Congressional Members Concerned About HHS Inclusion of "Harm Standard" In Breach Notification Rule

Monday, 5 October 2009
Members of the U.S. House of Representatives submitted an October 1, 2009 letter of concern to Secretary Sebelius and the Department of Health and Human Services (HHS) concerning inclusion of a "harm standard" in the recently released (August 24, 2009) Interim Final Rule - Breach Notification for Unsecured Protected Health Information (45 CFR Parts 160 and 164) 74 Fed. Reg. 42740.

HHS in developing the Interim Final Rule interpreted the term "compromises" as meaning that a threshold substantial harm standard should be included when determining whether a breach of data has occurred. However, the Members indicate in their letter that they considered whether a "harm standard" should be a part of the legislation and decided not to include such a standard. The letter urges HHS to revise and repeal the harm standard provisions included in the Interim Final Rule.

The letter was submitted by Rep. Henry Waxman, Rep. Charles Rangel, Rep. John Dingell, Rep. Frank Pallone, Jr., Rep. Pete Stark and Rep. Joe Barton.

Tip to Alan Goldberg, health care attorney and American Health Lawyer Association HIT Listserve Moderator, who posted a copy of the letter.

ARRA - HITECH: Health Care Information Breach Notification Regulations Now In Effect

Have you had a health data security breach? Do you know what a health data breach is? Are you required to notify individuals impacted by the breach? Do you have to notify federal agencies of such a breach?

Read on for more information regarding the Office for Civil Rights (OCR) and Federal Trade Commission (FTC) regulations requiring health care providers and other health data business vendors to assess, and in some cases notify and report, health information data breaches under the new federal law created by ARRA-HITECH.

The new regulations went into effect on September 23, 2009 and September 24, 2009, respectively, with a full compliance date of February 22, 2010. Health care providers covered under HIPAA and third party users of health information, including personal health record (PHR) companies and vendors, PHR related entities, health 2.0 companies and other third party health data service providers, should examine the regulations and understand the impact on their business.

The regulations require entities to develop internal compliance processes to act upon and advise individuals of data breaches that pose a significant risk of financial, reputational or other harm to the affected individual. The OCR regulations apply mainly to covered entities and business associates under HIPAA and the FTC regulations apply mainly to PHR vendors and PHR related entities. The regulations define a "breach" and set forth the time frames and scope of notification required. The regulations require the tracking and reporting of such data breaches to OCR and FTC. Also, OCR has published separate guidance specifying the technology and methods that will render health information unusable, unreadable and undecipherable as defined under ARRA-HITECH.

OCR has provided a summary of the breach notification rule on its website. OCR has also published instructions for reporting breaches to the HHS Secretary. The instructions include details for reporting "Breaches Affecting 500 or More Individuals" and "Breaches Affecting Fewer than 500 Individuals." OCR will also maintain a list of reported breaches that impact 500 or more individuals. The FTC also has a section on its website providing information on its health breach notification rule.

Below are links to the full regulation text:
  • OCR Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification Requirements Under Section 13402 of Title XIII (Health Information Technology for Economic and Clinical Health Act) of the American Recovery and Reinvestment Act of 2009; Request for Information 74 Fed. Reg. 19006 (April 27, 2009).
  • Federal Trade Commission: Health Breach Notification Rule: Final Rule -- Issued Pursuant to the American Recovery and Reinvestment Act of 2009 -- Requiring Vendors of Personal Health Records and Related Entities To Notify Consumers When the Security of Their Individually Identifiable Health Information Has Been Breached (16 CFR Part 318) 74 Fed. Reg. 42962 (Aug 25, 2009). The FTC has also issued a Breach Notification Form.

UPDATE (July 29, 2010):

Today the OCR/HHS issued a statement that the OCR Interim Final Rule listed above and published on August 24, 2010, is being withdrawn from the Office of Management and Budget (OMB). The full notice published on the OCR website states:

Breach Notification Final Rule Update

The Interim Final Rule for Breach Notification for Unsecured Protected Health Information, issued pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act, was published in the Federal Register on August 24, 2009, and became effective on September 23, 2009. During the 60-day public comment period on the Interim Final Rule, HHS received approximately 120 comments.

HHS reviewed the public comment on the interim rule and developed a final rule, which was submitted to the Office of Management and Budget (OMB) for Executive Order 12866 regulatory review on May 14, 2010. At this time, however, HHS is withdrawing the breach notification final rule from OMB review to allow for further consideration, given the Department’s experience to date in administering the regulations. This is a complex issue and the Administration is committed to ensuring that individuals’ health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur. We intend to publish a final rule in the Federal Register in the coming months.
    Create WV Conference 2009: A personal invitation to attend . . .

    Tuesday, 22 September 2009
    Over the last few years I have been involved in Create West Virginia, an organization affiliated with Vision Shared whose mission is to create and stimulate new economy growth and empower West Virginians to grow creative communities in West Virginia: communities centered on innovation, technology, entrepreneurship, education, quality of life and arts/culture.

