August 2009
Monthly Archive
Employee Fired for Accessing Son’s Records Reinstated
A Wisconsin woman who was fired in September 2008 for accessing her estranged son’s medical records was reinstated last month after an arbitrator deemed the punishment excessive.
After learning her son sought care at the hospital, the woman, a health unit coordinator at St. Francis Hospital for 30 years, accessed his records eight times in one year in hopes of learning his current address or when he was next scheduled for an appointment. The mother acknowledged that her actions were inappropriate, but said she accessed her son’s records to find out whether he was okay after one of his friends was murdered in 2007.
The woman was unable to contact her son because his medical records listed her residence as his home address and listed no appointments. However, after someone saw her son enter a residence, the woman sent him a birthday card to that address. The son, who is in his mid-20s, then filed a complaint with the hospital alleging she must have gotten the address through his confidential medical records, which prompted the investigation and her firing.
FTC Releases Breach Notification Rule
Yesterday HHS published its breach notification rule for HIPAA covered entities. Today the Federal Trade Commission’s rule appeared in print, making it official also. The FTC rule applies to entities not covered by HIPAA, primarily vendors of personal health records. The rule is effective September 24, 2009. Full compliance is required by February 22, 2010.
FTC’s rule requires vendors of personal health records and related entities to notify consumers when the security of their individually identifiable health information has been breached. Both the FTC and the HHS rules were required by provisions in the American Recovery and Reinvestment Act, signed into law this past February.
As with the HHS rule, entities must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery of the breach. Neither HHS nor FTC amended the timeline specified in the ARRA provision.
The rule specifies that notifications should be written in plain language and include, to the extent possible, a brief description of what happened, the types of information involved, steps individuals should take to protect themselves, and a brief description of what the entity is doing to investigate and mitigate the breach. The notification must provide consumers with contact information that includes a toll-free number, e-mail address, and Web site or postal address.
HHS Releases Breach Notification Rule
Aug 24, 2009 06:10 pm | posted by Kevin Heubusch | ARRA & Privacy and security
Last week the industry got an early look at the Department of Health and Human Services’ much-anticipated data breach notification rule. Today the rule was published in the Federal Register, making it official. The rule takes effect September 23, 2009.
“Breach Notification for Unsecured Protected Health Information” applies to all HIPAA-covered entities and HIPAA-related business associates. A separate rule is expected any day from the Federal Trade Commission, which will cover non-HIPAA related entities such as vendors of personal health records. Both rules stem from the American Recovery and Reinvestment Act. FTC released a preliminary version of its rule last week, also.
The rule defines a breach; suggests how an entity might investigate a potential breach; and establishes the steps the entity must follow should it determine that a breach has occurred.
A verified breach requires notification of the affected individuals without unreasonable delay and within 60 days of the breach’s discovery, the time frame originally specified in ARRA. Few of the 44 state breach notification laws specify a time period. California requires notification within 5 days; Florida within 45 days.
HHS, and possibly the media, will also require notification. Entities must notify HHS immediately of any breach involving 500 or more individuals; they may log smaller breaches and report them annually. Breaches of more than 500 individuals must also be reported to “prominent” media outlets in the state or jurisdiction within the same time frame as the notification to individuals.
HHS declined to further define a “prominent” media outlet, despite requests received in comments. It notes that the term is relative to the market.
Funding Deadlines for Health IT Extension Centers
Update, September 2: HHS has posted new and revised program materials online: a transcript of its August 27 technical assistance conference, an FAQ, and a revised preliminary application template.
The first applications from aspiring health IT resource centers are due in two weeks—September 8. The Office of the National Coordinator for Health Information Technology will award grants in two additional cycles with initial deadlines in December and June. ONC announced the deadlines in a press event last week.
Program details and the full application schedule appear in the funding opportunity announcement on the Health and Human Services health IT Web site. Applications will be screened in two phases. Successful preliminary applicants will be requested to submit a full application for merit review.
| Initial Cycle | Approx Funding | Preliminary Application | Preliminary Approval | Full Applications | Awardee Selection |
|---|---|---|---|---|---|
| 1 | $189,000,000 | September 8, 2009 | September 29, 2009 | November 3, 2009 | December 11, 2009 |
| 2 | $225,000,000 | December 22, 2009 | January 19, 2010 | March 2, 2010 | April 27, 2010 |
| 3 | $184,000,000 | June 1, 2010 | June 22, 2010 | August 3, 2010 | September 28, 2010 |
ARRA Updates—Week of August 16
Aug 20, 2009 01:10 pm | posted by Kevin Heubusch | ARRA
A flurry of ARRA-related activity this week, in part driven by some August 18 deadlines for the data breach notification provisions.
