OCR Update on Issuance of HIPAA HITECH Rulemaking

Update from Office for Civil Rights (OCR) on issuance of the Notice of Proposed Rulemaking (NPRM) implementing changes to HIPAA under the Health Information Technology for Economic and Clinical Health Act (HITECH). Health care organizations and health lawyers have been anxiously awaiting rules implementing and interpreting the changes because the effective date for many of the HITECH requirements was February 17, 2010. Of particular interest has been whether or not health care organizations are required to amend business associate agreement.

The notice seems to indicate that the the date for compliance and enforcement may be delayed since it states that the NPRM "will provide specific information regarding the expected date of compliance and enforcement." However, covered entities and business associates need to weigh the risks of not complying with the new requirements while waiting for further clarification from OCR.

The notice states:

OCR will implement important privacy and security provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act through notice and comment rulemaking, as required by the Administrative Procedure Act. These provisions include: business associate liability; new limitations on the sale of protected health information, marketing, and fundraising communications; and stronger individual rights to access electronic medical records and restrict the disclosure of certain information. OCR continues work on a Notice of Proposed Rulemaking (NPRM) regarding these provisions. Although the effective date (February 17, 2010) for many of these HITECH Act provisions has passed, the NPRM and the final rule that follows will provide specific information regarding the expected date of compliance and enforcement of these new requirements.

However, interim final rules implementing HITECH Act provisions in two areas have already been issued and are currently in effect: enforcement and breach notification. New civil money penalty amounts apply to HIPAA Privacy and Security Rule violations occurring after February 17, 2009. Covered entities and business associates must comply now with breach notification obligations for breaches that are discovered on or after September 23, 2009. OCR announced previously that it would use its enforcement discretion not to impose fiscal sanctions with regard to breaches discovered before February 22, 2010. Since that date has passed, OCR will enforce the Breach Notification Interim Final Rule, including with the possible imposition of sanctions, as it does with the HIPAA Privacy and Security Rule requirements.

WV HIT Funding Under HITECH: WVHIN Gets $7.8M and WV REC gets $6M

Health and Human Services Secretary Sebelius and the National Coordinator for Health Information Technology, David Blumenthal, announced the HITECH funding under the ARRA for State Health Information Exchanges (HIEs) and Regional Extension Center (RECs) across the country.

The White House Press Release provides a detailed list of HIEs and RECs receiving grants. Inormation is also available via the HHS News Release, Sebelius, Solis Announce Nearly $1 Billion Recovery Act Investments in Advancing Use of Health IT, Training Works for Health Jobs of the Future.

West Virginia will receive the following funding:

• West Virginia Department of Health and Human Resources in conjunction with the West Virginia Health Information Network HIE Award: $7,819,000

• West Virginia Health Improvement Institute, Inc. REC ward:$6,000,000

More information about the health information technology programs and awards can be found on the Office of National Coordinator HIT Website.

• State Health Information Exchange Cooperative Agreement Program

• Health Information Technology Extension Program

State Attorney General HIPAA HITECH Enforcement

My health law colleague, David Harlow, covers the news today on the first HIPAA enforcement action taken by a state attorney general under the new HITECH provision of American Recovery and Reinvestment Act of 2009 (ARRA).

David's post, HIPAA enforcement by state attorney general: The shape of things to come, provides a good summary of the announcement by the Connecticut Attorney General. More information via the Connecticut Attorney General press release.

The lawsuit filed by the Connecticut Attorney General Richard Blumenthal (coincidentally brother of David Blumenthal, National Coordinator of Health Information Technology) alleges that a health insurer, Health Net of Connecticut, Inc., failed to promptly notify the AG and other officials of a missing portable computer disk drive that contained unencrypted protected health information, Social Security numbers and bank accounts for approximately 446,000 individuals. The lawsuit also named UnitedHealth Group Inc. and Oxford Health Plans, LLC who acquired ownership of Health Net of Connecticut. The action also seeks a court order against Health Net to encrypt all information held on electronic devices.