    Each year Create WV holds an annual conference. The first annual conference was held in 2007 and attracted approximately 250 attendees. Last year’s event was held at Snowshoe Resort and attracted 395 attendees. This year’s Create West Virginia 2009 Conference is set for October 18-20 in Huntington, WV at the Big Sandy Arena.

    I want to personally invite you to attend the Create West Virginia Conference 2009. Check out the keynote speakers and sessions.

    A special attraction this year will be a live Mountain Stage performance on Sunday evening at the Keith Albee Theater featuring West Virginia native, Kathy Mattea, and The Songcatchers, The Ahs, Shannon Whitworth and Or, The Whale.

    Click here for more information about the conference including how to register.

    Feel free to forward a link of this invitation to others who you think might be interested in attending the conference.

    West Virginia's Statewide Health Information Technology Strategic Plan

    Thursday, 10 September 2009
    Over the past several months I have been involved with a group in developing West Virginia's statewide strategic plan for health information technology.

    The final draft of the West Virginia Health Information Technology Statewide Strategic Plan, September 2009 is now available for review and comment. Additional comments and feedback on the strategic plan are welcome.

    The strategic plan is a part of West Virginia's efforts to position itself as a national leader in implementing and adopting health information technology to improve our health care system. The strategic plan will be a part of the state's efforts to submit applications to the Office of the National Coordinator for Health Information Technology (ONC) for funding under the State Health Information Exchange Cooperative Agreement Program and the Health Information Technology Extension Program: Regional Centers Cooperative Agreement Program, both programs developed under the American Recovery and Reinvestment Act of 2009, Title XIII - Health Information Technology, Subtitle B.

    The project has been led by the Adoption of Health Information Technology Workgroup under the West Virginia Health Improvement Institute. Both private and public stakeholders from across West Virginia have collaborated and provided input into the development of the strategic plan.

    Mandatory Reading Before President Obama's Speech Tonight On Health Care

    Wednesday, 9 September 2009
    This morning I finally got around to reading the article by David Goldhill, CEO of the Game Show Network, in the Atlantic. How American Health Care Killed My Father is a thought provoking look at the failure of our current health care system.

    On the eve of President Obama's speech to Congress on health care, I hope he and his advisors have taken time to read the article. The article eloquently highlights much of what I have come to believe over the last few years is missing from health care. It is time to step back from the existing complex system, refocus on the health consumer and make fundamental changes to the existing system. Incremental change treating the symptoms and not the underlying disease will only solidify the current "insurance based, employment centered, administratively complex" system now in place.

    There are too many great thoughts in this article to quote them all here -- so go read the full commentary.

    Some of the quotes that caught my attention:
    . . . Why, in other words, has this technologically advanced hospital missed out on the revolution in quality control and customer service that has swept all other consumer-facing industries in the past two generations? . . .

    . . . All of the actors in health care—from doctors to insurers to pharmaceutical companies—work in a heavily regulated, massively subsidized industry full of structural distortions. They all want to serve patients well. But they also all behave rationally in response to the economic incentives those distortions create . . .

    . . . Accidentally, but relentlessly, America has built a health-care system with incentives that inexorably generate terrible and perverse results. Incentives that emphasize health care over any other aspect of health and well-being. That emphasize treatment over prevention. That disguise true costs. That favor complexity, and discourage transparent competition based on price or quality. That result in a generational pyramid scheme rather than sustainable financing. And that—most important—remove consumers from our irreplaceable role as the ultimate ensurer of value . . .

    . . . But health insurance is different from every other type of insurance. Health insurance is the primary payment mechanism not just for expenses that are unexpected and large, but for nearly all health-care expenses. We’ve become so used to health insurance that we don’t realize how absurd that is. We can’t imagine paying for gas with our auto-insurance policy, or for our electric bills with our homeowners insurance, but we all assume that our regular checkups and dental cleanings will be covered at least partially by insurance. Most pregnancies are planned, and deliveries are predictable many months in advance, yet they’re financed the same way we finance fixing a car after a wreck—through an insurance claim . . .

    . . . My dry cleaner uses a more elaborate system to track shirts than this hospital used to track treatment . . .

    . . . But my father was not the customer; Medicare was . . . Of course, one area of health-related IT has received substantial investment—billing. So much for the argument, often made, that privacy concerns or a lack of agreed-upon standards has prevented the development of clinical IT or electronic medical records; presumably, if lack of privacy or standards had hampered the digitization of health records, it also would have prevented the digitization of the accompanying bills . . . In case you wonder who a care provider’s real customer is, try reading one of these bills . . .

    . . . Keeping prices opaque is one way medical institutions seek to avoid competition and thereby keep prices up. And they get away with it in part because so few consumers pay directly for their own care—insurers, Medicare, and Medicaid are basically the whole game. But without transparency on prices—and the related data on measurable outcomes—efforts to give the consumer more control over health care have failed, and always will . . .

    OCR Designates HIPAA Regional Office Privacy Advisors

    Thursday, 20 August 2009
    The Acting Director and Principal Deputy Director for the Office for Civil Rights, Robinsue Frohboese, has designated Office for Civil Rights Regional Managers in each of the HHS Regional Offices to serve as the Regional Office Privacy Advisors. On July 27, 2009, Secretary Sebelius authorized the Director of the Office for Civil Rights to carry out the designation required under the Health Information Technology for Economic and Clinical Health (HITECH) Act (Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (ARRA)).

