic comments on the <em>permanent certification program</em> no later than 5 PM on May 10, 2010.  Detailed instructions for submitting comments can be found on page 11328 of the NPRM referenced above.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2010/03/hhs-onc-releases-proposed-rule-for-temporary-and-permanent-hit-certification-programs/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>OCR Identifies 36 Entities with Breaches Affecting 500 or More Individuals</title>
		<link>http://www.hipaa.com/2010/03/ocr-identifies-36-entities-with-breaches-affecting-500-or-more-individuals/</link>
		<comments>http://www.hipaa.com/2010/03/ocr-identifies-36-entities-with-breaches-affecting-500-or-more-individuals/#comments</comments>
		<pubDate>Thu, 04 Mar 2010 21:14:52 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[500 or more individuals]]></category>
		<category><![CDATA[August 24 2009]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[breach notification rule]]></category>
		<category><![CDATA[Department of Health and Human Resources]]></category>
		<category><![CDATA[electronic devices]]></category>
		<category><![CDATA[electronic media]]></category>
		<category><![CDATA[Federal Register]]></category>
		<category><![CDATA[HHS]]></category>
		<category><![CDATA[OCR]]></category>
		<category><![CDATA[Office for Civil Rights]]></category>
		<category><![CDATA[PHI]]></category>
		<category><![CDATA[protected health information]]></category>
		<category><![CDATA[September 23 2009]]></category>
		<category><![CDATA[theft]]></category>
		<category><![CDATA[unauthorized access]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2157</guid>
		<description><![CDATA[On Monday, February 22, 2010, the federal government, through the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS), began enforcing the Breach Notification Rule for breaches occurring on or after that date.  The Breach Notification for Unsecured Protected Health Information; Interim Final Rule, was published in the Federal Register on Monday, August 24, 2009 [74 FR 42739-42770] and was effective September 23, 2009.  Since September 22, 2009, 36 breaches affecting 500 or more individuals have been reported to OCR.  The total number of individuals affected was 1,073,657, with two of the breaches involving 359,000 (FL) and 500,000 (TN), as reported.]]></description>
			<content:encoded><![CDATA[<p>On Monday, February 22, 2010, the federal government, through the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS), began enforcing the Breach Notification Rule for breaches occurring on or after that date.  The Breach Notification for Unsecured Protected Health Information; Interim Final Rule, was published in the Federal Register on Monday, August 24, 2009 [74 FR 42739-42770] and was effective September 23, 2009.  Since September 22, 2009, 36 breaches of privacy or security of protected health information (PHI) affecting 500 or more individuals have been reported to OCR.  The total number of individuals affected was 1,073,657, with two of the breaches involving 359,000 (FL) and 500,000 (TN), as reported.  Seven of the 36 reported breaches involved business associates of covered entities, totaling 118,062, or about 11% of affected individuals.  Twenty-nine of the 36 breaches involved theft (22), unauthorized access (2), or a combination of theft and unauthorized access (5).  Twenty-nine also involved electronic devices or electronic media.  For more information, see the OCR Press Release <a href="http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html" target="_blank">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2010/03/ocr-identifies-36-entities-with-breaches-affecting-500-or-more-individuals/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Today, February 17, Business Associates Must be in Compliance with HIPAA Security Rule</title>
		<link>http://www.hipaa.com/2010/02/today-february-17-business-associates-must-be-in-compliance-with-hipaa-security-rule/</link>
		<comments>http://www.hipaa.com/2010/02/today-february-17-business-associates-must-be-in-compliance-with-hipaa-security-rule/#comments</comments>
		<pubDate>Wed, 17 Feb 2010 17:01:43 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[administrative safeguards]]></category>
		<category><![CDATA[American Recovery and Reinvestment Act of 2009]]></category>
		<category><![CDATA[business associate]]></category>
		<category><![CDATA[business associate agreement]]></category>
		<category><![CDATA[civil penalties]]></category>
		<category><![CDATA[Code of Federal Regulations]]></category>
		<category><![CDATA[complaint investigation]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[compliance audit]]></category>
		<category><![CDATA[covered entity]]></category>
		<category><![CDATA[criminal penalties]]></category>
		<category><![CDATA[effective date]]></category>
		<category><![CDATA[financial penalties]]></category>
		<category><![CDATA[HIPAA Security Rule]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[noncompliance]]></category>
		<category><![CDATA[physical safeguards]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[satisfactory assurances]]></category>
		<category><![CDATA[technical safeguards]]></category>
		<category><![CDATA[violation]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2147</guid>
		<description><![CDATA[Today, Wednesday, February 17, 2010, Business Associates of Covered Entities must be able to demonstrate that they are in compliance with administrative, physical, and technical safeguards of the HIPAA Security Rule, as required by the HITECH Act, enacted one year ago today as part of the American Recovery and Reinvestment Act of 2009.  In addition, Business Associate Agreements must be rewritten or amended to specifically require a Business Associate's compliance with the Security Rule as part of its "satisfactory assurances."  Financial penalties for noncompliance discovered during a compliance audit or complaint investigation could be severe, especially for willful neglect.]]></description>
			<content:encoded><![CDATA[<p>Today, Wednesday, February 17, 2010, Business Associates of Covered Entities must be able to demonstrate that they are in compliance with administrative, physical, and technical safeguards of the HIPAA Security Rule, as required by the HITECH Act, enacted one year ago today as part of the American Recovery and Reinvestment Act of 2009.  In addition, Business Associate Agreements must be rewritten or amended to specifically require a Business Associate&#8217;s compliance with the Security Rule as part of its &#8220;satisfactory assurances.&#8221;  Financial penalties for noncompliance discovered during a compliance audit or complaint investigation could be severe, especially for willful neglect.</p>
<p>Here are the appropriate authorities:</p>
<p>Section 13401 of Part 1 (Improved Privacy Provisions and Security Provisions) of Subtitle D (Privacy) of the HITECH Act (p. 260): Application of Security Provisions and Penalties to Business Associates of Covered Entities</p>
<p>(a) <strong>Application of Security Provisions</strong>.  Sections 164.308 [Administrative Safeguards], 164.310 [Physical Safeguards], 164.312 [Technical Safeguards], and 164.316 [Policies and Procedures and Documentation Requirements] of title 45, Code of Federal Regulations, shall apply to a business associate of a covered entity in the same manner that such sections apply to the covered entity.  The additional requirements of this title that relate to security and that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporated into the business associate agreement between the business associate and the covered entity. [42 USC 17931]</p>
<p>(b) <strong>Application of Civil and Criminal Penalties</strong>.  In the case of a business associate that violates any security provision specified in subsection (a), sections 1176 and 1177 of the Social Security Act (42 U.S.C. 1320d-5, 1320d-6) shall apply to the business associate with respect to such violation in the same manner such sections apply to a covered entity that violates such security provisions. [42 USC 17931]</p>
<p>NOTE:  Effective the day after enactment of the HITECH Act (February 18, 2009), financial penalties were substantially increased for noncompliance with HIPAA standards, which cover policies, procedures, actions, assessments, and documentation requirements discovered during a compliance audit or complaint investigation.</p>
<p>Section 13423 of Part 2 (Relationship to Other Laws; Regulatory References; Effective Date; Reports) of Subtitle D (Privacy) of the HITECH Act (p. 276):  Effective Date</p>
<p>Except as otherwise specifically provided, the provisions of part 1 shall take effect on the date that is 12 months after the date of the enactment of this title. [42 USC 17953]</p>
<p>Today marks the beginning of direct federal regulation of business associates&#8217; compliance with the HIPAA Security Rule. [02/17/10]</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2010/02/today-february-17-business-associates-must-be-in-compliance-with-hipaa-security-rule/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New HIPAA/HITECH Act Rules Require Compliance in February</title>
		<link>http://www.hipaa.com/2010/02/new-hipaahitech-act-rules-require-compliance-in-february/</link>
		<comments>http://www.hipaa.com/2010/02/new-hipaahitech-act-rules-require-compliance-in-february/#comments</comments>
		<pubDate>Wed, 03 Feb 2010 23:45:35 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[Health IT and HITECH]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2137</guid>
		<description><![CDATA[Three new HITECH Act Rules go into effect in February:  Business Associate compliance with, and subject to penalties for violations of the HIPAA Security Rule, on February 17, 2010; Covered Entity Health Care Provider compliance with a restriction on PHI Disclosure to a Health Plan when a patient pays in full out of pocket at time of service, on February 18; and Enforcement of the Breach Notification Rule for failure of a Covered Entity and/or Business Associate to provide the required notifications for breaches discovered on or after the enforcement commencement date, February 22, 2010.]]></description>
			<content:encoded><![CDATA[<p>Three new HIPAA/HITECH Act rules go into effect this month:</p>
<p>Two weeks from today, on Wednesday, February 17, 2010, Business Associates of Covered Entities must comply with the HIPAA Security Rule.  For the first time Business Associates will be regulated by the federal government.  Section 13401 of Subtitle D (Privacy) of the HITECH Act (42 USC 17931) states that &#8220;[t]he additional requirements of this title that relate to security and that are made applicable with respect to Covered Entities shall also be applicable to such a Business Associate and shall be incorporated into the business associate agreement between the business associate and the covered entity.&#8221; [Public Law 111-5, p. 260]  In addition, penalties that apply to Covered Entities also will apply to Business Associates for noncompliance with the provisions of the Security Rule.</p>
<p>The next day, Thursday, February 18, 2010, a new restriction on disclosure of protected health information goes into effect that impacts Covered Entity health care providers.  According to Section 13405 of Subtitle D of the HITECH Act (42 USC 17935), a health care provider must honor a patient request to restrict disclosure of protected health information to a health plan for purposes other than carrying out treatment (namely, payment or health care operations) if the patient pays the health care provider out of pocket in full.</p>
