<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Journal of AHIMA &#187; ARRA</title>
	<atom:link href="http://journal.ahima.org/category/arra/feed/" rel="self" type="application/rss+xml" />
	<link>http://journal.ahima.org</link>
	<description>The Journal of AHIMA is published monthly by the American Health Information Management Association</description>
	<lastBuildDate>Wed, 18 Nov 2009 19:55:09 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>No Script Needed for California Breach Notification</title>
		<link>http://journal.ahima.org/2009/10/22/no-script-needed-ca-breach-notification/</link>
		<comments>http://journal.ahima.org/2009/10/22/no-script-needed-ca-breach-notification/#comments</comments>
		<pubDate>Thu, 22 Oct 2009 13:19:48 +0000</pubDate>
		<dc:creator>Chris Dimick</dc:creator>
				<category><![CDATA[ARRA]]></category>
		<category><![CDATA[Privacy and security]]></category>

		<guid isPermaLink="false">http://journal.ahima.org/?p=1184</guid>
		<description><![CDATA[California Governor Arnold Schwarzenegger vetoed a state legislature bill on October 11 that would have specified content requirements for privacy breach notifications.
California law requires businesses and state agencies that have unencrypted personal information lost, stolen, or improperly accessed from their databases to notify affected consumers. However, the law does not specify what information the notification [...]]]></description>
			<content:encoded><![CDATA[<p>California Governor Arnold Schwarzenegger vetoed a state legislature bill on October 11 that would have specified content requirements for privacy breach notifications.</p>
<p>California law requires businesses and state agencies that have unencrypted personal information lost, stolen, or improperly accessed from their databases to notify affected consumers. However, the law does not specify what information the notification letters must contain.</p>
<p><a href="http://www.leginfo.ca.gov/cgi-bin/postquery?bill_number=sb_20&amp;sess=CUR&amp;house=B&amp;search_type=email" target="_blank">Senate bill 20</a> would have ensured businesses include key information in their notices, such as the type of personal information breached, a description of the incident, the date it took place, and who to contact for more information.</p>
<p>The bill was vetoed, Schwarzenegger wrote in his explanation, because there is no evidence of a problem with the information businesses are currently providing consumers.<span id="more-1184"></span></p>
<p>The veto does not dramatically affect state healthcare organizations, which beginning September 23 must meet similar requirements under federal breach notification laws. The federal laws require companies that handle personal health information to include specific information in breach notification letters, including date of the incident and the personal information breached.</p>
<p>However, the federal provisions—part of the American Recovery and Reinvestment Act’s HITECH section—only cover healthcare businesses, leaving California organizations such as banks and educational institutions open to include as much or as little information in their breach notifications as they deem appropriate.</p>
<h5>Veto “Surprising”</h5>
<p>Senate bill 20 was proposed by state senator Joe Simitian, who said it was necessary to ensure that victims receive the information they need to understand the problem and protect themselves from harm.</p>
<p>“This is one of the most surprising vetoes I’ve gotten while I’ve been here, over nine years,” Simitian said.</p>
<p>The bill had moved through the state legislature with strong support.</p>
<p>Simitian acknowledged that the majority of the notices that go out to consumers do contain adequate, helpful information. However, he said there have been instances of vague and meaningless breach notifications.</p>
<p>A survey of data breach victims included in a 2007 University of California-Berkeley School of Law paper found that 28 percent of those receiving a breach notification did not understand the “potential consequences of the breach after reading the letter.” Simitian cited this study as well as personal conversations with confused breach notification recipients to explain why legislation is needed.</p>
<p>The proposed additions to California’s privacy law would not break new ground. Several states have added similar breach notice requirements to their privacy laws, Simitian said. Setting notification requirements could also benefit businesses by spelling out their responsibilities. Having clear-cut requirements saves businesses from guessing at what they should do to be compliant.</p>
<p>While he feels the breach notification content requirements were not necessarily a bad idea, California-based healthcare attorney Reece Hirsch said he can understand why the bill was vetoed. Hirsch, a partner with Morgan Lewis’s FDA/Healthcare regulation practice, has helped clients draft many breach notifications. The breach notification requirements proposed in the bill are considered best practices in the field and already followed, he noted.</p>
<p>“Most companies responding to a security breach under the existing law would typically include the elements that are stated in senate bill 20,” Hirsch said. “Certainly there are consumer groups who have felt that these notices are maybe confusing, not as forthcoming as they should be.</p>
<p>“But by and large I am not sure that the elements that were specified in senate bill 20 would really effect a real change in the sorts of notices that consumers are seeing under the current California law.”</p>
<h5>No Copy for the Attorney General</h5>
<p>Senate bill 20 also called on businesses to send a copy of their breach notifications to the California attorney general if the breach affected more than 500 people. The provision was included to give law enforcement and the legislature a way to track privacy breaches across industries and identify trends, Simitian said.</p>
<p>In his veto message, Schwarzenegger wrote there was “no additional consumer benefit” to the provision because the bill does not require the attorney general to do anything with the notices.</p>
