HHS Releases Breach Notification Rule

Last week the industry got an early look at the Department of Health and Human Services’ much-anticipated data breach notification rule. Today the rule was published in the Federal Register, making it official. The rule takes effect September 23, 2009.

“Breach Notification for Unsecured Protected Health Information” applies to all HIPAA-covered entities and HIPAA-related business associates. A separate rule is expected any day from the Federal Trade Commission, which will cover non-HIPAA related entities such as vendors of personal health records. Both rules stem from the American Recovery and Reinvestment Act. FTC released a preliminary version of its rule last week, also.

The rule defines a breach; suggests how an entity might investigate a potential breach; and establishes the steps the entity must follow should it determine that a breach has occurred.

A verified breach requires notification of the affected individuals without unreasonable delay and within 60 days of the breach’s discovery, the time frame originally specified in ARRA. Few of the 44 state breach notification laws specify a time period. California requires notification within 5 days; Florida within 45 days.

HHS, and possibly the media, must also be notified. Entities must notify HHS immediately of any breach involving 500 or more individuals; they may log smaller breaches and report them annually. Breaches of more than 500 individuals must also be reported to “prominent” media outlets in the state or jurisdiction within the same time frame as the notification to individuals.

HHS declined to further define a “prominent” media outlet, despite requests received in comments. It notes that the term is relative to the market.

Funding Deadlines for Health IT Extension Centers

Update, September 2: HHS has posted new and revised program materials online: a transcript of its August 27 technical assistance conference, an FAQ, and a revised preliminary application template.

The first applications from aspiring health IT resource centers are due in two weeks—September 8. The Office of the National Coordinator for Health Information Technology will award grants in two additional cycles with initial deadlines in December and June. ONC announced the deadlines in a press event last week.

Program details and the full application schedule appear in the funding opportunity announcement on the Health and Human Services health IT Web site. Applications will be screened in two phases. Successful preliminary applicants will be requested to submit a full application for merit review.

| Initial Cycle | Approx. Funding | Preliminary Application | Preliminary Approval | Full Applications | Awardee Selection |
|---|---|---|---|---|---|
| 1 | $189,000,000 | September 8, 2009 | September 29, 2009 | November 3, 2009 | December 11, 2009 |
| 2 | $225,000,000 | December 22, 2009 | January 19, 2010 | March 2, 2010 | April 27, 2010 |
| 3 | $184,000,000 | June 1, 2010 | June 22, 2010 | August 3, 2010 | September 28, 2010 |


ARRA Updates—Week of August 16

A flurry of ARRA-related activity this week, in part driven by some August 18 deadlines for the data breach notification provisions.

The Federal Trade Commission and the Department of Health and Human Services both have final breach notification rules in hand, though neither has been published in the Federal Register. Publication is expected in the coming days, possibly as soon as tomorrow.

The HHS regulations apply to covered entities under HIPAA. The FTC rule addresses noncovered entities, in particular, vendors of personal health records.

Both rules stick close to the programs as described in ARRA. In time FTC is expected to turn over its responsibilities to HHS, but until then the industry will have to navigate both regulations. (Look for full analysis once the rules are published.)

HHS had a second deadline this week to issue final guidance on securing protected health information. The guidance relates to the data breach regulations, specifying the methods that render PHI unusable, unreadable, or indecipherable to unauthorized individuals. HHS issued a proposed rule in April, with final guidance to come.

Early Notice on CER Funding

The Agency for Healthcare Research and Quality will publish grant and contract solicitations for comparative effectiveness research in the fall, according to a notice in today’s Federal Register. AHRQ has $300 million appropriated through the American Recovery and Reinvestment Act to support such research.

The ARRA funding will focus initially on 14 priority conditions established by Health and Human Services under the Medicare Prescription Drug, Improvement, and Modernization Act of 2003, according to the notice.

Since 2005 AHRQ has focused its CER efforts through the Effective Health Care Program, which was authorized under the Medicare Prescription Drug, Improvement, and Modernization Act. The program provides “systematic reviews and develops other translational information and tools designed to inform health care decision making,” according to AHRQ, and “advances the methodology of [CER] and provides training grants to enhance the pool of researchers who can perform CER.”

Funding will begin in spring 2010. The solicitations will be published in the NIH Guide for Grants and Contracts.