<p>Finally, on Monday, February 22, 2010, enforcement of the Breach Notification Rule goes into effect for &#8220;failure to provide the required notifications for breaches&#8221; of unsecured protected health information discovered on or after the February 22 date.  [74 <em>Federal Register </em>42757, August 24, 2009].  The Breach Notification Rule applies to Covered Entities and Business Associates, provides obligations for each regarding compilation and reporting of information pertaining to a breach by either party, and requires &#8220;incorporation [of those obligations] into the Business Associate Agreement between the Business Associate and the Covered Entity.&#8221; [42 USC 17934]</p>
<p>[02/03/2010]</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2010/02/new-hipaahitech-act-rules-require-compliance-in-february/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Clock Running Down on Business Associate Compliance with HIPAA Security Rule Required by HITECH Act</title>
		<link>http://www.hipaa.com/2010/01/clock-running-down-on-business-associate-compliance-with-hipaa-security-rule-required-by-hitech-act/</link>
		<comments>http://www.hipaa.com/2010/01/clock-running-down-on-business-associate-compliance-with-hipaa-security-rule-required-by-hitech-act/#comments</comments>
		<pubDate>Tue, 19 Jan 2010 15:29:25 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[administrative safeguards]]></category>
		<category><![CDATA[business associate]]></category>
		<category><![CDATA[business associate agreement]]></category>
		<category><![CDATA[civil penalties]]></category>
		<category><![CDATA[Code of Federal Regulations]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[covered entity]]></category>
		<category><![CDATA[criminal penalties]]></category>
		<category><![CDATA[documentation]]></category>
		<category><![CDATA[failure to comply]]></category>
		<category><![CDATA[February 17]]></category>
		<category><![CDATA[guidance]]></category>
		<category><![CDATA[HIPAA Security Rule]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[Individually Identifiable Health Information]]></category>
		<category><![CDATA[physical safeguards]]></category>
		<category><![CDATA[policies]]></category>
		<category><![CDATA[procedures]]></category>
		<category><![CDATA[Public Law 111-5]]></category>
		<category><![CDATA[Social Security Act]]></category>
		<category><![CDATA[Subtitle D]]></category>
		<category><![CDATA[technical safeguards]]></category>
		<category><![CDATA[title 45]]></category>
		<category><![CDATA[violation]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2127</guid>
		<description><![CDATA[Less than one month to go:  Business Associates must comply with the HIPAA Security Rule no later than Wednesday, February 17, 2010.  Here are relevant provisions from the American Recovery and Reinvestment Act, which included HITECH Act Subtitle D:  Privacy. ]]></description>
			<content:encoded><![CDATA[<p>Less than one month to go:  Business Associates must comply with the HIPAA Security Rule no later than Wednesday, February 17, 2010.  Here are relevant provisions from the American Recovery and Reinvestment Act, Public Law 111-5, which included HITECH Act Subtitle D:  Privacy.</p>
<p>42 USC 17931 (PART 1&#8211;IMPROVED PRIVACY PROVISIONS AND SECURITY PROVISIONS, Section 13401:  Application of Security Provisions and Penalties to Business Associates of Covered Entities; Annual Guidance on Security Provisions).</p>
<p>(a)  APPLICATION OF SECURITY PROVISIONS.&#8211;Sections 164.308 (Administrative Safeguards), 164.310 (Physical Safeguards), 164.312 (Technical Safeguards), and 164.316 (Policies and Procedures and Documentation Requirements) of title 45, Code of Federal Regulations, shall apply to a business associate of a covered entity in the same manner that such sections apply to a covered entity.  The additional requirements of this title that relate to security and that are applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporated into the business associate agreement between the business associate and the covered entity.</p>
<p>(b) APPLICATION OF CIVIL AND CRIMINAL PENALTIES.&#8211;In the case of a business associate that violates any security provision specified in subsection (a) [above], sections 1176 [General Penalty for Failure to Comply with Requirements and Standards] and 1177 [Wrongful Disclosure of Individually Identifiable Health Information] of the Social Security Act shall apply to the business associate with respect to such violation in the same manner such sections apply to a covered entity that violates such security provision&#8230;.</p>
<p>42 USC 17953 (Section 13423:  EFFECTIVE DATE).  Except as otherwise specifically provided, the provisions of part 1 shall take effect on the date that is 12 months after the date of the enactment of this title [which was February 17, 2009].</p>
<p>If you are a covered entity, make sure that your business associates are aware of the upcoming Security Rule safeguards, policies and procedures, and documentation compliance provisions by February 17, 2010, and that your business associate agreement reflects this obligation. [01/18/2010]</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2010/01/clock-running-down-on-business-associate-compliance-with-hipaa-security-rule-required-by-hitech-act/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HHS Publishes Proposed Rule for Electronic Health Record Incentive Program</title>
		<link>http://www.hipaa.com/2010/01/hhs-publishes-proposed-rule-for-electronic-health-record-incentive-program/</link>
		<comments>http://www.hipaa.com/2010/01/hhs-publishes-proposed-rule-for-electronic-health-record-incentive-program/#comments</comments>
		<pubDate>Wed, 13 Jan 2010 22:35:24 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Meaningful Use]]></category>
		<category><![CDATA[ARRA]]></category>
		<category><![CDATA[Centers for Medicare & Medicaid Services]]></category>
		<category><![CDATA[certification criteria]]></category>
		<category><![CDATA[Certified EHR]]></category>
		<category><![CDATA[certified electronic health record]]></category>
		<category><![CDATA[CMS]]></category>
		<category><![CDATA[EHR]]></category>
		<category><![CDATA[electronic health record]]></category>
		<category><![CDATA[eligible hospitals]]></category>
		<category><![CDATA[eligible professionals]]></category>
		<category><![CDATA[EPs]]></category>
		<category><![CDATA[HHS]]></category>
		<category><![CDATA[implementation specifications]]></category>
		<category><![CDATA[incentive]]></category>
		<category><![CDATA[incentive payments]]></category>
		<category><![CDATA[Interim Final Rule]]></category>
		<category><![CDATA[March 15]]></category>
		<category><![CDATA[Medicaid]]></category>
		<category><![CDATA[Medicare]]></category>
		<category><![CDATA[Notice of Proposed Rulemaking]]></category>
		<category><![CDATA[NPRM]]></category>
		<category><![CDATA[Office of the National Coordinator for Health Information Technology]]></category>
		<category><![CDATA[ONC]]></category>
		<category><![CDATA[payment adjustments]]></category>
		<category><![CDATA[Proposed rule]]></category>
		<category><![CDATA[Public Law 111-5]]></category>
		<category><![CDATA[Standards]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2120</guid>
		<description><![CDATA[HHS published today in the Federal Register:  "Medicare and Medicaid Programs--Electronic Health Record Incentive Program; Proposed Rule."  75 FR 1844-2011.  Comments on this Notice of Proposed Rulemaking (NPRM) may be submitted to HHS no later than March 15, 2010.  ]]></description>
			<content:encoded><![CDATA[<p>HHS published today in the Federal Register:  &#8220;Medicare and Medicaid Programs&#8211;Electronic Health Record Incentive Program; Proposed Rule.&#8221;  75 FR 1844-2011.  Comments on this Notice of Proposed Rulemaking (NPRM) may be submitted to HHS no later than March 15, 2010.  Here is the Summary from the NPRM:</p>
<p>&#8220;This proposed rule would implement the provisions of the American Recovery and Reinvestment Act of 2009 (ARRA)(Public Law 111-5) that provide incentive payments to eligible professionals (EPs) and eligible hospitals participating in Medicare and Medicaid programs that adopt and meaningfully use certified electronic health record (EHR) technology.  The proposed rule would specify the initial criteria an EP and eligible hospital must meet in order to qualify for the incentive payment; calculation of the incentive payment amounts; payment adjustments under Medicare for covered professional services and inpatient hospital services provided by EPs and eligible hospitals failing to meaningfully use certified EHR technology; and other program participation requirements.  Also, as required by ARRA, the Office of the National Coordinator for Health Information Technology (ONC) will be issuing a closely related interim final rule [75 FR 2013-2047] that specifies the Secretary&#8217;s adoption of an initial set of standards, implementation specifications, and certification criteria for electronic health records.  ONC will also be issuing a notice of proposed rulemaking on the process for organizations to conduct the certification of EHR technology.&#8221; [01/13/10]  This NPRM is available online <a href="http://edocket.access.gpo.gov/2010/pdf/E9-31217.pdf" target="_blank">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2010/01/hhs-publishes-proposed-rule-for-electronic-health-record-incentive-program/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HHS Publishes EHR Standards, Implementation Specifications and Certification Criteria IFR</title>
		<link>http://www.hipaa.com/2010/01/hhs-publishes-ehr-standards-implementation-specifications-and-certification-criteria-ifr/</link>
		<comments>http://www.hipaa.com/2010/01/hhs-publishes-ehr-standards-implementation-specifications-and-certification-criteria-ifr/#comments</comments>
		<pubDate>Wed, 13 Jan 2010 22:32:57 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Meaningful Use]]></category>
		<category><![CDATA[2011]]></category>
		<category><![CDATA[certification criteria]]></category>
		<category><![CDATA[DEPARTMENT OF HEALTH AND HUMAN SERVICES]]></category>
		<category><![CDATA[EHR]]></category>
		<category><![CDATA[electronic health record]]></category>
		<category><![CDATA[eligible hospitals]]></category>
		<category><![CDATA[eligible professionals]]></category>
		<category><![CDATA[health information technology]]></category>
		<category><![CDATA[HHS]]></category>
		<category><![CDATA[IFR]]></category>
		<category><![CDATA[implementation specifications]]></category>
		<category><![CDATA[Interim Final Rule]]></category>
		<category><![CDATA[interoperability]]></category>
		<category><![CDATA[Medicaid EHR incentive program]]></category>
		<category><![CDATA[Medicare EHR incentive program]]></category>
		<category><![CDATA[Office of the National Coordinator]]></category>
		<category><![CDATA[ONC]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Stage 1]]></category>
		<category><![CDATA[Standards]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2116</guid>
		<description><![CDATA[HHS published today in the Federal Register:  "Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology"  75 FR 2013-2047.  This Interim Final Rule (IFR) is effective February 2, 2010.  Comments on the IFR may be submitted to HHS no later than March 15, 2010.]]></description>
			<content:encoded><![CDATA[<p>HHS published today in the Federal Register:  &#8220;Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology&#8221;  75 FR 2013-2047.  This Interim Final Rule (IFR) is effective February 2, 2010.  Comments on the IFR may be submitted to HHS no later than March 15, 2010.  Here is the Summary from the IFR:</p>