<p>“I thought there was a little irony in the veto message suggesting that we didn’t have evidence of the nature of the problem, and then going on to say ‘and by the way, why on earth would you want to have a place where there is a repository of this information,’” Simitian said.</p>
<p>Under state law that took effect January 1 of this year, healthcare organizations are already required to report breaches of any size to the California Department of Public Health, Center for Health Care Quality, which has power to investigate and fine organizations.</p>
<p>However, sending a breach notice directly to the attorney general could have increased an organization’s chance of being prosecuted, Hirsch noted. The federal breach notification provisions give attorneys general the power to enforce privacy protections and take enforcement action against healthcare organizations that have experienced a breach of protected health information.</p>
<p>Though the bill was vetoed, Simitian said he will have conversations with the California governor’s office on how to get the bill passed. He plans to reintroduce the legislation next year.</p>
<h5>The Federal Content Requirements</h5>
<p>Two federal laws govern breach notification. <a href="http://journal.ahima.org/2009/08/24/hhs-releases-breach-notification-rule/" target="_blank">A rule</a> promulgated by the Department of Health and Human Services governs HIPAA covered entities; <a href="http://journal.ahima.org/2009/08/25/ftc-releases-breach-notification-rule/" target="_blank">a rule</a> published by the Federal Trade Commission applies to noncovered entities such as personal health record vendors.</p>
<p>The rule governing covered entities spells out that breach notifications must:</p>
<ul>
<li>Be written in plain language</li>
<li>Describe what happened, including the date of breach and discovery (if known)</li>
<li>Describe the types of unsecured personal information involved in the breach</li>
<li>Provide steps individuals should take to protect themselves</li>
<li>Give a brief description of what the healthcare organization is doing to investigate, mitigate harm, and protect against further breaches</li>
<li>Describe contact procedures for patient questions, including a toll-free telephone number</li>
</ul>
<p>The rule currently exists as an interim final rule, meaning that it could be modified based on public comments. The comment period ends this Friday, October 23. The FTC law governing noncovered entities has similar content requirements, though it provides less detail.</p>
<p>The California bill would have required businesses to include two items in addition to what the federal laws specify:</p>
<ul>
<li>Contact information for credit reporting agencies</li>
<li>A statement describing whether there was a delay in notification because of law enforcement investigations</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://journal.ahima.org/2009/10/22/no-script-needed-ca-breach-notification/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>$27.8 Million for IT in Community Health Centers</title>
		<link>http://journal.ahima.org/2009/09/30/27-8-million-for-it-in-community-health-centers/</link>
		<comments>http://journal.ahima.org/2009/09/30/27-8-million-for-it-in-community-health-centers/#comments</comments>
		<pubDate>Wed, 30 Sep 2009 13:54:27 +0000</pubDate>
		<dc:creator>Kevin Heubusch</dc:creator>
				<category><![CDATA[ARRA]]></category>
		<category><![CDATA[Electronic records]]></category>
		<category><![CDATA[Health information exchange]]></category>

		<guid isPermaLink="false">http://journal.ahima.org/?p=996</guid>
		<description><![CDATA[The Department of Health and Human Services announced awards totaling $27.8 million to health center networks and large multi-site health centers to implement health IT.
The funds are part of the $2 billion allotted to HHS’s Health Resources and Services Administration (HRSA) under the American Recovery and Reinvestment Act to expand healthcare services to low-income and uninsured [...]]]></description>
			<content:encoded><![CDATA[<p>The Department of Health and Human Services <a href="http://www.hhs.gov/news/press/2009pres/09/20090929a.html" target="_blank">announced</a> awards totaling $27.8 million to health center networks and large multi-site health centers to implement health IT.</p>
<p>The funds are part of the $2 billion allotted to HHS’s Health Resources and Services Administration (HRSA) under the American Recovery and Reinvestment Act to expand healthcare services to low-income and uninsured individuals.</p>
<p>The $27.8 million will be used to expand and upgrade health IT systems, including electronic health records, and is related to other ARRA efforts to promote the adoption and use of health IT throughout healthcare.</p>
<p>Eighteen grants totaling more than $22.6 million will support EHR implementations. Grants totaling more than $2.6 million will help four grantees implement other health IT-related projects, including creation of health information exchange networks. Another five grants totaling more than $2.5 million will help health centers use existing EHRs to improve patient health outcomes.</p>
<p>HRSA-supported health centers treated 17 million patients in 2008, 40 percent of whom have no health insurance, according to HHS.</p>
<p>A list of grant recipients is available through the above link. More on ARRA provisions for community health centers is available through the <a href="http://www.hhs.gov/recovery/hrsa/healthcentergrants.html" target="_blank">HHS.gov/Recovery site</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://journal.ahima.org/2009/09/30/27-8-million-for-it-in-community-health-centers/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Is Basic the New Meaningful?</title>
		<link>http://journal.ahima.org/2009/09/18/is-basic-the-new-meaningful/</link>
		<comments>http://journal.ahima.org/2009/09/18/is-basic-the-new-meaningful/#comments</comments>
		<pubDate>Fri, 18 Sep 2009 18:53:20 +0000</pubDate>
		<dc:creator>Kevin Heubusch</dc:creator>
				<category><![CDATA[ARRA]]></category>

		<guid isPermaLink="false">http://journal.ahima.org/?p=991</guid>
		<description><![CDATA[For healthcare providers seeking to participate in the federal government’s “meaningful use” incentive program, the barrier to entry may be lowering.