The Federal Trade Commission and the Department of Health and Human Services both have final breach notification rules in hand, though neither has been published in the Federal Register. Publication is expected in the coming days, possibly as soon as tomorrow.
The HHS regulations apply to covered entities under HIPAA. The FTC rule addresses noncovered entities, in particular, vendors of personal health records.
Both rules stick close to the programs as described in ARRA. In time FTC is expected to turn over its responsibilities to HHS, but until then the industry will have to navigate both regulations. (Look for full analysis once the rules are published.)
HHS had a second deadline this week to issue final guidance on securing protected health information. The guidance relates to the data breach regulations, specifying the methods that render PHI unusable, unreadable, or indecipherable to unauthorized individuals. HHS issued a proposed rule in April, with final guidance to come.
Early Notice on CER Funding
Aug 19, 2009 08:10 am | posted by Kevin Heubusch | ARRA
The Agency for Healthcare Research and Quality will publish grant and contract solicitations for comparative effectiveness research in the fall, according to a notice in today’s Federal Register. AHRQ has $300 million appropriated through the American Recovery and Reinvestment Act to support such research.
The ARRA funding will focus initially on 14 priority conditions established by Health and Human Services under the Medicare Prescription Drug, Improvement, and Modernization Act of 2003, according to the notice.
Since 2005 AHRQ has focused its CER efforts through the Effective Health Care Program, which was authorized under the Medicare Prescription Drug, Improvement, and Modernization Act. The program provides “systematic reviews and develops other translational information and tools designed to inform health care decision making,” according to AHRQ, and “advances the methodology of [CER] and provides training grants to enhance the pool of researchers who can perform CER.”
Funding will begin in spring 2010. The solicitations will be published in the NIH Guide for Grants and Contracts.
Who Has Rights to a Deceased Patient’s Records?
A son calls the HIM department and requests his deceased father’s medical records. Shortly afterward, the man’s wife requests the records, also. Then a man calls identifying himself as the executor of the estate. Who is authorized to access the records?
Determining appropriate release of a deceased patient’s medical records can be complex. HIPAA, sometimes blamed for denied requests, is rarely cause for a roadblock, however. The federal law does extend a person’s privacy rights into death, but it also explicitly requires facilities to release records to authorized individuals.
The complications typically come when a patient dies without having named a personal representative. In those instances, HIPAA defers to state law to determine access rights.
Though most state laws are sufficiently clear, the hierarchy may be complex, and some situations will still require judgment calls. Facility staff who are unclear on the law may err on the side of caution and refuse access rather than risk violating privacy laws. On the other extreme, they may release records without requesting proper verification or release them rather than upset or anger the requestor.
The best practice, experts say, is to gain knowledge of the law, share it, and request that patients identify their personal representatives during the admission process.
ARRA Privacy Provisions Present IT Challenges
In the August print issue, Journal writer Chris Dimick describes the challenges California healthcare organizations face in determining their responsibilities under tough new state law on health data breach notification and even newer federal law created by ARRA.
The breach notification requirement is not the only ARRA privacy provision shaking up healthcare organizations in California and across the country. It is just the most pressing—final rules appear this month, and organizations must be compliant within 30 days.
Three additional ARRA provisions around privacy and transparency have providers and vendors buzzing, because current electronic record systems cannot meet the requirements.
In many ways, the three provisions describe what EHR systems should be able to do, not what they can do. In the coming months it is up to the federal government to fill in the details. In the coming months and years, it will be up to providers and vendors to adapt and create systems that meet them.
Dimick’s conversations with privacy experts in California continue below, expanding to new provisions on accounting for disclosure, suppressing disclosure of treatment for services paid out-of-pocket, and providing electronic copies of electronic records.
* * *
Accounting for Disclosure
HIM professionals and others are concerned with ARRA’s new accounting for disclosures provision, which requires healthcare facilities using EHRs to provide an accounting or audit trail of all record disclosures. This represents a major change from the current HIPAA laws, which exempt disclosures for treatment purposes and routine healthcare operations. Most state laws do not address accounting for disclosures, and they rely on HIPAA to set the rules.
Journal of AHIMA – August
Aug 01, 2009 08:00 am | posted by Meg Featheringham | In the magazine
The August 2009 cover story focuses on assessing physician practice readiness for electronic health records. Other features report on what physicians need to do to prepare for the transition to ICD-10-CM/PCS, how to make denials management a part of a practice’s daily work, the fundamentals for rapidly implementing an EHR, and how California healthcare facilities are faring under its new privacy breach laws.