<p>&#8220;The Department of Health and Human Services (HHS) is issuing this interim final rule with a request for comments to adopt an initial set of standards, implementation specifications, and certification criteria, as required by section 3004(b)(1) of the Public Health Service Act.  This interim final rule represents the first step in an incremental approach to adopting standards, implementation specifications, and certification criteria to enhance the interoperability, functionality, utility, and security of health information technology and to support its meaningful use.  The certification criteria adopted in this initial set establish the capabilities and related standards that certified electronic health record (EHR) technology will need to include in order to, at a minimum, support the achievement of the proposed meaningful use Stage 1 (beginning in 2011) by eligible professionals and eligible hospitals under the Medicare and Medicaid EHR Incentive Programs.&#8221;  This IFR is a consequence of HITECH Act provisions that were enacted on February 17, 2009, as part of the American Recovery and Reinvestment Act.  [01/13/10]  The IFR is available online <a href="http://edocket.access.gpo.gov/2010/pdf/E9-31216.pdf" target="_blank">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2010/01/hhs-publishes-ehr-standards-implementation-specifications-and-certification-criteria-ifr/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Exploring HIPAA and HITECH Act Definitions: Part 16</title>
		<link>http://www.hipaa.com/2009/12/exploring-hipaa-and-hitech-act-definitions-part-16/</link>
		<comments>http://www.hipaa.com/2009/12/exploring-hipaa-and-hitech-act-definitions-part-16/#comments</comments>
		<pubDate>Mon, 28 Dec 2009 16:00:58 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[business associate]]></category>
		<category><![CDATA[Code of Federal Regulations]]></category>
		<category><![CDATA[covered entity]]></category>
		<category><![CDATA[definition]]></category>
		<category><![CDATA[EHR]]></category>
		<category><![CDATA[electronic health record]]></category>
		<category><![CDATA[enabling regulation]]></category>
		<category><![CDATA[Federal Register]]></category>
		<category><![CDATA[health information technology]]></category>
		<category><![CDATA[Health Information Technology for Economic and Clinical Health Act]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[protected health information]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Standards]]></category>
		<category><![CDATA[statute]]></category>
		<category><![CDATA[transaction & code set]]></category>
		<category><![CDATA[Treatment]]></category>
		<category><![CDATA[Use]]></category>
		<category><![CDATA[Vendor of Personal Health Records]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2039</guid>
		<description><![CDATA[From now through early December, HIPAA.com is providing a run through of HIPAA transaction &#38; code set, privacy, and security definitions, along with relevant HITECH Act definitions pertaining to breach notification, securing of protected health information, and electronic health record (EHR) standards development and adoption. These definitions are key to understanding the referenced HIPAA and HITECH Act enabling regulations that are effective now and that will require compliance by covered entities and business associates now or in the months ahead, as indicated in HIPAA.com’s timeline.]]></description>
			<content:encoded><![CDATA[<p>From now through early December, HIPAA.com is providing a run through of HIPAA transaction &amp; code set, privacy, and security definitions, along with relevant HITECH Act definitions pertaining to breach notification, securing of protected health information, and electronic health record (EHR) standards development and adoption. These definitions are key to understanding the referenced HIPAA and HITECH Act enabling regulations that are effective now and that will require compliance by covered entities and business associates now or in the months ahead, as indicated in HIPAA.com’s timeline. Each posting will contain three definitions, with a date reference to the Federal Register, Code of Federal Regulations (CFR), or statute, as appropriate.</p>
<p><em>Exploring HIPAA and HITECH Act Definitions:  Parts 11-15</em> include definitions from:</p>
<p>American Recovery and Reinvestment Act of 2009 (February 17, 2009, pp.258-259),</p>
<p>Health Information Technology for Economic and Clinical Health Act,</p>
<p>Title XIII—Health Information Technology,</p>
<p>Subtitle D—Privacy,</p>
<p>Section 13400—Definitions.</p>
<p><strong><em>Treatment</em></strong></p>
<p>Has the meaning given such term in section 164.501 of title 45, Code of Federal Regulations [CFR]:</p>
<p>“The provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.”</p>
<p><strong><em>Use</em></strong></p>
<p>Has the meaning given such term in section 160.103 of title 45, Code of Federal Regulations [CFR]:</p>
<p>“With respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information.”</p>
<p><strong><em>Vendor of Personal Health Records</em></strong></p>
<p>An entity, other than a covered entity (as defined), that offers or maintains a personal health record.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2009/12/exploring-hipaa-and-hitech-act-definitions-part-16/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Exploring HIPAA and HITECH Act Definitions: Part 15</title>
		<link>http://www.hipaa.com/2009/12/exploring-hipaa-and-hitech-act-definitions-part-15/</link>
		<comments>http://www.hipaa.com/2009/12/exploring-hipaa-and-hitech-act-definitions-part-15/#comments</comments>
		<pubDate>Wed, 23 Dec 2009 14:00:41 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[business associate]]></category>
		<category><![CDATA[Code of Federal Regulations]]></category>
		<category><![CDATA[covered entity]]></category>
		<category><![CDATA[definition]]></category>
		<category><![CDATA[EHR]]></category>
		<category><![CDATA[electronic health record]]></category>
		<category><![CDATA[enabling regulation]]></category>
		<category><![CDATA[Federal Register]]></category>
		<category><![CDATA[health information technology]]></category>
		<category><![CDATA[Health Information Technology for Economic and Clinical Health Act]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[protected health information]]></category>
		<category><![CDATA[Secretary of HHS]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Standards]]></category>
		<category><![CDATA[State]]></category>
		<category><![CDATA[statute]]></category>
		<category><![CDATA[transaction & code set]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2035</guid>
		<description><![CDATA[From now through December, HIPAA.com is providing a run through of HIPAA transaction &#38; code set, privacy, and security definitions, along with relevant HITECH Act definitions pertaining to breach notification, securing of protected health information, and electronic health record (EHR) standards development and adoption. These definitions are key to understanding the referenced HIPAA and HITECH Act enabling regulations that are effective now and that will require compliance by covered entities and business associates now or in the months ahead, as indicated in HIPAA.com’s timeline. ]]></description>
			<content:encoded><![CDATA[<p>From now through December, HIPAA.com is providing a run through of HIPAA transaction &amp; code set, privacy, and security definitions, along with relevant HITECH Act definitions pertaining to breach notification, securing of protected health information, and electronic health record (EHR) standards development and adoption. These definitions are key to understanding the referenced HIPAA and HITECH Act enabling regulations that are effective now and that will require compliance by covered entities and business associates now or in the months ahead, as indicated in HIPAA.com’s timeline. Each posting will contain three definitions, with a date reference to the Federal Register, Code of Federal Regulations (CFR), or statute, as appropriate.</p>
<p><em>Exploring HIPAA and HITECH Act Definitions:  Parts 11-15</em> include definitions from:</p>
<p>American Recovery and Reinvestment Act of 2009 (February 17, 2009, pp.258-259),</p>
<p>Health Information Technology for Economic and Clinical Health Act,</p>
<p>Title XIII—Health Information Technology,</p>
<p>Subtitle D—Privacy,</p>
<p>Section 13400—Definitions.</p>
<p><strong><em>Secretary</em></strong></p>
<p>Secretary of [U.S. Department of] Health and Human Services.</p>
<p><strong><em>Security</em></strong></p>
<p>Has the meaning given such term in section 164.304 of title 45, Code of Federal Regulations [CFR].</p>
<p>“<em>Security</em> or <em>Security measures</em> encompass all of the administrative, physical, and technical safeguards in an information system.”</p>
<p><strong><em>State</em></strong></p>
<p>Each of the several States, the District of Columbia, Puerto Rico, the Virgin Islands, Guam, American Samoa, and the Northern Mariana Islands.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2009/12/exploring-hipaa-and-hitech-act-definitions-part-15/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Exploring HIPAA and HITECH Act Definitions: Part 14</title>
		<link>http://www.hipaa.com/2009/12/exploring-hipaa-and-hitech-act-definitions-part-14/</link>
		<comments>http://www.hipaa.com/2009/12/exploring-hipaa-and-hitech-act-definitions-part-14/#comments</comments>
		<pubDate>Mon, 21 Dec 2009 19:30:48 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[business associate]]></category>
		<category><![CDATA[Code of Federal Regulations]]></category>
		<category><![CDATA[covered entity]]></category>
		<category><![CDATA[definition]]></category>
		<category><![CDATA[EHR]]></category>
		<category><![CDATA[electronic health record]]></category>
		<category><![CDATA[enabling regulation]]></category>
		<category><![CDATA[Federal Register]]></category>
		<category><![CDATA[health information technology]]></category>
		<category><![CDATA[Health Information Technology for Economic and Clinical Health Act]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[Payment]]></category>
		<category><![CDATA[personal health record]]></category>
		<category><![CDATA[protected health information]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Standards]]></category>
		<category><![CDATA[statute]]></category>
		<category><![CDATA[transaction & code set]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2030</guid>
		<description><![CDATA[From now through December, HIPAA.com is providing a run through of HIPAA transaction &#38; code set, privacy, and security definitions, along with relevant HITECH Act definitions pertaining to breach notification, securing of protected health information, and electronic health record (EHR) standards development and adoption. These definitions are key to understanding the referenced HIPAA and HITECH Act enabling regulations that are effective now and that will require compliance by covered entities and business associates now or in the months ahead, as indicated in HIPAA.com’s timeline.]]></description>
			<content:encoded><![CDATA[<p>From now through December, HIPAA.com is providing a run through of HIPAA transaction &amp; code set, privacy, and security definitions, along with relevant HITECH Act definitions pertaining to breach notification, securing of protected health information, and electronic health record (EHR) standards development and adoption. These definitions are key to understanding the referenced HIPAA and HITECH Act enabling regulations that are effective now and that will require compliance by covered entities and business associates now or in the months ahead, as indicated in HIPAA.com’s timeline. Each posting will contain three definitions, with a date reference to the Federal Register, Code of Federal Regulations (CFR), or statute, as appropriate.</p>
<p><em>Exploring HIPAA and HITECH Act Definitions:  Parts 11-15</em> include definitions from:</p>
<p>American Recovery and Reinvestment Act of 2009 (February 17, 2009, pp.258-259),</p>
<p>Health Information Technology for Economic and Clinical Health Act,</p>
<p>Title XIII—Health Information Technology,</p>
<p>Subtitle D—Privacy,</p>
<p>Section 13400—Definitions.</p>
<p><strong><em>Payment</em></strong></p>
<p>Has the meaning given such term in section 164.501 of title 45, Code of Federal Regulations [CFR]:</p>
<p>“(1) The activities undertaken by:</p>
<p>(i) A health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan;</p>