David Hunt, MD, chief medical officer at the Office of the National Coordinator for Health IT, indicated that criteria in the program’s first phase will focus on getting providers to purchase and begin using electronic [...]]]></description>
			<content:encoded><![CDATA[<p>For healthcare providers seeking to participate in the federal government’s “meaningful use” incentive program, the barrier to entry may be lowering.</p>
<p>David Hunt, MD, chief medical officer at the Office of the National Coordinator for Health IT, indicated that criteria in the program’s first phase will focus on getting providers to purchase and begin using electronic health record systems. Hunt spoke at <em>Health Data Management</em>’s Health IT Stimulus Summit in Boston yesterday.</p>
<p>&#8220;You have to be able to send data, and [the Centers for Medicare and Medicaid Services] has to be able to receive it,&#8221; Hunt said, quoted in <em><a href="http://www.healthdatamanagement.com/news/stimulus-38977-1.html" target="_blank">Health Data Management</a></em>. &#8220;The big thing for 2011 is that you actually acquire this equipment and start using it.&#8221;</p>
<p>Hunt did not comment directly on what this meant for the criteria proposed by the Health IT Policy Committee <a href="http://journal.ahima.org/2009/07/16/next-step-meaningful-use/" target="_blank">this past summer</a>. He noted that officials are collecting a “‘tremendous amount’ of information from many sources.”</p>
<p>The “meaningful use” program will provide Medicare or Medicaid bonuses to hospitals and physicians that become “meaningful” users of EHRs. Payments begin in 2011, leading many in the industry to question how ambitious the initial set of criteria can afford to be, given the low use of EHRs currently.</p>
<p>The program, specified in the HITECH section of the American Recovery and Reinvestment Act, leaves the details up to the Department of Health and Human Services. The Office of the National Coordinator, part of HHS, has been facilitating the process.</p>
<p>A proposed rule on the program is expected in December. The notice will include 60 days for public comment.</p>
]]></content:encoded>
			<wfw:commentRss>http://journal.ahima.org/2009/09/18/is-basic-the-new-meaningful/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>FTC Releases Breach Notification Rule</title>
		<link>http://journal.ahima.org/2009/08/25/ftc-releases-breach-notification-rule/</link>
		<comments>http://journal.ahima.org/2009/08/25/ftc-releases-breach-notification-rule/#comments</comments>
		<pubDate>Tue, 25 Aug 2009 15:46:25 +0000</pubDate>
		<dc:creator>Kevin Heubusch</dc:creator>
				<category><![CDATA[ARRA]]></category>
		<category><![CDATA[Personal health records]]></category>
		<category><![CDATA[Privacy and security]]></category>

		<guid isPermaLink="false">http://journal.ahima.org/?p=947</guid>
		<description><![CDATA[Yesterday HHS published its breach notification rule for HIPAA covered entities. Today the Federal Trade Commission’s rule appeared in print, making it official also. The FTC rule applies to entities not covered by HIPAA, primarily vendors of personal health records. The rule is effective September 24, 2009. Full compliance is required by February 22, 2010.
FTC’s [...]]]></description>
			<content:encoded><![CDATA[<p>Yesterday HHS published its breach notification rule for HIPAA covered entities. Today the Federal Trade Commission’s rule <a href="http://edocket.access.gpo.gov/2009/pdf/E9-20142.pdf" target="_blank">appeared in print</a>, making it official also. The FTC rule applies to entities not covered by HIPAA, primarily vendors of personal health records. The rule is effective September 24, 2009. Full compliance is required by February 22, 2010.</p>
<p>FTC’s rule requires vendors of personal health records and related entities to notify consumers when the security of their individually identifiable health information has been breached. Both the FTC and the HHS rules were required by provisions in the American Recovery and Reinvestment Act, signed into law this past February.</p>
<p>As with the HHS rule, entities must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery of the breach. Neither HHS nor FTC amended the timeline specified in the ARRA provision.</p>
<p>The rule specifies that notifications should be written in plain language and include, to the extent possible, a brief description of what happened, the types of information involved, steps individuals should take to protect themselves, and a brief description of what the entity is doing to investigate and mitigate the breach. The notification must provide consumers with contact information that includes a toll-free number, e-mail address, and Web site or postal address. <span id="more-947"></span></p>
<p>Entities must notify the FTC, also. They must report breaches involving more than 500 people within 10 business days of discovery. This doubled the amount of time in the proposed rule. Commenters expressed concern that 5 days may not be enough time to properly investigate the incident prior to reporting it. That change may get attention in California, where state law requires healthcare entities to notify both consumers and the state of breaches within 5 days.</p>
<p>The final page of the <em>Federal Register</em> notice includes a form that PHR vendors may use to file breach reports.</p>
<p>The FTC rule does not apply to HIPAA-covered entities or to “any other entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity.&#8221; However, there could be instances where a company serves as both a business associate of a HIPAA-covered entity and a vendor of PHRs to the public. That entity could be subject to both the HHS and FTC rules. The final rule provides several examples.</p>
<h5>The Definitions</h5>
<p>The rule defines a PHR as an &#8220;electronic record of PHR identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.&#8221; The rule offers further definition of what information constitutes PHR identifiable health information.</p>
<p>Paper PHRs are not covered by the rule, because ARRA legislation specified a rule on electronic records only.</p>
