OCR Launches HIPAA Privacy and Security Audits

This post was written by Brad M. Rostolsky and Nancy E. Bonifant.

To implement the HITECH Act's mandate for the HHS Office for Civil Rights (OCR) to perform HIPAA audits, OCR has just announced that it is piloting a program to perform up to 150 audits of covered entities to assess privacy and security compliance. The pilot phase will include an initial 20 audits between November 2011 and April 2012, with the remaining audits scheduled to conclude by December 2012. In the pilot phase, OCR plans to audit covered individual and organizational providers of health services, health plans, and health care clearinghouses; business associates will be included in future audits. During the pilot, every audit will include a document production and onsite visit, and will result in an audit report. OCR will notify a selected covered entity in writing and request documentation of the covered entity’s privacy and security compliance efforts. The covered entity must comply within 10 business days. OCR expects to notify selected covered entities between 30 and 90 days prior to the anticipated onsite visit. Onsite visits may take between three and 10 business days. After fieldwork is completed, the auditor will provide the covered entity with a draft final report. Selected covered entities will then have 10 business days to review the report and provide written comments to the auditor. The auditor will complete a final audit report within 30 business days after the covered entity’s response and submit it to OCR. Should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to address the problem. Significantly, OCR will not post a listing of audited entities or the findings of an individual audit that clearly identifies the audited entity.

Congressional Health Policy Hearings & Markups

A number of Congressional committees have held hearings recently on health policy issues, including the following:

A number of additional hearings and markups have been scheduled, including:

CMS Proposes Direct Patient Access to Lab Results

On September 14, 2011, the Centers for Medicare & Medicaid Services (CMS) published a proposed rule amending the Clinical Laboratory Improvement Amendments of 1988 (CLIA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rules to give patients (and the patient's representatives) direct access to the patient’s own clinical laboratory test result reports. Specifically, the rule would provide that, upon a patient’s request, the laboratory would be required to provide access to completed test reports that, using the laboratory’s authentication process, can be identified as belonging to that patient. By amending the Privacy Rule, CMS would also preempt contrary state laws governing a patient’s direct access to lab result reports. Comments will be accepted through November 14, 2011, and CMS expects to publish a final rule responding to comments later this year.

Final Federal Health IT Strategic Plan

The HHS Office of the National Coordinator for Health Information Technology (ONC) has released the final “Federal Health IT Strategic Plan.” The plan describes how the government will promote the meaningful use of health information technology (IT); use IT to improve care and population health while reducing costs; protect the privacy and security of electronic health information; empower individuals with access to their electronic health information; and use health IT to improve knowledge about health care across populations.

OIG Reports on the Security of Electronic Patient Health Information

The OIG has released two reports on health information technology (HIT) security issues. The first report is entitled “Nationwide Rollup Review of the Centers for Medicare & Medicaid Services Health Insurance Portability and Accountability Act of 1996 Oversight.” In that review, which involved seven hospital audits, the OIG concluded that CMS’s oversight and enforcement actions were not sufficient to ensure that covered entities effectively implemented the HIPAA Security Rule. Since CMS had limited assurance that controls were protecting electronic protected health information (ePHI), the confidentiality, integrity, and availability of ePHI were at risk. The OIG recommended that the HHS Office for Civil Rights (OCR) continue to conduct compliance reviews to ensure that Security Rule controls are in place and operating as intended to protect ePHI at covered entities. A second OIG review, “Audit of Information Technology Security Included in Health Information Technology Standards,” concluded that the HHS ONC has not adopted HIT standards that include general information security controls (that is, the structure, policies, and procedures that apply to an entity's overall computer operations, ensure the proper operation of information systems, and create a secure environment for application systems and controls). The OIG recommended that ONC (1) address general IT security controls for supporting systems, networks, and infrastructures; (2) provide guidance to the health industry on established general IT security standards and best practices; (3) emphasize to the medical community the importance of general IT security; and (4) coordinate within HHS to add general IT security controls where applicable.

HHS Extends Comment Deadline on Federal Health IT Strategic Plan to May 6, 2011

The HHS Office of the National Coordinator for Health Information Technology (ONC) is extending the public comment period on its “Federal Health IT Strategic Plan: 2011-2015” from April 22 to May 6, 2011. The updated plan describes how the government will promote the meaningful use of health information technology (IT); use IT to improve care and population health while reducing costs; protect the privacy and security of electronic health information; empower individuals with access to their electronic health information; and use health IT to study care delivery and payment systems.

ONC Conference on Personal Health Records

This post was written by Jacqueline B. Penrod.

The ONC will be hosting a free, day-long public roundtable to address the topic of Personal Health Records (PHRs) on December 3, 2010. The roundtable is designed to inform ONC’s Congressionally-mandated report on privacy and security requirements for non-covered entities, with a focus on personal health records and related service providers (Section 13424 of the HITECH Act). In conjunction with the conference, the ONC is seeking comments that particularly address: (i) privacy and security and emerging technologies; (ii) consumer expectations about collection and use of health information; (iii) privacy and security requirements for non-covered entities (such as PHR, mobile technology and social networking); and (iv) any other comments on PHRs and non-covered entities. The public comment period will close on December 10.