<p>or</p>
<p>(ii) A health care provider or health plan to obtain or provide reimbursement for the provision of health care; and</p>
<p>(2) The activities in paragraph (1) of this definition relate to the individual to whom health care is provided and include, but are not limited to:</p>
<p>(i) Determinations of eligibility or coverage (including coordination of benefits or the determination of cost sharing amounts), and adjudication or subrogation of health benefit claims;</p>
<p>(ii) Risk adjusting amounts due based on enrollee health status and demographic characteristics;</p>
<p>(iii) Billing, claims management, collection activities, obtaining payment under a contract for reinsurance (including stop-loss insurance and excess of loss insurance), and related health care data processing;</p>
<p>(iv) Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges;</p>
<p>(v) Utilization review activities, including precertification and preauthorization of services, concurrent and retrospective review of services; and</p>
<p>(vi) Disclosure to consumer reporting agencies of any of the following protected health information relating to collection of premiums or reimbursement:</p>
<p>(A) Name and Address;</p>
<p>(B) Date of birth;</p>
<p>(C) Social Security number;</p>
<p>(D) Payment history;</p>
<p>(E) Account number; and</p>
<p>(F) Name and address of the health care provider and/or health plan.”</p>
<p><strong><em>Personal Health Record</em></strong></p>
<p>An electronic record of PHR identifiable health information (as defined in section 13407(f)(2))[1] on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.</p>
<p><strong><em>Protected Health Information</em></strong></p>
<p>Has the meaning given such term in section 160.103 of title 45, Code of Federal Regulations [CFR]:</p>
<p>“Individually identifiable health information:</p>
<p>(1) Except as provided in paragraph (2) of this definition, that is:</p>
<p>(i) Transmitted by electronic media;</p>
<p>(ii) Maintained in electronic media; or</p>
<p>(iii) Transmitted or maintained in any other form or medium.</p>
<p>(2) <em>Protected health information</em> excludes individually identifiable health information in:</p>
<p>(i) Education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g;</p>
<p>(ii) Records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and</p>
<p>(iii) Employment records held by a covered entity in its role as employer.”</p>
<p>[1] <em>PHR Identifiable Health Information</em> “means individually identifiable health information, as defined in section 1171(6) of the Social Security Act (42 U.S.C. 1320d(6)), and includes, with respect to an individual, information—(A) that is provided by or on behalf of the individual; and (B) that identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.”  [<em>HITECH Act</em>, p.156]</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2009/12/exploring-hipaa-and-hitech-act-definitions-part-14/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>ONC&#8217;s Dr. Blumenthal Announces SHARP Program Funding Availability</title>
		<link>http://www.hipaa.com/2009/12/oncs-dr-blumenthal-announces-sharp-program-funding-availability/</link>
		<comments>http://www.hipaa.com/2009/12/oncs-dr-blumenthal-announces-sharp-program-funding-availability/#comments</comments>
		<pubDate>Mon, 21 Dec 2009 16:47:55 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[ARRA]]></category>
		<category><![CDATA[Dr. David Blumenthal]]></category>
		<category><![CDATA[HHS]]></category>
		<category><![CDATA[HIT]]></category>
		<category><![CDATA[ONC]]></category>
		<category><![CDATA[SHARP]]></category>
		<category><![CDATA[Strategic Health IT Advanced Research Projects]]></category>
		<category><![CDATA[U.S. Department of Health & Human Services]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2104</guid>
		<description><![CDATA[A Message from Dr. David Blumenthal, National Coordinator for Health Information Technology:  Today the Obama administration announced the availability of $60 million in Recovery Act funds to support the development of the Strategic Health IT Advanced Research Projects (SHARP) program. SHARP awards will fund research focused on identifying technology solutions to address well-documented problems impeding broad adoption of health information technology (health IT). ]]></description>
			<content:encoded><![CDATA[<p>Please read the following announcement released on December 18, 2009:</p>
<p><strong>A Message from Dr. David Blumenthal, National Coordinator for Health Information Technology</strong></p>
<p>Today the Obama administration announced the availability of $60 million in Recovery Act funds to support the development of the <a href="http://healthit.hhs.gov/portal/server.pt?open=512&amp;objID=1436&amp;parentname=CommunityPage&amp;parentid=8&amp;mode=2&amp;in_hi_userid=11113&amp;cached=true">Strategic Health IT Advanced Research Projects (SHARP)</a> program. SHARP awards will fund research focused on identifying technology solutions to address well-documented problems impeding broad adoption of health information technology (health IT). By helping to overcome key challenges, the research will also accelerate progress towards achieving nationwide meaningful use of health IT.</p>
<p>As we continue this unprecedented effort towards meaningful use and seamless, secure information exchange, we also must acknowledge that there remains a gap between the promise of health IT and the realization of its full benefits. To achieve the goal of a transformed health care delivery system, it’s critical that we close this gap by enabling a robust research infrastructure that can focus on areas where “breakthrough” advances are needed to help clear obstacles to adoption. Under the SHARP program, four awardees will receive funding to develop multidisciplinary research projects that will identify such breakthrough solutions.</p>
<p>SHARP program awardees will create research programs that draw from many areas of expertise. They will focus on issues of central interest to all health IT stakeholders, fostering considerable discussion and debate. If, for example, SHARP research helped identify new methods to create tools that will, through their incorporation into deployed technology, enhance data security, then public trust in the electronic maintenance and exchange of health information would be reinforced and strengthened – which would in turn help encourage broader adoption.</p>
<p>Areas requiring this innovative research approach that will be tackled by the SHARP awardees include the security of health IT, patient-centered cognitive support, application and network platform architectures, and the secondary use of EHR data as a way of measuring and improving quality of care.</p>
<p>Another important aspect of the SHARP program is that the research projects will bring together key stakeholders – researchers, patient groups, health care providers, and others – to work with one another to transform health IT research into applications. This collaborative approach allows us to consider the many voices of health IT stakeholders, and work together towards common goals. With our eyes on the vision of patient-centered, quality health care we can focus research on innovative, pragmatic, and realistic solutions, which can then be implemented across the nation.</p>
<p>I truly look forward to seeing the innovative research that emerges from this program. I know that this research will provide critical insights that will bring us closer every day to a better, more efficient health care delivery system, enabled by health IT and empowered by the seamless and secure exchange of electronic health information.</p>
<p>Sincerely,</p>
<p><strong>David Blumenthal, M.D., M.P.P.</strong><br />
National Coordinator for Health Information Technology<br />
U.S. Department of Health &amp; Human Services</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2009/12/oncs-dr-blumenthal-announces-sharp-program-funding-availability/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Exploring HIPAA and HITECH Act Definitions: Part 13</title>
		<link>http://www.hipaa.com/2009/12/exploring-hipaa-and-hitech-act-definitions-part-13/</link>
		<comments>http://www.hipaa.com/2009/12/exploring-hipaa-and-hitech-act-definitions-part-13/#comments</comments>
		<pubDate>Thu, 17 Dec 2009 13:00:04 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[business associate]]></category>
		<category><![CDATA[Code of Federal Regulations]]></category>
		<category><![CDATA[covered entity]]></category>
		<category><![CDATA[definition]]></category>
		<category><![CDATA[EHR]]></category>
		<category><![CDATA[electronic health record]]></category>
		<category><![CDATA[enabling regulation]]></category>
		<category><![CDATA[Federal Register]]></category>
		<category><![CDATA[Health Care Provider]]></category>
		<category><![CDATA[health information technology]]></category>
		<category><![CDATA[Health Information Technology for Economic and Clinical Health Act]]></category>
		<category><![CDATA[health plan]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[National Coordinator]]></category>
		<category><![CDATA[National Coordinator for Health Information Technology]]></category>
		<category><![CDATA[protected health information]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Standards]]></category>
		<category><![CDATA[statute]]></category>
		<category><![CDATA[transaction & code set]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2026</guid>
		<description><![CDATA[From now through December, HIPAA.com is providing a run-through of HIPAA transaction &#38; code set, privacy, and security definitions, along with relevant HITECH Act definitions pertaining to breach notification, securing of protected health information, and electronic health record (EHR) standards development and adoption. These definitions are key to understanding the referenced HIPAA and HITECH Act enabling regulations that are effective now and that will require compliance by covered entities and business associates now or in the months ahead, as indicated in HIPAA.com’s timeline.]]></description>
			<content:encoded><![CDATA[<p>From now through December, HIPAA.com is providing a run-through of HIPAA transaction &amp; code set, privacy, and security definitions, along with relevant HITECH Act definitions pertaining to breach notification, securing of protected health information, and electronic health record (EHR) standards development and adoption. These definitions are key to understanding the referenced HIPAA and HITECH Act enabling regulations that are effective now and that will require compliance by covered entities and business associates now or in the months ahead, as indicated in HIPAA.com’s timeline. Each posting will contain three definitions, with a date reference to the Federal Register, Code of Federal Regulations (CFR), or statute, as appropriate.</p>
<p><em>Exploring HIPAA and HITECH Act Definitions: Parts 11-15</em> include definitions from:</p>
<p>American Recovery and Reinvestment Act of 2009 (February 17, 2009, pp.258-259),</p>
<p>Health Information Technology for Economic and Clinical Health Act,</p>
<p>Title XIII—Health Information Technology,</p>
<p>Subtitle D—Privacy,</p>
<p>Section 13400—Definitions.</p>
<p><strong><em>Health Care Provider</em></strong></p>
<p>Has the meaning given such term in section 160.103 of title 45, Code of Federal Regulations [CFR]:</p>
<p>“A provider of services (as defined in section 1861(u) of the [Social Security] Act, 42 U.S.C. 1395x(u)), a provider of medical or health services (as defined in section 1861(s) of the [Social Security] Act, 42 U.S.C. 1395x(s)), and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.”</p>
<p><strong><em>Health Plan</em></strong></p>
<p>Has the meaning given such term in section 160.103 of title 45, Code of Federal Regulations [CFR]:</p>
<p>“<em>Health plan</em> means an individual or group plan that provides, or pays the cost of, medical care (as defined in section 2791(a)(2) of the PHS [Public Health Service] Act, 42 U.S.C. 300gg-91(a)(2)).</p>