<p>FTC defines a ‘‘PHR related entity’’ as an entity that &#8220;(1) offers products or services through the Web site of a vendor of personal health records; (2) offers products or services through the Web sites of HIPAA-covered entities that offer individuals PHRs; or (3) accesses information in a personal health record or sends information to a personal health record.”</p>
<p>The final rule adopts the definition of breach provided in the proposed rule: &#8220;the acquisition of unsecured PHR identifiable health information of an individual in a personal health record without the authorization of the individual.&#8221;</p>
<h5>Preemption</h5>
<p>Preemption of state law does apply, with FTC clarifying that the final rule preempts only contrary state laws.</p>
<p>A state law is contrary if it would be impossible to comply with both state and federal requirements or if the state law “stands as an obstacle to the accomplishment and execution of the full purposes and objectives’’ of the federal requirements.</p>
<p>The rule does not preempt state laws imposing additional—as opposed to contradictory—breach notification requirements.</p>
]]></content:encoded>
			<wfw:commentRss>http://journal.ahima.org/2009/08/25/ftc-releases-breach-notification-rule/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HHS Releases Breach Notification Rule</title>
		<link>http://journal.ahima.org/2009/08/24/hhs-releases-breach-notification-rule/</link>
		<comments>http://journal.ahima.org/2009/08/24/hhs-releases-breach-notification-rule/#comments</comments>
		<pubDate>Mon, 24 Aug 2009 23:10:41 +0000</pubDate>
		<dc:creator>Kevin Heubusch</dc:creator>
				<category><![CDATA[ARRA]]></category>
		<category><![CDATA[Privacy and security]]></category>

		<guid isPermaLink="false">http://journal.ahima.org/?p=941</guid>
		<description><![CDATA[Last week the industry got an early look at the Department of Health and Human Services’ much-anticipated data breach notification rule. Today the rule was published in the Federal Register, making it official. The rule takes effect September 23, 2009.
“Breach Notification for Unsecured Protected Health Information” applies to all HIPAA-covered entities and HIPAA-related business associates. [...]]]></description>
			<content:encoded><![CDATA[<p>Last week the industry got an early look at the Department of Health and Human Services’ much-anticipated data breach notification rule. Today the rule was published in the <a href="http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf" target="_blank"><em>Federal Register</em></a>, making it official. The rule takes effect September 23, 2009.</p>
<p>“Breach Notification for Unsecured Protected Health Information” applies to all HIPAA-covered entities and HIPAA-related business associates. A separate rule is expected any day from the Federal Trade Commission, which will cover non-HIPAA related entities such as vendors of personal health records. Both rules stem from the American Recovery and Reinvestment Act. FTC released a preliminary version of its rule last week, also.</p>
<p>The rule defines a breach; suggests how an entity might investigate a potential breach; and establishes the steps the entity must follow should it determine that a breach has occurred. </p>
<p>A verified breach requires notification of the affected individuals without unreasonable delay and within 60 days of the breach’s discovery, the time frame originally specified in ARRA. Few of the 44 state breach notification laws specify a time period. California requires notification within 5 days; Florida within 45 days.</p>
<p>HHS, and possibly the media, will also require notification. Entities must notify HHS immediately of any breach involving 500 or more individuals; they may log smaller breaches and report them annually. Breaches of more than 500 individuals must also be reported to “prominent” media outlets in the state or jurisdiction within the same time frame as the notification to individuals.</p>
<p>HHS declined to further define a “prominent” media outlet, despite requests received in comments. It notes that the term is relative to the market.<br />
<span id="more-941"></span></p>
<h5>Dust off the Business Associate Agreements</h5>
<p>Under the rule, business associates must notify covered entities of breaches they discover no later than 60 days following their discovery. The covered entity is responsible for notifying the affected individuals.</p>
<p>If the business associate is acting as an agent of the covered entity, then the business associate’s discovery of the breach will be imputed to the covered entity. The covered entity must provide breach notifications based on the time the business associate discovered the breach, not from the time the business associate informed the covered entity.</p>
<p>However, if the business associate is an independent contractor of the covered entity, then the covered entity must provide notification based on the time the business associate notified it of the breach. HHS notes that “covered entities may wish to address the timing of the notification in their business associate contracts.”</p>
<h5>Final, yet Interim</h5>
<p>In order to (almost) meet its ARRA-imposed deadline, HHS issued an interim final rule, meaning that modifications may still come. In effect, entities must prepare to comply with the law before its 60-day comment period has expired.</p>
<p>HHS is taking comments on the rule in two parts. Comments on the rule’s information collection requirements are due September 8. Presumably, if there’s a problem with the collection requirements, HHS wants to know before the rule goes into effect.</p>
<p>Comments on the overall provisions of the rule are due by October 23, 2009.</p>
<h5>Let the Preemption Begin</h5>
<p>Contrary state law will be preempted by the breach notification regulations. HHS has already heard about this issue, and in the interim final rule it requests more feedback.</p>
<p>HHS refers to HIPAA for the definition of “contrary,” writing, “a State law is contrary if ‘a covered entity could find it impossible to comply with both the State and federal requirements’ or if the State law ‘stands as an obstacle to the accomplishment and execution of the full purposes and objectives’ of the breach notification provisions in the Act.”</p>