    The designation of these Regional Office Privacy Advisors was mandated by the ARRA-HITECH provisions under Section 13403(a). The Regional Office Privacy Advisors will offer guidance and education to covered entities, business associates, and individuals on their rights and responsibilities related to the HIPAA Privacy and Security Rules.

    The names, addresses, and contact information for each Regional Manager, together with the States for which each Regional Manager has responsibility, are listed below:

    Region I - Boston (Connecticut, Maine, Massachusetts, New Hampshire, Rhode Island, Vermont)
    Peter Chan, Regional Manager
    Office for Civil Rights
    U.S. Department of Health and Human Services
    Government Center
    J.F. Kennedy Federal Building - Room 1875
    Boston, MA 02203
    Voice Phone (617)565-1340
    FAX (617)565-3809
    TDD (617)565-1343

    Region II - New York (New Jersey, New York, Puerto Rico, Virgin Islands)
    Michael Carter, Regional Manager
    Office for Civil Rights
    U.S. Department of Health and Human Services
    Jacob Javits Federal Building
    26 Federal Plaza - Suite 3312
    New York, NY 10278
    Voice Phone (212)264-3313
    FAX (212)264-3039
    TDD (212)264-2355

    Region III - Philadelphia (Delaware, District of Columbia, Maryland, Pennsylvania, Virginia, West Virginia)
    Paul Cushing, Regional Manager
    Office for Civil Rights
    U.S. Department of Health and Human Services
    150 S. Independence Mall West
    Suite 372, Public Ledger Building
    Philadelphia, PA 19106-9111
    Main Line (215)861-4441
    Hotline (800) 368-1019
    FAX (215)861-4431
    TDD (215)861-4440

    Region IV - Atlanta (Alabama, Florida, Georgia, Kentucky, Mississippi, North Carolina, South Carolina, Tennessee)
    Roosevelt Freeman, Regional Manager
    Office for Civil Rights
    U.S. Department of Health and Human Services
    Atlanta Federal Center, Suite 3B70
    61 Forsyth Street, S.W.
    Atlanta, GA 30303-8909
    Voice Phone (404)562-7886
    FAX (404)562-7881
    TDD (404)331-2867

    Region V - Chicago (Illinois, Indiana, Michigan, Minnesota, Ohio, Wisconsin)
    Valerie Morgan-Alston, Regional Manager
    Office for Civil Rights
    U.S. Department of Health and Human Services
    233 N. Michigan Ave., Suite 240
    Chicago, IL 60601
    Voice Phone (312)886-2359
    FAX (312)886-1807
    TDD (312)353-5693

    Region VI - Dallas (Arkansas, Louisiana, New Mexico, Oklahoma, Texas)
    Ralph Rouse, Regional Manager
    Office for Civil Rights
    U.S. Department of Health and Human Services
    1301 Young Street, Suite 1169
    Dallas, TX 75202
    Voice Phone (214)767-4056
    FAX (214)767-0432
    TDD (214)767-8940

    Region VII - Kansas City (Iowa, Kansas, Missouri, Nebraska)
    Frank Campbell, Regional Manager
    Office for Civil Rights
    U.S. Department of Health and Human Services
    601 East 12th Street - Room 248
    Kansas City, MO 64106
    Voice Phone (816)426-7277
    FAX (816)426-3686
    TDD (816)426-7065

    Region VIII - Denver (Colorado, Montana, North Dakota, South Dakota, Utah, Wyoming)
    Velveta Howell, Regional Manager
    Office for Civil Rights
    U.S. Department of Health and Human Services
    1961 Stout Street -- Room 1426 FOB
    Denver, CO 80294-3538
    Voice Phone (303)844-2024
    FAX (303)844-2025
    TDD (303)844-3439

    Region IX - San Francisco (American Samoa, Arizona, California, Guam, Hawaii, Nevada)
    Michael Kruley, Regional Manager
    Office for Civil Rights
    U.S. Department of Health and Human Services
    90 7th Street, Suite 4-100
    San Francisco, CA 94103
    Voice Phone (415)437-8310
    FAX (415)437-8329
    TDD (415)437-8311

    Region X - Seattle (Alaska, Idaho, Oregon, Washington)
    Linda Yuu Connor, Regional Manager
    Office for Civil Rights
    U.S. Department of Health and Human Services
    2201 Sixth Avenue - M/S: RX-11
    Seattle, WA 98121-1831
    Voice Phone (206)615-2290
    FAX (206)615-2297
    TDD (206)615-2296

    Health Care Reform Explained from Back of the Napkin Blog

    Sunday, 16 August 2009
    Dan Roam at the Back of the Napkin Blog sums up the current health care reform effort in his four-part health care series, Healthcare Napkins All. It is a great back-of-the-napkin summary of health reform (actually insurance reform).

    Thanks to Jay Parkinson MD for the tip.