<p>(1) <em>Health plan</em> includes the following, singly or in combination:</p>
<p>(i) A group health plan, as defined in this section.</p>
<p>(ii) A health insurance issuer, as defined in this section.</p>
<p>(iii) An HMO, as defined in this section.</p>
<p>(iv) Part A or Part B of the Medicare program under title XVIII of the Act.</p>
<p>(v) The Medicaid program under title XIX of the Act, 42 U.S.C. 1396, <em>et seq.</em></p>
<p>(vi) An issuer of a Medicare supplemental policy (as defined in section 1882(g)(1) of the Act, 42 U.S.C. 1395ss(g)(1)).</p>
<p>(vii) An issuer of a long-term care policy, excluding a nursing home fixed-indemnity policy.</p>
<p>(viii) An employee welfare benefit plan or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers.</p>
<p>(ix) The health care program for active military personnel under title 10 of the United States Code.</p>
<p>(x) The veterans health care program under 38 U.S.C. chapter 17.</p>
<p>(xi) The Civilian Health and Medical Program of the Uniformed Services (CHAMPUS) (as defined in 10 U.S.C. 1072(4)).</p>
<p>(xii) The Indian Health Service program under the Indian Health Care Improvement Act, 25 U.S.C. 1601, <em>et seq.</em></p>
<p>(xiii) The Federal Employees Health Benefits Program under 5 U.S.C. 8902, <em>et seq.</em></p>
<p>(xiv) An approved State child health plan under title XXI of the Act, providing benefits for child health assistance that meet the requirements of section 2103 of the Act, 42 U.S.C. 1397, <em>et seq.</em></p>
<p>(xv) The Medicare+Choice program under Part C of title XVIII of the Act, 42 U.S.C. 1395w-21 through 1395w-28.</p>
<p>(xvi) A high risk pool that is a mechanism established under State law to provide health insurance coverage or comparable coverage to eligible individuals.</p>
<p>(xvii) Any other individual or group plan, or combination of individual or group plans, that provides or pays for the cost of medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)).</p>
<p>(2) <em>Health plan</em> excludes:</p>
<p>(i) Any policy, plan, or program to the extent that it provides, or pays for the cost of, excepted benefits that are listed in section 2791(c)(1) of the PHS Act, 42 U.S.C. 300gg-91(c)(1); and</p>
<p>(ii) A government-funded program (other than one listed in paragraph (1)(i)-(xvi) of this definition):</p>
<p style="padding-left: 60px">A. Whose principal purpose is other than providing, or paying the cost of, health care; or</p>
<p style="padding-left: 60px">B. Whose principal activity is:</p>
<p style="padding-left: 90px">(1) The direct provision of health care to persons; or</p>
<p style="padding-left: 90px">(2) The making of grants to fund the direct provision of health care to persons.&#8221;</p>
<p><strong><em>National Coordinator</em></strong></p>
<p>The head of the Office of the National Coordinator for Health Information Technology established under section 3001(a) of the Public Health Service Act, as added by section 13101.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2009/12/exploring-hipaa-and-hitech-act-definitions-part-13/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Exploring HIPAA and HITECH Act Definitions: Part 12</title>
		<link>http://www.hipaa.com/2009/12/exploring-hipaa-and-hitech-act-definitions-part-12/</link>
		<comments>http://www.hipaa.com/2009/12/exploring-hipaa-and-hitech-act-definitions-part-12/#comments</comments>
		<pubDate>Tue, 15 Dec 2009 16:00:53 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[business associate]]></category>
		<category><![CDATA[Code of Federal Regulations]]></category>
		<category><![CDATA[covered entity]]></category>
		<category><![CDATA[definition]]></category>
		<category><![CDATA[Disclose]]></category>
		<category><![CDATA[Disclosure]]></category>
		<category><![CDATA[EHR]]></category>
		<category><![CDATA[electronic health record]]></category>
		<category><![CDATA[enabling regulation]]></category>
		<category><![CDATA[Federal Register]]></category>
		<category><![CDATA[Health Care Operations]]></category>
		<category><![CDATA[health information technology]]></category>
		<category><![CDATA[Health Information Technology for Economic and Clinical Health Act]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[protected health information]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Standards]]></category>
		<category><![CDATA[statute]]></category>
		<category><![CDATA[transaction & code set]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2022</guid>
		<description><![CDATA[From now through December, HIPAA.com is providing a run-through of HIPAA transaction &#38; code set, privacy, and security definitions, along with relevant HITECH Act definitions pertaining to breach notification, securing of protected health information, and electronic health record (EHR) standards development and adoption. These definitions are key to understanding the referenced HIPAA and HITECH Act enabling regulations that are effective now and that will require compliance by covered entities and business associates now or in the months ahead, as indicated in HIPAA.com’s timeline. ]]></description>
			<content:encoded><![CDATA[<p>From now through December, HIPAA.com is providing a run-through of HIPAA transaction &amp; code set, privacy, and security definitions, along with relevant HITECH Act definitions pertaining to breach notification, securing of protected health information, and electronic health record (EHR) standards development and adoption. These definitions are key to understanding the referenced HIPAA and HITECH Act enabling regulations that are effective now and that will require compliance by covered entities and business associates now or in the months ahead, as indicated in HIPAA.com’s timeline. Each posting will contain three definitions, with a date reference to the Federal Register, Code of Federal Regulations (CFR), or statute, as appropriate.</p>
<p><em>Exploring HIPAA and HITECH Act Definitions: Parts 11-15</em> include definitions from:</p>
<p>American Recovery and Reinvestment Act of 2009 (February 17, 2009, pp.258-259),</p>
<p>Health Information Technology for Economic and Clinical Health Act,</p>
<p>Title XIII—Health Information Technology,</p>
<p>Subtitle D—Privacy,</p>
<p>Section 13400—Definitions.</p>
<p><strong><em>Disclose</em></strong></p>
<p>The terms ‘disclose’ and ‘disclosure’ have the meaning given the term ‘disclosure’ in section 160.103 of title 45, Code of Federal Regulations [CFR]:</p>
<p>“The release, transfer, provision of, access to, or divulging in any other manner of information outside the entity holding the information.”</p>
<p><strong><em>Electronic Health Record</em></strong></p>
<p>An electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.</p>
<p><strong><em>Health Care Operations</em></strong></p>
<p>Has the meaning given such term in section 164.501 of title 45, Code of Federal Regulations [CFR]:</p>
<p>“Health care operations means any of the following activities of the covered entity to the extent that the activities are related to covered functions:</p>
<p>(1) Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment;</p>
<p>(2) Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities.</p>
<p>(3) Underwriting, premium rating, and other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care (including stop-loss insurance and excess of loss insurance), provided that the requirements of § 164.514(g)[1] are met, if applicable;</p>
<p>(4) Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs;</p>
<p>(5) Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies; and</p>
<p>(6) Business management and general administrative activities of the entity, including, but not limited to:</p>
<p>(i) Management activities relating to implementation of and compliance with requirements of this subchapter;</p>
<p>(ii) Customer service, including the provision of data analyses for policy holders, plan sponsors, or other customers, provided that protected health information is not disclosed to such policy holder, plan sponsor, or customer;</p>
<p>(iii) Resolution of internal grievances;</p>
<p>(iv) The sale, transfer, merger, or consolidation of all or part of the covered entity with another covered entity, or an entity that following such activity will become a covered entity and due diligence related to such activity; and</p>
<p>(v) Consistent with the applicable requirements of § 164.514,[2] creating de-identified health information or a limited data set, and fundraising for the benefit of the covered entity.”</p>
<p>[1] “(g) <em>Standard: Uses and disclosures for underwriting and related purposes</em>. If a health plan receives protected health information for the purpose of underwriting, premium rating, or other activities relating to the creation, renewal, or replacement of a contract of health insurance or health benefits, and if such health insurance or health benefits are not placed with the health plan, such health plan may not use or disclose such protected health information for any other purpose, except as may be required by law.”</p>
<p>[2] “Other requirements relating to uses and disclosures of protected health information.”</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2009/12/exploring-hipaa-and-hitech-act-definitions-part-12/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Exploring HIPAA and HITECH Act Definitions: Part 11</title>
		<link>http://www.hipaa.com/2009/12/exploring-hipaa-and-hitech-act-definitions-part-11/</link>
		<comments>http://www.hipaa.com/2009/12/exploring-hipaa-and-hitech-act-definitions-part-11/#comments</comments>
		<pubDate>Tue, 08 Dec 2009 15:10:56 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[business associate]]></category>
		<category><![CDATA[clinical decision support]]></category>
		<category><![CDATA[Code of Federal Regulations]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[covered entity]]></category>
		<category><![CDATA[definition]]></category>
		<category><![CDATA[effective]]></category>
		<category><![CDATA[EHR]]></category>
		<category><![CDATA[electronic health record]]></category>
		<category><![CDATA[enabling regulations]]></category>
		<category><![CDATA[February 17]]></category>
		<category><![CDATA[Federal Register]]></category>
		<category><![CDATA[health care quality]]></category>
		<category><![CDATA[health information technology]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[Office of the National Coordinator for Health Information Technology]]></category>
		<category><![CDATA[ONCHIT]]></category>
		<category><![CDATA[physician order entry]]></category>
		<category><![CDATA[qualified electronic health record]]></category>
		<category><![CDATA[securing of protected health information]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Standards]]></category>
		<category><![CDATA[State]]></category>
		<category><![CDATA[statute]]></category>
		<category><![CDATA[timeline]]></category>
		<category><![CDATA[transaction & code set]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2017</guid>
		<description><![CDATA[From now through November, HIPAA.com is providing a run-through of HIPAA transaction &#38; code set, privacy, and security definitions, along with relevant HITECH Act definitions pertaining to breach notification, securing of protected health information, and electronic health record (EHR) standards development and adoption. These definitions are key to understanding the referenced HIPAA and HITECH Act enabling regulations that are effective now and that will require compliance by covered entities and business associates now or in the months ahead, as indicated in HIPAA.com’s timeline. ]]></description>