<p>HHS believes that in general covered entities can comply with both state laws and its regulation. For example, it notes that, “in most cases,” it believes a single notification can satisfy requirements under both state and federal law.</p>
<p>California may be the caveat in HHS’s belief. In many ways the state’s breach laws are stricter than the HHS rule and may make it difficult for an entity to meet both laws with a single notice. That’s the topic of a <a href="http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_044376.hcsp?dDocName=bok1_044376" target="_blank">story in this month’s print journal</a>, which takes a look at how California entities are teasing apart state and federal breach notification laws. They highlight the challenge organizations everywhere face in determining responsibilities under ARRA’s new privacy regulations.</p>
<p>In <a href="http://journal.ahima.org/2009/07/07/cas-new-privacy-laws/" target="_blank">“Reports Pour in under CA’s New Privacy Laws,”</a> the Journal reports on the California Department of Public Health, which has been fielding and investigating incidents of unauthorized record access since California’s new breach notification laws took effect on January 1.</p>
]]></content:encoded>
			<wfw:commentRss>http://journal.ahima.org/2009/08/24/hhs-releases-breach-notification-rule/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Funding Deadlines for Health IT Extension Centers</title>
		<link>http://journal.ahima.org/2009/08/24/funding-deadlines-for-health-it-extension-centers/</link>
		<comments>http://journal.ahima.org/2009/08/24/funding-deadlines-for-health-it-extension-centers/#comments</comments>
		<pubDate>Mon, 24 Aug 2009 17:40:15 +0000</pubDate>
		<dc:creator>Kevin Heubusch</dc:creator>
				<category><![CDATA[ARRA]]></category>
		<category><![CDATA[Electronic records]]></category>
		<category><![CDATA[Health information exchange]]></category>
		<category><![CDATA[Workforce]]></category>

		<guid isPermaLink="false">http://journal.ahima.org/?p=928</guid>
		<description><![CDATA[Update, September 2: HHS has posted new and revised program materials online: a transcript of its August 27 technical assistance conference, an FAQ, and a revised preliminary application template.
The first applications from aspiring health IT resource centers are due in two weeks—September 8. The Office of the National Coordinator for Health Information Technology will award grants in [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Update, September 2:</strong> HHS has posted <a href="http://healthit.hhs.gov/extensionprogram" target="_blank">new and revised program materials online</a>: a transcript of its August 27 technical assistance conference, an FAQ, and a revised preliminary application template.</p>
<p>The first applications from aspiring health IT resource centers are due in two weeks—September 8. The Office of the National Coordinator for Health Information Technology will award grants in two additional cycles with initial deadlines in December and June. ONC announced the deadlines in a press event last week.</p>
<p>Program details and the full application schedule appear in the <a href="http://healthit.hhs.gov/portal/server.pt?open=512&amp;objID=1335&amp;parentname=CommunityPage&amp;parentid=47&amp;mode=2&amp;in_hi_userid=11113&amp;cached=true#3" target="_blank">funding opportunity announcement</a> on the Health and Human Services health IT Web site. Applications will be screened in two phases. Successful preliminary applicants will be requested to submit a full application for merit review.</p>
<table border="1" cellspacing="0" cellpadding="0">
<thead>
<tr>
<td valign="top"><strong>Initial Cycle</strong></td>
<td valign="top"><strong>Approx Funding</strong></td>
<td valign="top"><strong>Preliminary Application</strong></td>
<td valign="top"><strong>Preliminary Approval</strong></td>
<td valign="top"><strong>Full Applications</strong></td>
<td valign="top"><strong>Awardee Selection</strong></td>
</tr>
<tr>
<td valign="top">1</td>
<td valign="top">$189,000,000</td>
<td valign="top">September 8, 2009</td>
<td valign="top">September 29, 2009</td>
<td valign="top">November 3, 2009</td>
<td valign="top">December 11, 2009</td>
</tr>
<tr>
<td valign="top">2</td>
<td valign="top">$225,000,000</td>
<td valign="top">December 22, 2009</td>
<td valign="top">January 19, 2010</td>
<td valign="top">March 2, 2010</td>
<td valign="top">April 27, 2010</td>
</tr>
<tr>
<td valign="top">3</td>
<td valign="top">$184,000,000</td>
<td valign="top">June 1, 2010</td>
<td valign="top">June 22, 2010</td>
<td valign="top">August 3, 2010</td>
<td valign="top">September 28, 2010</td>
</tr>
</thead>
<tbody></tbody>
</table>
<p> <span id="more-928"></span></p>
<p>The centers are part of the HITECH Act in the American Recovery and Reinvestment Act (ARRA). ONC released a <a href="http://journal.ahima.org/2009/05/28/onc-drafts-health-it-extension-program/" target="_blank">draft plan</a> for public comment in late May.</p>
<p>The regional centers will furnish education, outreach, and technical assistance to help providers select, successfully implement, and meaningfully use certified EHR technology.  They will also help providers achieve, through appropriate available infrastructures, exchange of health information in compliance with applicable statutory and regulatory requirements, and patient preferences.</p>
<p>ONC expects to establish 70 or more centers supporting 100,000 primary care providers. Each center will serve a defined geographic area.</p>
]]></content:encoded>
			<wfw:commentRss>http://journal.ahima.org/2009/08/24/funding-deadlines-for-health-it-extension-centers/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>ARRA Updates—Week of August 16</title>
		<link>http://journal.ahima.org/2009/08/20/arra-updates%e2%80%94week-of-august-16/</link>
		<comments>http://journal.ahima.org/2009/08/20/arra-updates%e2%80%94week-of-august-16/#comments</comments>
		<pubDate>Thu, 20 Aug 2009 18:10:23 +0000</pubDate>
		<dc:creator>Kevin Heubusch</dc:creator>
				<category><![CDATA[ARRA]]></category>

		<guid isPermaLink="false">http://journal.ahima.org/?p=919</guid>
		<description><![CDATA[A flurry of ARRA-related activity this week, in part driven by some August 18 deadlines for the data breach notification provisions.
