California Governor Arnold Schwarzenegger vetoed a state legislature bill on October 11 that would have specified content requirements for privacy breach notifications.

California law requires businesses and state agencies that have unencrypted personal information lost, stolen, or improperly accessed from their databases to notify affected consumers. However, the law does not specify what information the notification letters must contain.

Senate bill 20 would have ensured businesses include key information in their notices, such as the type of personal information breached, a description of the incident, the date it took place, and who to contact for more information.

The bill was vetoed, Schwarzenegger wrote in his explanation, because there is no evidence of a problem with the information businesses are currently providing consumers. (more…)

The Department of Health and Human Services announced awards totaling $27.8 million to health center networks and large multi-site health centers to implement health IT.

The funds are part of the $2 billion allotted to HHS’s Health Resources and Services Administration (HRSA) under the American Recovery and Reinvestment Act to expand healthcare services to low-income and uninsured individuals.

The $27.8 million will be used to expand and upgrade health IT systems, including electronic health records, and are related to other ARRA efforts to promote the adoption and use of health IT throughout healthcare.

Eighteen grants totaling more than $22.6 million will support EHR implementations. Grants totaling more than $2.6 million will help four grantees implement other health IT-related projects, including creation of health information exchange networks. Another five grants totaling more than $2.5 million will help health centers use existing EHRs to improve patient health outcomes.

HRSA-supported health centers treated 17 million patients in 2008, 40 percent of whom have no health insurance, according to HHS.

A list of grant recipients is available through the above link. More on ARRA provisions for community health centers is available through the HHS.gov/Recovery site.

For healthcare providers seeking to participate in the federal government’s “meaningful use” incentive program, the barrier of entry may be lowering.

David Hunt, MD, chief medical officer at the Office of the National Coordinator for Health IT, indicated that criteria in the program’s first phase will focus on getting providers to purchase and begin using electronic health record systems. Hunt spoke at Health Data Management’s Health IT Stimulus Summit in Boston yesterday.

“You have to be able to send data, and [the Centers for Medicare and Medicaid Services] has to be able to receive it,” Hunt said, quoted in Health Data Management. “The big thing for 2011 is that you actually acquire this equipment and start using it.”

Hunt did not comment directly on what this meant for the criteria proposed by the Health IT Policy Committee this past summer. He noted that officials are collecting a “‘tremendous amount’ of information from many sources.”

The “meaningful use” program will provide Medicare or Medicaid bonuses to hospitals and physicians that become “meaningful” users of EHRs. Payments begin in 2011, leading many in the industry to question how ambitious the initial set of criteria can afford to be, given the low use of EHRs currently.

The program, specified in the HITECH section of the American Recovery and Reinvestment Act, leaves the details up to the Department of Health and Human Services. The Office of the National Coordinator, part of HHS, has been facilitating the process.

A proposed rule on the program is expected in December. The notice will include 60 days for public comment.

Yesterday HHS published its breach notification rule for HIPAA covered entities. Today the Federal Trade Commission’s rule appeared in print, making it official also. The FTC rule applies to entities not covered by HIPAA, primarily vendors of personal health records. The rule is effective September 24, 2009. Full compliance is required by February 22, 2010.

FTC’s rule requires vendors of personal health records and related entities to notify consumers when the security of their individually identifiable health information has been breached. Both the FTC and the HHS rules were required by provisions in the American Recovery and Reinvestment Act, signed into law this past February.

As with the HHS rule, entities must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery of the breach. Neither HHS nor FTC amended the timeline specified in the ARRA provision.

The rule specifies that notifications should be written in plain language and include, to the extent possible, a brief description of what happened, the types of information involved, steps individuals should take to protect themselves, and a brief description of what the entity is doing to investigate and mitigate the breach. The notification must provide consumers with contact information that includes a tollfree number, e-mail address, and Web site or postal address. (more…)

Last week the industry got an early look at the Department of Health and Human Service’s much-anticipated data breach notification rule. Today the rule was published in the Federal Register, making it official. The rule takes effect September 23, 2009.

“Breach Notification for Unsecured Protected Health Information” applies to all HIPAA-covered entities and HIPAA-related business associates. A separate rule is expected any day from the Federal Trade Commission, which will cover non-HIPAA related entities such as vendors of personal health records. Both rules stem from the American Recovery and Reinvestment Act. FTC released a preliminary version of its rule last week, also.

The rule defines a breach; suggests how an entity might investigate a potential breach; and establishes the steps the entity must follow should it determine that a breach has occurred.

A verified breach requires notification of the affected individuals without unreasonable delay and within 60 days of the breach’s discovery, the time frame originally specified in ARRA. Few of the 44 state breach notification laws specify a time period. California requires notification within 5 days; Florida within 45 days.