Since the early days of HIPAA implementation and compliance there has largely been a lack of real enforcement efforts. The new provisions under HITECH allowing state attorney generals to file HIPAA enforcement actions on behalf of the public bring a new era of enforcement against health care providers who are unfortunate to have a health data breach and fail to properly respond to such breach in a timely manner.

David offers some good advice and takeaway points to health care providers and others who regularly handle health information. It is not enough to have policies and procedures in place but to regularly monitor whether they are being followed. Today's health data is liquid and it can flow in many directions. Providers need to understand where and how data is stored, used and transferred.

CMS and ONC Issue Rules on Proposing a Definition of Meaningful Use and Setting Standards for EHR Incentive Program

Yesterday the Centers for Medicare & Medicare Services (CMS) and the Office of the National Coordinator for Health Information Technology (ONC) issued two regulations laying the foundation for improving quality, efficiency and safety through meaningful use of certified electronic health record (EHR) technology.

The two regulations are part of the implementation of the EHR incentive programs for physicians and hospitals enacted under the HITECH provisions of the American Recovery and Reinvestment Act of 2009 (ARRA). CMS issued a proposed rule outlining the proposed provisions governing the EHR incentive programs, including defining the central concept of “meaningful use” of EHR technology. ONC issued an interim final regulation setting forth the initial standards, implementation specifications, and certification criteria for EHR technology.

For more details see the following CMS Press Release. Also, CMS has issued Fact Sheets on the proposed regulations:

• CMS Proposes Requirements for the Electronic Health Records (EHR) Medicaid Incentive Payment Program
  
• CMS Proposed Requirements for the Electronic Health Records (EHR) Medicare Incentive Program
  
• CMS Proposes Definition of Meaningful Use of Certified Electronic Health Records (EHR) Technology

Below are links to complete copies of the rules. Once they are published in the Federal Register I will update with the specific Fed Reg details. Some light reading for the New Year!

Medicare and Medicaid Programs; Electronic Health Record Incentive Program
AGENCY: Centers for Medicare & Medicaid Services (CMS), HHS.
ACTION: Proposed rule.
SUMMARY: This proposed rule would implement the provisions of the American Recovery and Reinvestment Act of 2009 (ARRA) (Pub. L. 111-5) that provide incentive payments to eligible professionals (EPs) and eligible hospitals participating in Medicare and Medicaid programs that adopt and meaningfully use certified electronic health record (EHR) technology. The proposed rule would specify the-- initial criteria an EP and eligible hospital must meet in order to qualify for the incentive payment; calculation of the incentive payment amounts; payment adjustments under Medicare for covered professional services and inpatient hospital services provided by EPs and eligible hospitals failing to meaningfully use certified EHR technology; and other program participation requirements. Also, as required by ARRA the Office of the National Coordinator for Health Information Technology (ONC) will be issuing a closely related interim final rule that specifies the Secretary’s adoption of an initial set of standards, implementation, specifications, and certification criteria for electronic health records. ONC will also be issuing a notice of proposed rulemaking on the process for organizations to conduct the certification of EHR technology.

Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology
AGENCY: Office of the National Coordinator for Health Information Technology,
Department of Health and Human Services.
ACTION: Interim final rule.
SUMMARY: The Department of Health and Human Services (HHS) is issuing this interim final rule with a request for comments to adopt an initial set of standards, implementation specifications, and certification criteria, as required by section 3004(b)(1) of the Public Health Service Act. This interim final rule represents the first step in an incremental approach to adopting standards, implementation specifications, and certification criteria to enhance the interoperability, functionality, utility, and security of health information technology and to support its meaningful use. The certification criteria adopted in this initial set establish the capabilities and related standards that certified electronic health record (EHR) technology will need to include in order to, at a minimum, support the achievement of the proposed meaningful use Stage 1 (beginning in 2011) by eligible professionals and eligible hospitals under the Medicare and Medicaid EHR Incentive Programs.