The Federal Trade Commission and the Department of Health and Human Services both have final breach notification rules in hand, though neither has been published in the Federal Register. Publication is expected in the coming [...]]]></description>
			<content:encoded><![CDATA[<p>A flurry of ARRA-related activity this week, in part driven by some August 18 deadlines for the data breach notification provisions.</p>
<p>The Federal Trade Commission and the Department of Health and Human Services both have final breach notification rules in hand, though neither has been published in the <em><a href="http://www.gpoaccess.gov/fr/browse.html" target="_blank">Federal Register</a></em>. Publication is expected in the coming days, possibly as soon as tomorrow.</p>
<p>The HHS regulations apply to covered entities under HIPAA. The FTC rule addresses noncovered entities, in particular, vendors of personal health records.</p>
<p>Both rules stick close to the programs as described in ARRA. In time FTC is expected to turn over its responsibilities to HHS, but until then the industry will have to navigate both regulations. (Look for full analysis once the rules are published.)</p>
<p>HHS had a second deadline this week to issue final guidance on securing protected health information. The guidance relates to the data breach regulations, specifying the methods that render PHI unusable, unreadable, or indecipherable to unauthorized individuals. HHS issued a <a href="http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/guidance_breachnotice.html" target="_blank">proposed rule</a> in April, with final guidance to come.<span id="more-919"></span></p>
<p>The <a href="http://healthit.hhs.gov/portal/server.pt?open=512&amp;objID=1269&amp;parentname=CommunityPage&amp;parentid=5&amp;mode=2" target="_blank">Health IT Policy Committee</a>, created under ARRA to advise HHS’s Office of the National Coordinator for Health IT, accepted a subcommittee recommendation that multiple bodies be authorized to certify health IT products as part of the ARRA “meaningful use” adoption incentives. The full committee in turn made the recommendation to the Office of the National Coordinator, which, in coordination with the Centers for Medicare and Medicaid Services, will ultimately determine the details of the program this fall. The committee recommended that the Certification Commission for Healthcare Information Technology, the only current certifying body, serve solo in the near term.</p>
<p>Today HHS secretary Kathleen Sebelius and vice president Joseph Biden held a press event highlighting the $1.2 billion in ARRA provisions for regional health IT centers and a nationwide health information exchange network.</p>
<p>On Tuesday, the Agency for Healthcare Research and Quality <a href="http://journal.ahima.org/2009/08/19/early-notice-on-cer-funding/" target="_blank">announced</a> it will publish grant and contract solicitations for comparative effectiveness research this fall. ARRA appropriated $300 million for the program.</p>
]]></content:encoded>
			<wfw:commentRss>http://journal.ahima.org/2009/08/20/arra-updates%e2%80%94week-of-august-16/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Early Notice on CER Funding</title>
		<link>http://journal.ahima.org/2009/08/19/early-notice-on-cer-funding/</link>
		<comments>http://journal.ahima.org/2009/08/19/early-notice-on-cer-funding/#comments</comments>
		<pubDate>Wed, 19 Aug 2009 13:10:41 +0000</pubDate>
		<dc:creator>Kevin Heubusch</dc:creator>
				<category><![CDATA[ARRA]]></category>

		<guid isPermaLink="false">http://journal.ahima.org/?p=915</guid>
		<description><![CDATA[The Agency for Healthcare Research and Quality will publish grant and contract solicitations for comparative effectiveness research in the fall, according to a notice in today’s Federal Register. AHRQ has $300 million appropriated through the American Recovery and Reinvestment Act to support such research.
The ARRA funding will focus initially on 14 priority conditions established by [...]]]></description>
			<content:encoded><![CDATA[<p>The Agency for Healthcare Research and Quality will publish grant and contract solicitations for comparative effectiveness research in the fall, according to a <a href="http://edocket.access.gpo.gov/2009/pdf/E9-19758.pdf" target="_blank">notice</a> in today’s <em>Federal Register</em>. AHRQ has $300 million appropriated through the American Recovery and Reinvestment Act to support such research.</p>
<p>The ARRA funding will focus initially on <a href="http://effectivehealthcare.ahrq.gov/aboutUs.cfm?abouttype=program#Conditions" target="_blank">14 priority conditions</a> established by Health and Human Services under the Medicare Prescription Drug, Improvement, and Modernization Act of 2003, according to the notice.</p>
<p>Since 2005 AHRQ has focused its CER efforts through the Effective Health Care Program, which was authorized under the Medicare Prescription Drug, Improvement, and Modernization Act. The program provides “systematic reviews and develops other translational information and tools designed to inform health care decision making,” according to AHRQ, and “advances the methodology of [CER] and provides training grants to enhance the pool of researchers who can perform CER.”</p>
<p>Funding will begin in spring 2010. The solicitations will be published in the <a href="http://grants.nih.gov/grants/guide/index.html">NIH Guide for Grants and Contracts</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://journal.ahima.org/2009/08/19/early-notice-on-cer-funding/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>ARRA Privacy Provisions Present IT Challenges</title>
		<link>http://journal.ahima.org/2009/08/01/arra-privacy-provisions-present-it-challenges/</link>
		<comments>http://journal.ahima.org/2009/08/01/arra-privacy-provisions-present-it-challenges/#comments</comments>
		<pubDate>Sat, 01 Aug 2009 13:03:47 +0000</pubDate>
		<dc:creator>Kevin Heubusch</dc:creator>
				<category><![CDATA[ARRA]]></category>
		<category><![CDATA[Electronic records]]></category>
		<category><![CDATA[Privacy and security]]></category>

		<guid isPermaLink="false">http://journal.ahima.org/?p=883</guid>
		<description><![CDATA[In the August print issue, Journal writer Chris Dimick describes the challenges California healthcare organizations face in determining their responsibilities under tough new state law on health data breach notification and even newer federal law created by ARRA.