			<content:encoded><![CDATA[<p>From now through November, HIPAA.com is providing a run-through of HIPAA transaction &amp; code set, privacy, and security definitions, along with relevant HITECH Act definitions pertaining to breach notification, securing of protected health information, and electronic health record (EHR) standards development and adoption. These definitions are key to understanding the referenced HIPAA and HITECH Act enabling regulations that are effective now and that will require compliance by covered entities and business associates now or in the months ahead, as indicated in HIPAA.com’s timeline. Each posting will contain three definitions, with a date reference to the Federal Register, Code of Federal Regulations (CFR), or statute, as appropriate.</p>
<p><em>Exploring HIPAA and HITECH Act Definitions: Parts 11-15</em> include definitions from:</p>
<p>American Recovery and Reinvestment Act of 2009 (February 17, 2009, pp.258-259),</p>
<p>Health Information Technology for Economic and Clinical Health Act,</p>
<p>Title XIII—Health Information Technology,</p>
<p>Subtitle D—Privacy,</p>
<p>Section 13400—Definitions.</p>
<p><strong><em>Breach</em></strong></p>
<p>(A) In General—The term ‘breach’ means the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.</p>
<p>(B) Exceptions—The term ‘breach’ does not include—</p>
<ol>
<li>Any unintentional acquisition, access, or use of protected health information by an employee or individual acting under the authority of a covered entity or business associate if—
<ol>
<li>Such acquisition, access, or use was made in good faith and within the course and scope of the employment or other professional relationship of such employee or individual, respectively, with the covered entity or business associate; and</li>
<li>Such information is not further acquired, accessed, used, or disclosed by any person; or</li>
</ol>
</li>
<li>Any inadvertent disclosure from an individual who is otherwise authorized to access protected health information at a facility operated by a covered entity or business associate to another similarly situated individual at the same facility; and</li>
<li>Any such information received as a result of such disclosure is not further acquired, accessed, used, or disclosed without authorization by any person.</li>
</ol>
<p>[Note: The definition of ‘<em>breach</em>’ in the enabling regulation is different in several respects from the statutory definition above, including introduction of consideration of risk of harm to the individual:</p>
<p><em>Breach</em> means the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E [Privacy of Individually Identifiable Health Information] of this part [45 CFR 164:  Security and Privacy] which compromises the security or privacy of the protected health information.</p>
<p>(1)(i) For purposes of this definition, <em>compromises the security or privacy of the protected health information </em>means poses a significant risk of financial, reputational, or other harm to the individual.</p>
<p>(ii) A use or disclosure of protected health information that does not include the identifiers listed at § 164.514(e)(2) [Implementation Specification for the <em>Limited Data Set </em>standard], date of birth, and zip code does not compromise the security or privacy of the protected health information.</p>
<p>(2) Breach excludes:</p>
<p>(i) Any unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under subpart E of this part.</p>
<p>(ii) Any inadvertent disclosure by a person who is authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the same covered entity or business associate, or organized health care arrangement in which the covered entity participates, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under subpart E of this part.</p>
<p>(iii) A disclosure of protected health information where a covered entity or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.</p>
<p>See Department of Health and Human Services, Office of the Secretary, &#8220;45 CFR Parts 160 and 164&#8211;Breach Notification for Unsecured Protected Health Information; Interim Final Rule,&#8221; <span style="text-decoration: underline;">Federal Register</span>, v. 74, n. 162, August 24, 2009, pp.42767-42768.]</p>
<p><strong><em>Business Associate</em></strong></p>
<p>Has the meaning given such term in section 160.103 of title 45, Code of Federal Regulations [CFR]:</p>
<p>“(1) Except as provided in paragraph (2) of this definition, <em>business associate</em> means, with respect to a covered entity, a person who:</p>
<ol>
<li>On behalf of such covered entity or of an organized health care arrangement (as defined in § 164.501 of this subchapter) in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, performs, or assists in the performance of:
<ol>
<li>A function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing; or</li>
<li>Any other function or activity regulated by this subchapter; or</li>
</ol>
</li>
<li>Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation (as defined in § 164.501 of this subchapter), management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of individually identifiable health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.</li>
</ol>
<p>(2) A covered entity participating in an organized health care arrangement that performs a function or activity as described by paragraph (1)(i) of this definition for or on behalf of such organized health care arrangement, or that provides a service as described in paragraph (1)(ii) of this definition to or for such organized health care arrangement, does not, simply through the performance of such function or activity or the provision of such service, become a business associate of other covered entities participating in such organized health care arrangement.</p>
<p>(3) A covered entity may be a business associate of another covered entity.”</p>
<p><strong><em>Covered Entity</em></strong></p>
<p>Has the meaning given such term in section 160.103 of title 45, Code of Federal Regulations [CFR]:</p>
<p>“(1) A health plan.</p>
<p>(2) A health care clearinghouse.</p>
<p>(3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.”</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2009/12/exploring-hipaa-and-hitech-act-definitions-part-11/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Six Primary Goals of the HITECH Breach Notification Requirement</title>
		<link>http://www.hipaa.com/2009/12/six-primary-goals-of-the-hitech-breach-notification-requirement/</link>
		<comments>http://www.hipaa.com/2009/12/six-primary-goals-of-the-hitech-breach-notification-requirement/#comments</comments>
		<pubDate>Wed, 02 Dec 2009 15:00:45 +0000</pubDate>
		<dc:creator>Alex Zaltsman</dc:creator>
				<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[business associate]]></category>
		<category><![CDATA[covered entity]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[PHI]]></category>
		<category><![CDATA[protected health information]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2045</guid>
		<description><![CDATA[Section 13402 of the HITECH Act within the American Recovery and Reinvestment Act of 2009 (ARRA) sets in motion breach notification requirements for covered entities and business associates. Six primary goals of Section 13402 are discussed.]]></description>
			<content:encoded><![CDATA[<p style="text-align: left">The first part of the HITECH Act is called &#8220;Improved Privacy Provisions and Security Provisions&#8221;. Section 13402 is the section that starts the discussion of privacy and security and is titled &#8220;Notification in case of breach&#8221;. This section accomplishes the following:</p>
<ol>
<li>Identifies to whom this section applies: Covered Entities and Business Associates.</li>
<li>Defines the time frame within which breaches must be reported to individuals and, depending on severity, to the mass media and the Department of Health and Human Services (HHS).</li>
<li>Specifies the type of information that must appear in the notification letters.</li>
<li>Defines Unsecured Protected Health Information. Note that the HITECH Act delegated the final definition to HHS via a &#8220;guidance&#8221;. The <a title="Federal Register - Federal Register Vol 74, No 79, (Guidance request on encrypting PHI)" href="http://static.hipaa.com/documents/Federal_Register_Vol_74.pdf" target="_blank">guidance</a> was issued on 4/27/2009 in the Federal Register.</li>
<li>Requires HHS to report to Congress, no later than 12 months after the date of enactment, on the nature of the breaches that occurred.</li>
<li>Sets the time period within which the final regulations go into effect.</li>
</ol>
<p>Section 13402 of the HITECH Act sets a very important precedent and provides notice to the healthcare industry that the Federal government is serious about securing health records. Another purpose of the HITECH Act is to incentivize healthcare providers to move from paper to electronic records. Confidence in the security of those electronic records is crucial to the adoption of electronic health records and in general, is good public policy.</p>
<p>It should be noted that Congress essentially delegated the details of how the breach notification law is to be executed (known as a rule) to HHS. In August 2009 HHS issued <a title="Interim Final Ruling – Breach Notification for Unsecured Protected Health Information – 45 CFR Parts 160 and 164" href="http://static.hipaa.com/documents/interim_final_ruling.pdf" target="_blank">the interim final</a> rule on breach notification, and the rule went into effect in September 2009. However, enforcement will not officially start until February 2010, although HHS reserves the right to enforce the rules prior to February 2010 as it sees fit.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2009/12/six-primary-goals-of-the-hitech-breach-notification-requirement/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Exploring HIPAA and HITECH Act Definitions: Part 10</title>
		<link>http://www.hipaa.com/2009/11/exploring-hipaa-and-hitech-act-definitions-part-10/</link>
		<comments>http://www.hipaa.com/2009/11/exploring-hipaa-and-hitech-act-definitions-part-10/#comments</comments>
		<pubDate>Wed, 25 Nov 2009 16:30:34 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[business associate]]></category>
		<category><![CDATA[clinical decision support]]></category>
		<category><![CDATA[Code of Federal Regulations]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[covered entity]]></category>
		<category><![CDATA[definition]]></category>
		<category><![CDATA[effective]]></category>
		<category><![CDATA[EHR]]></category>
		<category><![CDATA[electronic health record]]></category>
		<category><![CDATA[enabling regulations]]></category>
		<category><![CDATA[February 17]]></category>
		<category><![CDATA[Federal Register]]></category>
		<category><![CDATA[health care quality]]></category>
		<category><![CDATA[health information technology]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[Office of the National Coordinator for Health Information Technology]]></category>
		<category><![CDATA[ONCHIT]]></category>
		<category><![CDATA[physician order entry]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[qualified electronic health record]]></category>
		<category><![CDATA[securing of protected health information]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Standards]]></category>
		<category><![CDATA[State]]></category>
		<category><![CDATA[statute]]></category>
		<category><![CDATA[timeline]]></category>
		<category><![CDATA[transaction & code set]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=1986</guid>
		<description><![CDATA[From now through November, HIPAA.com is providing a run through of HIPAA transaction &#38; code set, privacy, and security definitions, along with relevant HITECH Act definitions pertaining to breach notification, securing of protected health information, and electronic health record (EHR) standards development and adoption.  These definitions are key to understanding the referenced HIPAA and HITECH Act enabling regulations that are effective now and that will require compliance by covered entities and business associates now or in the months ahead, as indicated in HIPAA.com’s timeline.]]></description>