HIPAA Enforcement Meets HITECH: HIPAA Administrative Simplification: Enforcement Rule

On October 30, 2009, the Secretary of the Department of Health and Human Services (HHS) issued the HIPAA Administrative Simplification: Enforcement Interim Final Rule, 45 CFR Part 160 (74 Federal Register 56123, October 30, 2009).

This new rule was developed and adopted by HHS to conform the enforcement regulations under HIPAA to the revisions made to HIPAA under the Health Information Technology for Economic and Clinical Health Act (HITECH), which was part of the American Recovery and Reinvestment Act of 2009 (ARRA).

The rule amends the HIPAA enforcement regulations to include the imposition of tiered ranges for civil money penalty amounts based upon an increasing culpability associated with the violation. A full chart of the violation categories and related amounts can be found in the rule.

The interim final rule is effective on November 30, 2009. Comments on the rule can be made prior to December 29, 2009.

Congressional Members Concerned About HHS Inclusion of "Harm Standard" In Breach Notification Rule

Members of the U.S. House of Representative submitted an October 1, 2009 letter of concern to Secretary Sebelius and the Department of Health and Human Services (HHS) concerning inclusion of a "harm standard" in the recently released(August 24, 2009) Interim Final Rule - Breach Notification for Unsecured Protected Health Information (45 CFR Part 160 and 164) 74 Fed. Reg. 42740.

HHS in developing the Interim Final Rule interpreted the term "compromises" as meaning that a threshold substantial harm standard should be included when determining whether a breach of data has occurred. However, the Members indicate in their letter that they considered whether a "harm standard" should be a part of the legislation and decided not to include such a standard. The letter urges HHS to revise and repeal the harm standard provisions included in the Interim Final Rule.

The letter was submitted by Rep. Henry Waxman, Rep. Charles Rangel, Rep. John Dingell, Rep. Frank Pallone, Jr., Rep. Pete Stark and Rep. Joe Barton.

Tip to Alan Goldberg, health care attorney and American Health Lawyer Association HIT Listserve Moderator, who posted a copy of the letter.

ARRA - HITECH: Health Care Information Breach Notification Regulations Now In Effect

Have you had a health data security breach? Do you know what a health data breach is? Are you required to notify individuals impacted by the breach? Do you have to notify federal agencies of such breach?

Read on for more information regarding the Office for Civil Right (OCR) and Federal Trade Commission (FTC) regulations requiring health care providers and other health data business vendors to assess and in some cases notify and report health information data breaches under the new federal law created by ARRA-HITECH.

The new regulations went into effect on September 23, 2009 and September 24, 2009, respectively, with a full compliance date of February 22, 2010. Health care providers covered under HIPAA and third party users of health information, including personal health record (PHR) companies and vendors, PHR related entities, health 2.0 companies and other third party health data service providers, should examine the regulations and understand the impact on their business.

The regulations require entities to develop internal compliance processes to act upon and advise individuals of data breaches that pose a significant risk of financial, reputational or other harm to the affected individual. The OCR regulations apply mainly to covered entities and business associates under HIPAA and the FTC regulations apply mainly to PHR vendors and PHR related entities. The regulations define a "breach" and set forth the time frames and scope of notification required. The regulations require the tracking and reporting of such data breaches to OCR and FTC. Also, OCR has published separate guidance specifying the technology and methods that will render health information unusable, unreadable and undecipherable as defined under ARRA-HITECH.

OCR has provided a summary of the breach notification rule on its website. OCR has also published instructions for reporting breaches to the HHS Secretary. The instructions include details for reporting "Breaches Affecting 500 or More Individuals" and "Breaches Affecting Fewer than 500 Individuals." OCR will also maintain a list of reported breaches that impact 500 or more individuals. The FTC also has a section on its website providing information on its health breach notification rule.

Below are links to the full regulation text:

• OCR Interim Final Rule - Breach Notification for Unsecured Protected Health Information (45 CFR Part 160 and 164) 74 Fed. Reg. 42740 (Aug 24, 2009).
  