The breach notification requirement is not the only ARRA privacy provision shaking up healthcare organizations in California and [...]]]></description>
			<content:encoded><![CDATA[<p>In the August print issue, Journal writer Chris Dimick <a href="http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_044376.hcsp?dDocName=bok1_044376" target="_blank">describes the challenges</a> California healthcare organizations face in determining their responsibilities under tough new state law on health data breach notification and even newer federal law created by ARRA.</p>
<p>The breach notification requirement is not the only ARRA privacy provision shaking up healthcare organizations in California and across the country. It is just the most pressing—final rules appear this month, and organizations must be compliant within 30 days.</p>
<p>Three additional ARRA provisions around privacy and transparency have providers and vendors buzzing, because current electronic record systems cannot meet the requirements.</p>
<p>In many ways, the three provisions describe what EHR systems should be able to do, not what they can do. In the coming months it is up to the federal government to fill in the details. In the coming months and years, it will be up to providers and vendors to adapt and create systems that meet them.</p>
<p>Dimick’s conversations with privacy experts in California continue below, expanding to new provisions on accounting for disclosure, suppressing disclosure of treatment for services paid out-of-pocket, and providing electronic copies of electronic records.</p>
<p>* * *</p>
<h5>Accounting for Disclosure</h5>
<p>HIM professionals and others are concerned with ARRA’s new accounting for disclosures provision, which requires healthcare facilities using EHRs to provide an accounting or audit trail of all record disclosures. This represents a major change from the current HIPAA laws, which exempt disclosures for treatment purposes and routine healthcare operations. Most state laws do not address accounting for disclosures, and they rely on HIPAA to set the rules.<br />
<span id="more-883"></span></p>
<p>ARRA did not detail the exact content of the disclosures. The Department of Health and Human Services must deliver those requirements this month, advised by a federally appointed policy committee. Once HHS defines the required content, a second advisory committee will recommend the technical standards to enable the disclosures by the end of this year. By June 2010, HHS must promulgate the final rule on disclosures.</p>
<p>Providers are concerned that it is not technically possible to track every access to every patient record. Some feel such accounting would slow down access to records, time that could be spent treating a patient.</p>
<p>“It is very, very tough [technologically],” says Cassi Birnbaum, director of health information and privacy officer at Rady Children’s Hospital of San Diego. “We can require that everyone does a quick disclosure whenever they are handing information out to somebody outside of the organization. But when you are disclosing information to another clinician, that would be so disruptive to patient care.”</p>
<p>When disclosing information for treatment, HIM professionals will now have to also mind the “minimum necessary” provisions of HIPAA—which state that only the information necessary for an action to be carried out can be disclosed. Organizations have struggled with determining “minimum” since the day the HIPAA rule took effect. HHS is currently compiling guidance on what constitutes the minimum necessary for treatment disclosures in anticipation of the new provisions.</p>
<p>But privacy advocates like Deven McGraw, director of the Health Privacy Project at the Center for Democracy and Technology in Washington, DC, keep the end goal in sight. McGraw, who serves on the advisory committee developing disclosure policy recommendations, feels that patients have a basic right to know who is accessing their medical records.</p>
<p>Gerry Hinkley, a healthcare lawyer and partner with Davis Wright Tremaine LLP, based in San Francisco, agrees. The provision helps give possession of a patient’s health record back to the patient, he says. “If your caregiver shares the information with somebody else, really for any purpose, it is your information and you should know to whom and when.”</p>
<p>The ARRA legislation may have underestimated the wide variance in today&#8217;s EHR systems, but legislators did recognize that most existing systems cannot meet the accounting of disclosures rule today. Organizations using EHR systems purchased before January 1, 2009, have until January 2014 to comply with the provision.</p>
<p>Purchasers of new systems are under a much tighter deadline. Healthcare entities that purchase a system after January 1 of this year must be compliant with the new provision as of January 1, 2011. Therefore, organizations currently in the market for an EHR should discuss the provision thoroughly with vendors.</p>
<h5>Out-of-Pocket Costs</h5>
<p>A separate ARRA provision gives patients the right to prevent the disclosure of health data to their health insurance plans if they paid for the treatment out of their own pockets. Complying with this request will require separating out records generated from treatment that was paid personally by the patient, a technically difficult task in the EHR. Previous state and federal law have not set these requirements, buyers never requested the functionality, and vendors have not incorporated it in their systems.</p>
<p>When payers evaluate a claim, typically they request the entire medical record to determine if the treatment was medically necessary, McGraw says. The ARRA provision comes out of some patients’ fears that insurance providers could use certain medical information to modify coverage. The segregated records most likely would be mental health records from psychotherapy sessions, or certain reproductive health services not covered by most insurance.</p>