HHS Meeting on HITECH Act Psychotherapy Notes/Testing Data Study (Nov. 18)

The Substance Abuse and Mental Health Services Administration (SAMHSA) is conducting a study on “Confidentiality and Privacy Issues Related to Psychological Testing Data,” pursuant to section 13424 of the Health Information Technology for Economic and Clinical Health (HITECH) Act (a component of the American Recovery and Reinvestment Act). The study will address whether the HIPAA Privacy Rule’s special protections relating to the use and disclosure of psychotherapy notes also should be applied to “test data that is related to direct responses, scores, items, forms, protocols, manuals or other materials that are part of a mental health evaluation.” As part of this study, SAMHSA is hosting a public meeting on November 18, 2010 in Los Angeles, California to bring together mental health and privacy protection professionals to discuss current practices and the policy implications surrounding this issue. Registration is required.

ONC Conference on Personal Health Records (Dec. 3, 2010)

This post was written by Jacqueline B. Penrod.

The Office of the National Coordinator for Health Information Technology (ONC) will be hosting a free day-long public roundtable to address the topic of Personal Health Records on December 3, 2010. The roundtable is designed to inform ONC’s Congressionally-mandated report on privacy and security requirements for non-Covered Entities, with a focus on personal health records and related service providers (Section 13424 of the HITECH Act). Information about how to register for the roundtable will be available in October.

Final Health Information Breach Notification Rule Withdrawn from OMB

The Department of Health and Human Services (HHS) has announced that it is withdrawing from Office of Management and Budget (OMB) consideration its final rule intended to govern breach notifications involving unsecured protected health information. HHS states that it intends to publish a final rule “in the coming months.” An interim final rule on this topic has been in effect since September 23, 2009.

New HITECH/HIPAA Proposed Rule Released

This post was written by Brad Rostolsky.

On July 8, 2010, the HHS released its proposed rule modifying the HIPAA Privacy, Security, and Enforcement Rules to implement the privacy, security, and certain enforcement provisions of the Health Information Technology for Economic and Clinical Health Act, included in the American Recovery and Reinvestment Act of 2009 (ARRA). The proposed modifications to the HIPAA Rules include provisions: extending the applicability of certain of the Privacy and Security Rules’ requirements to business associates of covered entities, establishing new limits on the use and disclosure of protected health information for marketing and fundraising purposes, prohibiting the sale of protected health information, and expanding individuals’ rights to access their information and to obtain restrictions on certain disclosures of protected health information to health plans. In addition, the proposed rule strengthens and expands HIPAA’s enforcement provisions. Importantly, HHS has stated that the new HIPAA regulations will not be enforced until 180 days after the final rule has become effective. Comments are due 60 days after publication. The official version will be published July 14, 2010.

HHS Requests Information to Inform Rulemaking for Revised HIPAA Accounting Requirements

This post was written by Jacqueline B. Penrod.

On April 26, 2010, HHS published a Request for Information (RFI) relating to the accounting of disclosures under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) as expanded by the provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act. The new provisions expanded individual rights to receive an accounting of disclosures of their protected health information to include disclosures to carry out treatment, payment, and health care operations if the disclosure is through an electronic health record. The purpose of the RFI is to better understand (i) the interests of persons with respect to learning of disclosures; (ii) the administrative burden on covered entities and business associates of performing the accounting; and (iii) any other information that may inform rulemaking in this area. It sets forth nine specific questions for respondents to consider. Comments must be submitted by May 18, 2010.

Enforcement of HITECH Business Associate Requirement

The HHS Office for Civil Rights (OCR) has indicated that the agency will be delaying enforcement of the HITECH Act provisions under which Business Associates are required to directly comply with the HIPAA Privacy and Security Rules. Although the statutory compliance date for the Business Associate requirement is February 17, 2010, Adam Greene, an OCR attorney, "unofficially" indicated in a recent speech that HHS will be exercising its enforcement discretion to not enforce the new provision until after a proposed and final rule on this subject have been promulgated.

Entities Reporting Breaches of Protected Health Information

The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the ARRA, requires covered entities to report to HHS within 60 days of discovery any breaches of protected health information that affect 500 or more individuals. The HHS Office for Civil Rights (OCR) has posted a list of covered entities that have reported such breaches of protected health information, and OCR will continue to update the list as it receives new reports.

GAO Report on Electronic Personal Health Information Exchange

The Government Accountability Office (GAO) has issued a report entitled "Electronic Personal Health Information Exchange: Health Care Entities' Reported Disclosure Practices and Effects on Quality of Care." The report, which was required by the HITECH Act, reviews practices implemented by health information exchange organizations, providers, and other health care entities that disclose electronic personal health information, based on case studies of operational health information exchanges and a selection of each of the exchanges’ participating providers. The health care entities reported that they implement widely-accepted practices for safeguarding personal information to help ensure the appropriate use and disclosure of electronic personal health information for treatment purposes. In addition, both the exchanges and providers reported examples of ways that sharing electronic personal health information has had a positive effect on the quality of care that providers deliver to patients.

Workshop on HIPAA Privacy Rule's De-Identification Standard (March 8-9, 2010)

HHS is hosting a workshop on March 8 and 9, 2010 on methods for de-identification of protected health information (PHI) as designated in the HIPAA Privacy Rule. The meeting is designed to bring together experts with practical technical and policy experience to inform the creation of guidance materials on de-identification approaches.

American Recovery and Reinvestment Act -- Health Information Privacy/Incentives, Medicaid Funding & Other Health Provisions

This post was written by Karl A. Thallner, Jr., Carol C. Loepere, Debra A. McCurdy, Brad M. Rostolsky, Jacqueline B. Penrod, and Amie E. Schaadt.

On February 17, 2009, President Obama signed into law H.R. 1, the American Recovery and Reinvestment Act (the “ARRA”). The sweeping $790 billion economic stimulus package includes a number of health care policy provisions. Reed Smith's Health Care Memorandum summarizes the major health policy provisions of the Act.