HHS, and possibly the media, will also require notification. Entities must notify HHS immediately of any breach involving 500 or more individuals; they may log smaller breaches and report them annually. Breaches of more than 500 individuals must also be reported to “prominent” media outlets in the state or jurisdiction within the same time frame as the notification to individuals.

HHS declined to further define a “prominent” media outlet, despite requests received in comments. It notes that the term is relative to the market.
(more…)

Update, September 2: HHS has posted new and revised program materials online: a transcript of its August 27 technical assistance conference, an FAQ, and a revised preliminary application template.

The first applications from aspiring health IT resource centers are due in two weeks—September 8. The Office of the National Coordinator for Health Information Technology will award grants in two additional cycles with initial deadlines in December and June. ONC announced the deadlines in a press event last week.

Program details and the full application schedule appears in the funding opportunity announcement on the Health and Human Services health IT Web site. Applications will be screened in two phases. Successful preliminary applicants will be requested to submit a full application for merit review.

  (more…)

A flurry of ARRA-related activity this week, in part driven by some August 18 deadlines for the data breach notification provisions.

The Federal Trade Commission and the Department of Health and Human Services both have final breach notification rules in hand, though neither has been published in the Federal Register. Publication is expected in the coming days, possibly as soon as tomorrow.

The HHS regulations apply to covered entities under HIPAA. The FTC rule addresses noncovered entities, in particular, vendors of personal health records.

Both rules stick close to the programs as described in ARRA. In time FTC is expected to turn over its responsibilities to HHS, but until then the industry will have to navigate both regulations. (Look for full analysis once the rules are published

HHS had a second deadline this week to issue final guidance on securing protected health information. The guidance relates to the data breach regulations, specifying the methods that render PHI unusable, unreadable, or indecipherable to unauthorized individuals. HHS issued a proposed rule in April, with final guidance to come. (more…)

The Agency for Healthcare Research and Quality will publish grant and contract solicitations for comparative effectiveness research in the fall, according to a notice in today’s Federal Register. AHRQ has $300 million appropriated through the American Recovery and Reinvestment Act to support of such research.

The ARRA funding will focus initially on 14 priority conditions established by Health and Human Services under the Medicare Prescription Drug, Improvement, and Modernization Act of 2003, according to the notice.

Since 2005 AHRQ has focused its CER efforts through the  Effective Health Care Program, which was authorized under the Medicare Prescription Drug, Improvement, and Modernization Act. The program provides “systematic reviews and develops other translational information and tools designed to inform health care decision making,” according to AHRQ, and “advances the methodology of [CER] and provides training grants to enhance the pool of researchers who can perform CER.”

Funding will begin in spring 2010. The solicitations will be published in the NIH Guide for Grants and Contracts.

In the August print issue, Journal writer Chris Dimick describes the challenges California healthcare organizations face in determining their responsibilities under tough new state law on health data breach notification and even newer federal law created by ARRA.

The breach notification requirement is not the only ARRA privacy provision shaking up healthcare organizations in California and across the country. It is just the most pressing—final rules appear this month, and organizations must be compliant within 30 days.

Three additional ARRA provisions around privacy and transparency have providers and vendors buzzing, because current electronic record systems cannot meet the requirements.

In many ways, the three provisions describe what EHR systems should be able to do, not what they can do. In the coming months it is up to the federal government to fill in the details. In the coming months and years, it will be up to providers and vendors to adapt and create systems that meet them.

Dimick’s conversations with privacy experts in California continue below, expanding to new provisions on accounting for disclosure, suppressing disclosure of treatment for services paid out-of-pocket, and providing electronic copies of electronic records.

* * *

Accounting for Disclosure

HIM professionals and others are concerned with ARRA’s new accounting for disclosures provision, which requires healthcare facilities using EHRs to provide an accounting or audit trail of all record disclosures. This represents a major change from the current HIPAA laws, which exempt disclosures for treatment purposes and routine healthcare operations. Most state laws do not address accounting for disclosures, and they rely on HIPAA to set the rules.
(more…)

The Department of Labor announced $125 million in funding for projects that train workers to pursue careers in healthcare. The department’s Employment and Training Administration (ETA) has requested proposals to spend it, due October 5.

The funding is part of $220 million appropriated by ARRA, the American Recovery and Reinvestment Act, to train workers for employment in high-growth and emerging industry sectors. The request for grant applications appeared in the July 22, 2009, issue of the Federal Register.

ETA expects to fund 45 to 65 grants ranging from approximately $2 to $5 million. The period of grant performance will be up to 36 months. (more…)