			<content:encoded><![CDATA[<p>From now through November, HIPAA.com is providing a run through of HIPAA transaction &amp; code set, privacy, and security definitions, along with relevant HITECH Act definitions pertaining to breach notification, securing of protected health information, and electronic health record (EHR) standards development and adoption. These definitions are key to understanding the referenced HIPAA and HITECH Act enabling regulations that are effective now and that will require compliance by covered entities and business associates now or in the months ahead, as indicated in HIPAA.com’s timeline. In this posting we highlight the last two definitions from the following HITECH Act section:</p>
<p><em>Exploring HIPAA and HITECH Act Definitions: Parts 6-10</em> include definitions from:</p>
<p>American Recovery and Reinvestment Act of 2009 (February 17, 2009, pp.228-229),</p>
<p>Health Information Technology for Economic and Clinical Health Act,</p>
<p>Title XIII—Health Information Technology,</p>
<p>Subtitle A—Promotion of Health Information Technology,</p>
<p>Section 13101—ONCHIT [Office of the National Coordinator for Health Information Technology]; Standards Development and Adoption,</p>
<p>Title XXX—Health Information Technology and Quality,</p>
<p>Section 3000—Definitions (also designated as 42 USC 300jj).</p>
<p><strong><em>Qualified Electronic Health Record</em></strong></p>
<p>An electronic record of health-related information on an individual that—</p>
<p>(A) Includes patient demographic and clinical health information, such as medical history and problem lists; and</p>
<p>(B) Has the capacity—</p>
<ol>
<li>To provide clinical decision support;</li>
<li>To support physician order entry;</li>
<li>To capture and query information relevant to health care quality; and</li>
<li>To exchange electronic health information with, and integrate such information from other sources.</li>
</ol>
<p><strong><em>State</em></strong></p>
<p>Each of the several states, the District of Columbia, Puerto Rico, the Virgin Islands, Guam, American Samoa, and the Northern Mariana Islands.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2009/11/exploring-hipaa-and-hitech-act-definitions-part-10/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Exploring HIPAA and HITECH Act Definitions: Part 9</title>
		<link>http://www.hipaa.com/2009/11/exploring-hipaa-and-hitech-act-definitions-part-9/</link>
		<comments>http://www.hipaa.com/2009/11/exploring-hipaa-and-hitech-act-definitions-part-9/#comments</comments>
		<pubDate>Mon, 23 Nov 2009 19:00:29 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[business associate]]></category>
		<category><![CDATA[Code of Federal Regulations]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[covered entity]]></category>
		<category><![CDATA[definition]]></category>
		<category><![CDATA[effective]]></category>
		<category><![CDATA[EHR]]></category>
		<category><![CDATA[electronic health record]]></category>
		<category><![CDATA[enabling regulations]]></category>
		<category><![CDATA[February 17]]></category>
		<category><![CDATA[Federal Food Drug and Cosmetic Act]]></category>
		<category><![CDATA[Federal Register]]></category>
		<category><![CDATA[health information technology]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[laboratory]]></category>
		<category><![CDATA[National Coordinator]]></category>
		<category><![CDATA[Office of the National Coordinator for Health Information Technology]]></category>
		<category><![CDATA[ONCHIT]]></category>
		<category><![CDATA[pharmacist]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[securing of protected health information]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Standards]]></category>
		<category><![CDATA[statute]]></category>
		<category><![CDATA[timeline]]></category>
		<category><![CDATA[transaction & code set]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=1983</guid>
		<description><![CDATA[From now through November, HIPAA.com is providing a run through of HIPAA transaction &#38; code set, privacy, and security definitions, along with relevant HITECH Act definitions pertaining to breach notification, securing of protected health information, and electronic health record (EHR) standards development and adoption.  These definitions are key to understanding the referenced HIPAA and HITECH Act enabling regulations that are effective now and that will require compliance by covered entities and business associates now or in the months ahead, as indicated in HIPAA.com’s timeline.  ]]></description>
			<content:encoded><![CDATA[<p>From now through November, HIPAA.com is providing a run through of HIPAA transaction &amp; code set, privacy, and security definitions, along with relevant HITECH Act definitions pertaining to breach notification, securing of protected health information, and electronic health record (EHR) standards development and adoption. These definitions are key to understanding the referenced HIPAA and HITECH Act enabling regulations that are effective now and that will require compliance by covered entities and business associates now or in the months ahead, as indicated in HIPAA.com’s timeline. Each posting will contain three definitions, with a date reference to the Federal Register, Code of Federal Regulations (CFR), or statute, as appropriate.</p>
<p><em>Exploring HIPAA and HITECH Act Definitions: Parts 6-10</em> include definitions from:</p>
<p>American Recovery and Reinvestment Act of 2009 (February 17, 2009, pp.228-229),</p>
<p>Health Information Technology for Economic and Clinical Health Act,</p>
<p>Title XIII—Health Information Technology,</p>
<p>Subtitle A—Promotion of Health Information Technology,</p>
<p>Section 13101—ONCHIT [Office of the National Coordinator for Health Information Technology]; Standards Development and Adoption,</p>
<p>Title XXX—Health Information Technology and Quality,</p>
<p>Section 3000—Definitions (also designated as 42 USC 300jj).</p>
<p><strong><em>Laboratory</em></strong></p>
<p>Has the meaning given such term in section 353(a).</p>
<p><strong><em>National Coordinator</em></strong></p>
<p>The head of the Office of the National Coordinator for Health Information Technology established under section 3001(a).</p>
<p><strong><em>Pharmacist</em></strong></p>
<p>Has the meaning given such term in section 804(2) of the Federal Food, Drug, and Cosmetic Act.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2009/11/exploring-hipaa-and-hitech-act-definitions-part-9/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Exploring HIPAA and HITECH Act Definitions: Part 8</title>
		<link>http://www.hipaa.com/2009/11/exploring-hipaa-and-hitech-act-definitions-part-8/</link>
		<comments>http://www.hipaa.com/2009/11/exploring-hipaa-and-hitech-act-definitions-part-8/#comments</comments>
		<pubDate>Thu, 19 Nov 2009 16:30:56 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[business associate]]></category>
		<category><![CDATA[Code of Federal Regulations]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[covered entity]]></category>
		<category><![CDATA[definition]]></category>
		<category><![CDATA[effective]]></category>
		<category><![CDATA[EHR]]></category>
		<category><![CDATA[electronic health record]]></category>
		<category><![CDATA[enabling regulations]]></category>
		<category><![CDATA[February 17]]></category>
		<category><![CDATA[Federal Register]]></category>
		<category><![CDATA[health care clearinghouse]]></category>
		<category><![CDATA[health information technology]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HIT Policy Committee]]></category>
		<category><![CDATA[HIT Standards Committee]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[Individually Identifiable Health Information]]></category>
		<category><![CDATA[Office of the National Coordinator for Health Information Technology]]></category>
		<category><![CDATA[ONCHIT]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[securing of protected health information]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Standards]]></category>
		<category><![CDATA[statute]]></category>
		<category><![CDATA[timeline]]></category>
		<category><![CDATA[transaction & code set]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=1979</guid>
		<description><![CDATA[From now through November, HIPAA.com is providing a run through of HIPAA transaction &#38; code set, privacy, and security definitions, along with relevant HITECH Act definitions pertaining to breach notification, securing of protected health information, and electronic health record (EHR) standards development and adoption.  These definitions are key to understanding the referenced HIPAA and HITECH Act enabling regulations that are effective now and that will require compliance by covered entities and business associates now or in the months ahead, as indicated in HIPAA.com’s timeline.]]></description>
			<content:encoded><![CDATA[<p>From now through November, HIPAA.com is providing a run through of HIPAA transaction &amp; code set, privacy, and security definitions, along with relevant HITECH Act definitions pertaining to breach notification, securing of protected health information, and electronic health record (EHR) standards development and adoption. These definitions are key to understanding the referenced HIPAA and HITECH Act enabling regulations that are effective now and that will require compliance by covered entities and business associates now or in the months ahead, as indicated in HIPAA.com’s timeline. Each posting will contain three definitions, with a date reference to the Federal Register, Code of Federal Regulations (CFR), or statute, as appropriate.</p>
<p><em>Exploring HIPAA and HITECH Act Definitions: Parts 6-10</em> include definitions from:</p>
<p>American Recovery and Reinvestment Act of 2009 (February 17, 2009, pp.228-229),</p>
<p>Health Information Technology for Economic and Clinical Health Act,</p>
<p>Title XIII—Health Information Technology,</p>
<p>Subtitle A—Promotion of Health Information Technology,</p>
<p>Section 13101—ONCHIT [Office of the National Coordinator for Health Information Technology]; Standards Development and Adoption,</p>
<p>Title XXX—Health Information Technology and Quality,</p>
<p>Section 3000—Definitions (also designated as 42 USC 300jj).</p>
<p><strong><em>HIT Policy Committee</em></strong></p>
<p>Such Committee established under section 3002(a).[1]</p>
<p><strong><em>HIT Standards Committee</em></strong></p>
<p>Such Committee established under section 3003(a).[2]</p>
<p><strong><em>Individually Identifiable Health Information</em></strong></p>
<p>Has the meaning given such term in section 1171(6) of the Social Security Act:</p>
<p>“Any information, including demographic information collected from an individual, that—</p>
<p>(A) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and</p>
<p>(B) Relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and—</p>
<ol>
<li>Identifies the individual; or</li>
<li>With respect to which there is a reasonable basis to believe that the information can be used to identify the individual.”</li>
</ol>
<p>[1] <em>HIT Policy Committee (Establishment)</em>.<br />
[2] <em>HIT Standards Committee (Establishment)</em>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2009/11/exploring-hipaa-and-hitech-act-definitions-part-8/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Exploring HIPAA and HITECH Act Definitions: Part 7</title>
		<link>http://www.hipaa.com/2009/11/exploring-hipaa-and-hitech-act-definitions-part-7/</link>
		<comments>http://www.hipaa.com/2009/11/exploring-hipaa-and-hitech-act-definitions-part-7/#comments</comments>
		<pubDate>Tue, 17 Nov 2009 18:08:40 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[business associate]]></category>
		<category><![CDATA[Code of Federal Regulations]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[covered entity]]></category>
		<category><![CDATA[definition]]></category>
		<category><![CDATA[effective]]></category>
		<category><![CDATA[EHR]]></category>