Who Has Rights to a Deceased Patient’s Records?

A son calls the HIM department and requests his deceased father’s medical records. Shortly afterward, the man’s wife requests the records, also. Then a man calls identifying himself as the executor of the estate. Who is authorized to access the records?

Determining appropriate release of a deceased patient’s medical records can be complex. HIPAA, sometimes blamed for denied requests, is rarely cause for a roadblock, however. The federal law does extend a person’s privacy rights into death, but it also explicitly requires facilities to release records to authorized individuals.

The complications typically come when a patient dies without having named a personal representative. In those instances, HIPAA defers to state law to determine access rights.

Though most state laws are sufficiently clear, the hierarchy may be complex, and some situations will still require judgment calls. Facility staff who are unclear on the law may err on the side of caution and refuse access rather than risk violating privacy laws. On the other extreme, they may release records without requesting proper verification or release them rather than upset or anger the requestor.

The best practice, experts say, is to gain knowledge of the law, share it, and request that patients identify their personal representatives during the admission process.

ARRA Privacy Provisions Present IT Challenges

In the August print issue, Journal writer Chris Dimick describes the challenges California healthcare organizations face in determining their responsibilities under a tough new state law on health data breach notification and an even newer federal law created by ARRA.

The breach notification requirement is not the only ARRA privacy provision shaking up healthcare organizations in California and across the country. It is just the most pressing—final rules appear this month, and organizations must be compliant within 30 days.

Three additional ARRA provisions around privacy and transparency have providers and vendors buzzing, because current electronic record systems cannot meet the requirements.

In many ways, the three provisions describe what EHR systems should be able to do, not what they can do. In the coming months it is up to the federal government to fill in the details. In the coming months and years, it will be up to providers and vendors to adapt and create systems that meet them.

Dimick’s conversations with privacy experts in California continue below, expanding to new provisions on accounting for disclosure, suppressing disclosure of treatment for services paid out-of-pocket, and providing electronic copies of electronic records.

* * *

Accounting for Disclosure

HIM professionals and others are concerned with ARRA’s new accounting for disclosures provision, which requires healthcare facilities using EHRs to provide an accounting or audit trail of all record disclosures. This represents a major change from the current HIPAA laws, which exempt disclosures for treatment purposes and routine healthcare operations. Most state laws do not address accounting for disclosures, and they rely on HIPAA to set the rules.

Journal of AHIMA – August

The August 2009 cover story focuses on assessing physician practice readiness for electronic health records. Other features report on what physicians need to do to prepare for the transition to ICD-10-CM/PCS, how to make denials management a part of a practice’s daily work, the fundamentals for rapidly implementing an EHR, and how California healthcare facilities are faring under the state’s new privacy breach laws.

New Delay for the Red Flags Rule

The Federal Trade Commission announced today that it will further delay enforcement of the Red Flags Rule. Organizations now have until November 1, 2009, to become compliant. The rule was to go into effect Saturday, August 1.

FTC says the delay will allow organizations covered by the rule to further review its educational materials and prepare their compliance plans.

The anti-fraud regulation requires organizations that act as creditors to implement programs to identify, detect, and respond to “red flags” that could indicate identity theft. The final rule was published November 9, 2007, with an original compliance date of November 1, 2008. It has been delayed several times due to a lack of industry readiness and calls for more clarification and assistance in designing compliance plans.

Guidance on RACs

A new AHIMA toolkit helps HIM professionals steer their organizations through the Recovery Audit Contractor (RAC) program.

The “Recovery Audit Contractor (RAC) Toolkit” includes background on the program and an overview of the process, including what entities are eligible to be audited, the basis for the audits, and the type of audits. It also includes appendixes providing: (more…)

Fed Announces $125 Million for Healthcare Training

The Department of Labor announced $125 million in funding for projects that train workers to pursue careers in healthcare. The department’s Employment and Training Administration (ETA) has requested proposals to spend it, due October 5.

The funding is part of $220 million appropriated by ARRA, the American Recovery and Reinvestment Act, to train workers for employment in high-growth and emerging industry sectors. The request for grant applications appeared in the July 22, 2009, issue of the Federal Register.

ETA expects to fund 45 to 65 grants ranging from approximately $2 to $5 million. The period of grant performance will be up to 36 months.
