
ONC announces HITECH amendments to HIPAA privacy, security and enforcement rules

David Harlow

The federales announced a new set of HIPAA regulations today (to be published in the Federal Register on July 14) in a press conference featuring Kathleen Sebelius (HHS Secretary), Georgina Verdugo (HHS OCR Director) and David Blumenthal (ONC Director).  The HIPAA changes are essentially mandated by the HITECH Act.  From the HHS presser:

The proposed rule announced today would strengthen and expand enforcement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Enforcement Rules by:

  • expanding individuals’ rights to access their information and to restrict certain types of disclosures of protected health information to health plans;
  • requiring business associates of HIPAA-covered entities to be under most of the same rules as the covered entities;
  • setting new limitations on the use and disclosure of protected health information for marketing and fundraising; and
  • prohibiting the sale of protected health information without patient authorization.

Two new websites were announced as well.  One is a beefed-up version of the HIPAA data breach notification “wall of shame” (the OCR listing of reported breaches of unsecured PHI affecting 500 or more individuals, which HITECH requires HHS to post), and the other is a new HHS privacy website directed at the general public, now up at hhs.gov/healthprivacy.

This website, a joint statement from ONC and OCR posted today, and the tenor of the federales’ remarks today indicate a deep concern about public perceptions concerning privacy and security of protected health information — sort of a “what if we throw a party and nobody comes?” vibe.

This was magnified at today’s press conference by comments about maintaining individual patient control over the use and dissemination of protected health information — the proposed rule includes a revised definition of marketing (in the context of using PHI for marketing purposes), and it was interesting to hear how concerns about privacy and marketing were presented (and received, e.g. by the first questioner, patient privacy advocate Deborah Peel).  In addition, the HHS listening session road show will kick into gear on this issue because they “want these policies to have the support of the American people.”

The meaningful use final rule (which Blumenthal said today would be out “very shortly” and will include additional health care provider data security requirements), all those HITECH Act incentive dollars and, most importantly, all that highly-anticipated, interoperable-HIT-generated, health care improvement goodness depend on patient acceptance of the use of EHRs, so the concern for protection of patient privacy and security is well-placed.  It remains to be seen whether the general public is prepared to trust the medical-industrial complex in this way, and whether the medical-industrial complex will be able either to meet the high bar for meaningful use set in the proposed rule or to bend the federales to its will.

Finally, another couple of important nuggets from the NPRM:

  • Business Associates get virtually full Covered Entity treatment in the proposed rule, including exposure to the up-to-$1.5m fines … and subcontractors of business associates are reached by the long arm of the law, too.
  • Compliance dates for most of the new rules will be 180 days from publication of this rule as a final rule.  We get a year to put all of our business associate agreements in order.
  • A handful of changes not specifically required by the HITECH Act are thrown in — one example is the inclusion of “reputational harm” in addition to physical or financial harm as potentially aggravating factors in determining the amount of a fine.

I invite all readers to take a look at the NPRM, examine key issues of concern to them, and post observations, comments and questions here — and at regulations.gov once the comment period opens next week.

Comments
David Harlow

@ciphertext — Yes, EHRs make both use and misuse easier. The government has decided that ease of use, and attendant expected improvements in health care, health outcomes and efficiencies outweigh potentially easier misuse (which the government is trying to make harder, through this proposed rule, among others). Many have argued the point on this blog and elsewhere, one way and the other. The law is already well-settled that the patient “owns” the data. Problem is, the provider “owns” the record and has – and needs – physical (or electronic) control in order to use it for the benefit of the…

David Harlow

Here is the official version of the proposed HIPAA rule amendments on privacy, security and enforcement, from today’s Federal Register:
http://edocket.access.gpo.gov/2010/pdf/2010-16718.pdf

ciphertext

In an increasingly “connected” society, especially one in which personal (and non-personal) information is stored as digital data (think 0’s and 1’s); that can be copied and duplicated with exacting precision (unlike the degradation of paper copies during the copying process); and can be further communicated at near the speed of light; privacy will no longer be tenable. Previously, data was “silo’d” at physicians offices, hospital complexes, personal residences. It wasn’t easily accessible, as it required lengthy processes for transmittal (mail, courier, personal delivery, etc…) and a single instance of the information (i.e. “the document”) was viewable by a single…

Pat

I’m sick because of this HIPAA crap. My Mom is in PCU and those SOBs there won’t give me any info on her. They tell me that my brother is on some proxy, but I don’t know how that even happened. I went through this not long ago with a good friend who had no family. If Mom’s life is in danger, I want to know about it and be there. Now I can’t be until 9am!

Jack Anderson

Another important point: on pages 163-164 HHS states that HHS expects folks who have signed business associate agreements to live up to their promises, i.e., have policies and procedures in place, etc. So the other deadlines are moot; if you have signed an agreement you must be compliant, now.

Jacques Mehauf

the default must be: “DO NOT DISCLOSE, DO NOT ACCESS”++++ EVER!!!

Dr. Seker

Pronouncements about privacy are not worth the space they take up on the hard drive.
Data is being stolen, lost and usurped all of the time, facilitated by clinically disruptive HIT. What good is this crap? Even the Leapfrog Group has awakened that they are liable for their flawed and negligent recommendations coercing hospitals to buy CPOE devices.

David Harlow

@BobbyG – Haven’t had a problem with it, but I’ve posted another copy of the NPRM here: http://j.mp/ci425X

William Stetson

Recombinant Data Corp. is hosting a webinar on July 21, 2010 on HIPAA and IRB best practices for research repositories that will include a discussion about the proposed amendment and how it will affect research. For more information about the webinar, visit http://www.recomdata.com/newsletter/HIPAA_IRB_Webinar.html

BobbyG

This link
http://www.ofr.gov/OFRUpload/OFRData/2010-16718_PI.pdf
has been bad since yesterday.