		<category><![CDATA[electronic health record]]></category>
		<category><![CDATA[enabling regulations]]></category>
		<category><![CDATA[February 17]]></category>
		<category><![CDATA[Federal Register]]></category>
		<category><![CDATA[hardware]]></category>
		<category><![CDATA[health care clearinghouse]]></category>
		<category><![CDATA[health information]]></category>
		<category><![CDATA[health information technology]]></category>
		<category><![CDATA[health plan]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[intellectual property]]></category>
		<category><![CDATA[Medicaid]]></category>
		<category><![CDATA[Medicare]]></category>
		<category><![CDATA[Office of the National Coordinator for Health Information Technology]]></category>
		<category><![CDATA[ONCHIT]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[securing of protected health information]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[software]]></category>
		<category><![CDATA[Standards]]></category>
		<category><![CDATA[statute]]></category>
		<category><![CDATA[timeline]]></category>
		<category><![CDATA[transaction & code set]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=1976</guid>
		<description><![CDATA[From now through November, HIPAA.com is providing a run through of HIPAA transaction &#38; code set, privacy, and security definitions, along with relevant HITECH Act definitions pertaining to breach notification, securing of protected health information, and electronic health record (EHR) standards development and adoption. These definitions are key to understanding the referenced HIPAA and HITECH Act enabling regulations that are effective now and that will require compliance by covered entities and business associates now or in the months ahead, as indicated in HIPAA.com’s timeline. ]]></description>
			<content:encoded><![CDATA[<p>From now through November, HIPAA.com is providing a run through of HIPAA transaction &amp; code set, privacy, and security definitions, along with relevant HITECH Act definitions pertaining to breach notification, securing of protected health information, and electronic health record (EHR) standards development and adoption. These definitions are key to understanding the referenced HIPAA and HITECH Act enabling regulations that are effective now and that will require compliance by covered entities and business associates now or in the months ahead, as indicated in HIPAA.com’s timeline. Each posting will contain three definitions, with a date reference to the Federal Register, Code of Federal Regulations (CFR), or statute, as appropriate.</p>
<p><em>Exploring HIPAA and HITECH Act Definitions: Parts 6-10</em> include definitions from:</p>
<p>American Recovery and Reinvestment Act of 2009 (February 17, 2009, pp.228-229),</p>
<p>Health Information Technology for Economic and Clinical Health Act,</p>
<p>Title XIII—Health Information Technology,</p>
<p>Subtitle A—Promotion of Health Information Technology,</p>
<p>Section 13101—ONCHIT [Office of the National Coordinator for Health Information Technology]; Standards Development and Adoption,</p>
<p>Title XXX—Health Information Technology and Quality,</p>
<p>Section 3000—Definitions (also designated as 42 USC 300jj).</p>
<p><strong><em>Health Information</em></strong></p>
<p>Has the meaning given such term in section 1171(4) of the Social Security Act:</p>
<p>“Any information, whether oral or recorded in any form or medium, that—</p>
<p>(A) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and</p>
<p>(B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.”</p>
<p><strong><em>Health Information Technology</em></strong></p>
<p>Hardware, software, integrated technologies or related licenses, intellectual property, upgrades, or packaged solutions sold as services that are designed for or support the use by health care entities or patients for the electronic creation, maintenance, access, or exchange of health information.</p>
<p><strong><em>Health Plan</em></strong></p>
<p>Has the meaning given such term in section 1171(5) of the Social Security Act:</p>
<p>“An individual or group plan that provides, or pays the cost of, medical care (as such term is defined in section 2791 of the Public Health Service Act). Such term includes the following, and any combination thereof:</p>
<p>(A) A group health plan (as defined in section 2791(a) of the Public Health Service Act), but only if the plan—</p>
<ol>
<li>Has 50 or more participants (as defined in section 3(7) of the Employee Retirement Income Security Act of 1974); or</li>
<li>Is administered by an entity other than the employer who established and maintains the plan.</li>
</ol>
<p>(B) A health insurance issuer (as defined in section 2791(b) of the Public Health Service Act).</p>
<p>(C) A health maintenance organization (as defined in section 2791(b) of the Public Health Service Act).</p>
<p>(D) Part A, B, or C of the Medicare program under title XVIII.</p>
<p>(E) The Medicaid program under title XIX.</p>
<p>(F) A Medicare supplemental policy (as defined in section 1882(g)(1)).</p>
<p>(G) A long-term care policy, including a nursing home fixed indemnity policy (unless the Secretary [of HHS] determines that such a policy does not provide sufficiently comprehensive coverage of a benefit so that the policy should be treated as a health plan).</p>
<p>(H) An employee welfare benefit plan or any other arrangement which is established or maintained for the purpose of offering or providing health benefits to the employees of 2 or more employers.</p>
<p>(I) The health care program for active military personnel under title 10, United States Code.</p>
<p>(J) The veterans health care program under chapter 17 of title 38, United States Code.</p>
<p>(K) The Civilian Health and Medical Program of the Uniformed Services (CHAMPUS), as defined in section 1072(4) of title 10, United States Code.</p>
<p>(L) The Indian health service program under the Indian Health Care Improvement Act (25 U.S.C. 1601 et seq.).</p>
<p>(M) The Federal Employees Health Benefit Plan under chapter 89 of title 5, United States Code.”</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2009/11/exploring-hipaa-and-hitech-act-definitions-part-7/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HITECH and HIPAA Training: Time to Double Down</title>
		<link>http://www.hipaa.com/2009/11/hitech-and-hipaa-training-time-to-double-down/</link>
		<comments>http://www.hipaa.com/2009/11/hitech-and-hipaa-training-time-to-double-down/#comments</comments>
		<pubDate>Fri, 13 Nov 2009 16:12:56 +0000</pubDate>
		<dc:creator>Edward Shay</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[business associates]]></category>
		<category><![CDATA[civil penalties]]></category>
		<category><![CDATA[compliance audits]]></category>
		<category><![CDATA[corrective action]]></category>
		<category><![CDATA[covered entities]]></category>
		<category><![CDATA[Enforcement]]></category>
		<category><![CDATA[HIPAA PRIVACY RULE]]></category>
		<category><![CDATA[HIPAA Security Rule]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[HITECH enforcement]]></category>
		<category><![CDATA[medical record]]></category>
		<category><![CDATA[minimum necessary]]></category>
		<category><![CDATA[PHI]]></category>
		<category><![CDATA[Privacy Rule violations]]></category>
		<category><![CDATA[protected health information]]></category>
		<category><![CDATA[re-training]]></category>
		<category><![CDATA[regulation]]></category>
		<category><![CDATA[Secretary of HHS]]></category>
		<category><![CDATA[state attorneys general]]></category>
		<category><![CDATA[third party payer]]></category>
		<category><![CDATA[thirty-day corrective action grace period]]></category>
		<category><![CDATA[Training]]></category>
		<category><![CDATA[unsecured breach]]></category>
		<category><![CDATA[whistleblower]]></category>
		<category><![CDATA[willful neglect]]></category>
		<category><![CDATA[workforce]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=1995</guid>
		<description><![CDATA[As the healthcare industry continues to digest profound HITECH changes to HIPAA Privacy and Security rules, two observations already are apparent and indisputable for covered entities and their business associates.  First, time and resources spent on a workforce that is well-trained on the Privacy and Security rules will be an investment of exponential value. Second, enforcement of those same rules will make negligent and uncorrected errors very costly. A well-trained workforce makes fewer mistakes, and identifies and fixes those that it makes. A workforce that violates the rules because it does not know them or does not care to know them makes an inviting target for HITECH’s new enforcement initiatives. The lesson seems clear: train on HITECH and re-train on existing HIPAA rules--or pay some new and onerous penalties for workforce mistakes.]]></description>
			<content:encoded><![CDATA[
<p>As the healthcare industry continues to digest profound HITECH changes to HIPAA Privacy and Security rules, two observations already are apparent and indisputable for covered entities and their business associates.  First, time and resources spent on a workforce that is well-trained on the Privacy and Security rules will be an investment of exponential value. Second, enforcement of those same rules will make negligent and uncorrected errors very costly. A well-trained workforce makes fewer mistakes, and identifies and fixes those that it makes. A workforce that violates the rules because it does not know them or does not care to know them makes an inviting target for HITECH’s new enforcement initiatives. The lesson seems clear: train on HITECH and re-train on existing HIPAA rules&#8211;or pay some new and onerous penalties for workforce mistakes.</p>
<p>Here are three hard truths about the HITECH amendments. First, after HITECH, penalties for each violation of HIPAA can now exceed civil penalties for violating the anti-kickback statute. Second, HITECH mandates much more enforcement by HHS, including compliance audits, and allows enforcement by state Attorneys General. Third, under the recently adopted breach notification rules, covered entities are required to submit logs of protected health information (PHI) breaches to the Secretary of HHS annually. Because by definition each of those reported “breaches” involves a violation of the Privacy Rule, covered entities also will be informing the Secretary of their Privacy Rule violations. You won’t have to worry about possible whistleblowers; you are the whistleblower.</p>
<p>One major piece of good news in HITECH is that Congress provided that unless a violation is caused by willful neglect, penalties for the violation may be avoided by taking corrective action within 30 days. This is where training comes in, and where training pays off. A vigorous training program enables the workforce of a covered entity to identify violations quickly because the workforce knows which PHI uses and disclosures are proper and which are not. For example, if workforce members do not understand the concept of “minimum necessary”, they will not know that sending an entire medical record to a third party payer is highly likely to violate the Privacy Rule. If workforce members know what the “minimum necessary” disclosure is, they will either avoid an improper disclosure or move to correct it within the thirty-day corrective action grace period.</p>
<p>As with so many other areas of HIPAA, HITECH introduces many new concepts. New regulations have been published on unsecured breaches and more regulations are coming on privacy, security, and enforcement. Making these rules comprehensible to your workforce members (including management) and applicable to your environment requires training—and some re-training on the existing HIPAA Privacy and Security rules and how they all fit together.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2009/11/hitech-and-hipaa-training-time-to-double-down/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