<p>In addition to the technical challenges, the law raises administrative questions. Organizations will require policies establishing who can and cannot access segregated information. If files are masked from payers, the EHR would have to unmask information when it is needed for treatment.</p>
<p>Ideally, McGraw says, you don’t want to resort to keeping separate systems.</p>
<p>While this segregation of records is both technically and administratively challenging, Hinkley believes actual requests for this type of action will be uncommon. Usually when patients receive treatment they want their health insurance to pay for it, he notes.</p>
<h5>Electronic Copies of Electronic Records</h5>
<p>The limitations of current technology also complicate an ARRA provision that requires providers to give patients electronic copies of their electronic health records upon request. State law varies on this requirement, with most states, including California, defaulting to HIPAA regulations. Under HIPAA, providers are required to give a copy of a patient’s record in the format requested, but only if documents are “readily producible” in that format.</p>
<p>But ARRA removes the “readily producible” language and outright requires any facility using an EHR to provide an electronic copy of a patient’s health record. Many current EHR systems cannot directly produce an electronic copy of a record by burning it onto a disk or downloading it to a memory stick, Birnbaum says.</p>
<p>“There isn’t an exception for entities that have older legacy systems where you can’t produce an electronic copy,” McGraw notes. “There is no grandfather clause, no easing in.”</p>
<p>HIM professionals have already encountered this wrinkle at the state level. In Illinois, <a href="http://journal.ahima.org/2008/10/20/reducing-the-copy-fee-for-electronic-records/" target="_blank">a bill</a> proposing that patient information stored electronically must be produced electronically for release of information requests was amended after state healthcare associations argued that most current EHR systems were incapable of meeting the requirement. The subsequent law requires that a facility unable to produce its electronic documents in an electronic format as requested must send a letter to the requestor explaining why it cannot fulfill the request.</p>
<p>Again, entities shopping for EHR systems must discuss the requirement with vendors to ensure they will be compliant with the law. Birnbaum notes that the provision creates an opportunity for vendors and third-party developers to create add-ons that enable systems to reproduce records electronically.</p>
]]></content:encoded>
			<wfw:commentRss>http://journal.ahima.org/2009/08/01/arra-privacy-provisions-present-it-challenges/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Fed Announces $125 Million for Healthcare Training</title>
		<link>http://journal.ahima.org/2009/07/24/fed-announces-125-million-for-healthcare-training/</link>
		<comments>http://journal.ahima.org/2009/07/24/fed-announces-125-million-for-healthcare-training/#comments</comments>
		<pubDate>Fri, 24 Jul 2009 16:42:29 +0000</pubDate>
		<dc:creator>Kevin Heubusch</dc:creator>
				<category><![CDATA[ARRA]]></category>
		<category><![CDATA[Workforce]]></category>

		<guid isPermaLink="false">http://journal.ahima.org/?p=844</guid>
		<description><![CDATA[The Department of Labor announced $125 million in funding for projects that train workers to pursue careers in healthcare. The department&#8217;s Employment and Training Administration (ETA) has requested proposals to spend it, due October 5.
The funding is part of $220 million appropriated by ARRA, the American Recovery and Reinvestment Act, to train workers for employment [...]]]></description>
			<content:encoded><![CDATA[<p>The Department of Labor announced $125 million in funding for projects that train workers to pursue careers in healthcare. The department&#8217;s Employment and Training Administration (ETA) has requested proposals to spend it, due October 5.</p>
<p>The funding is part of $220 million appropriated by ARRA, the American Recovery and Reinvestment Act, to train workers for employment in high-growth and emerging industry sectors. The request for grant applications appeared in the July 22, 2009, issue of the <em><a href="http://edocket.access.gpo.gov/2009/pdf/E9-17416.pdf" target="_blank">Federal Register</a></em>.</p>
<p>ETA expects to fund 45 to 65 grants ranging from approximately $2 to $5 million. The period of grant performance will be up to 36 months.<span id="more-844"></span></p>
<p>The request for proposals makes special mention of the health information technology field, which it defines as the &#8220;juncture of information management, medical practice, and the complex business of healthcare delivery. HIT leverages information management training and resources to improve quality and efficiency standards in the health care industry.”</p>
<p>Changes in the field, it notes, “will require new and updated skill sets for a range of clinical occupations (including nursing and allied health professionals), medical record technicians, coders, health information technicians, and other health information technology professionals&#8230;”</p>
<p>To promote quality training, career mobility, and rapid implementation, ETA strongly encourages applicants to use existing curricula and industry-recognized certificates or degrees.</p>
<p>Public entities or private nonprofit entities are eligible, and they must demonstrate that their proposed projects will be implemented by a &#8220;robust strategic partnership.&#8221; Required partners must include at least one entity from each of the following three categories: the public workforce investment system, public and private employers and industry-related organizations, and the education and training community.</p>
]]></content:encoded>
			<wfw:commentRss>http://journal.ahima.org/2009/07/24/fed-announces-125-million-for-healthcare-training/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>