• OCR Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification Requirements Under Section 13402 of Title XIII (Health Information Technology for Economic and Clinical Health Act) of the American Recovery and Reinvestment Act of 2009; Request for Information 74 Fed. Reg. 19006 (April 27, 2009).
  

• Federal Trade Commission: Health Breach Notification Rule: Final Rule -- Issued Pursuant to the American Recovery and Reinvestment Act of 2009 -- Requiring Vendors of Personal Health Records and Related Entities To Notify Consumers When the Security of Their Individually Identifiable Health Information Has Been Breached (16 CFR Part 318) 74 Fed. Reg. 42962 (Aug 25, 2009). The FTC has also issued a Breach Notification Form.

UPDATE (July 29, 2010):

Today the OCR/HHS issued a statement that the OCR Interim Final Rule listed above and published on August 24, 2010, is being withdrawn from the Office of Management and Budget (OMB). The full notice published on the OCR website states:

Breach Notification Final Rule Update

The Interim Final Rule for Breach Notification for Unsecured Protected Health Information, issued pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act, was published in the Federal Register on August 24, 2009, and became effective on September 23, 2009. During the 60-day public comment period on the Interim Final Rule, HHS received approximately 120 comments.

HHS reviewed the public comment on the interim rule and developed a final rule, which was submitted to the Office of Management and Budget (OMB) for Executive Order 12866 regulatory review on May 14, 2010. At this time, however, HHS is withdrawing the breach notification final rule from OMB review to allow for further consideration, given the Department’s experience to date in administering the regulations. This is a complex issue and the Administration is committed to ensuring that individuals’ health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur. We intend to publish a final rule in the Federal Register in the coming months.

West Virginia's Statewide Health Information Technology Strategic Plan

Over the past several months I have been involved with a group in developing West Virginia's statewide strategic plan for health information technology.

The final draft of the West Virginia Health Information Technology Statewide Strategic Plan, September 2009 is now available for review and comment. Additional comments and feedback on the strategic plan are welcome.

The strategic plan is a part of West Virginia's efforts to position itself as a national leader in implementing and adopting health information technology to improve our health care system. The strategic plan will be a part of the the state's efforts to submit applications to the Office of the National Coordinator for Health Information Technology (ONC) for funding under the State Health Information Exchange Cooperative Agreement Program and the Health Information Technology Extension Program: Regional Centers Cooperative Agreement Program, both programs developed under the American Recovery and Reinvestment Act of 2009, Title XIII - Health Information Technology, Subtitle B.

The project has been lead by the Adoption of Health Information Technology Workgroup under the West Virginia Health Improvement Institute. Both private and public stakeholders from across West Virginia have collaborated and provided input into the development of the strategic plan.

OCR Designates HIPAA Regional Office Privacy Advisors

The Acting Director and Principal Deputy Director for the Office for Civil Rights, Robinsue Frohboese, has designated Office for Civil Rights Regional Managers in each of the HHS Regional Offices to serve as the Regional Office Privacy Advisors. On July 27, 2009, Secretary Sebelius authorized the Director of the Office for Civil Rights to carry out the designation required under the Health Information Technology for Economic and Clinical Health (HITECH) Act (Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (ARRA).

The designation of these Regional Office Privacy Advisors was mandated by the ARRA-HITECH provisions under Section 13403(a). The Regional Office Privacy Advisors will offer guidance and education to covered entities, business associates, and individuals on their rights and responsibilities related to the HIPAA Privacy and Security Rules

The names, addresses, and contact information for each of the Regional Managers are listed together with a list of the States for which each Regional Manager has responsibility are listed below:

Region I - Boston (Connecticut, Maine, Massachusetts, New Hampshire, Rhode Island, Vermont)
Peter Chan, Regional Manager
Office for Civil Rights
U.S. Department of Health and Human Services
Government Center
J.F. Kennedy Federal Building - Room 1875
Boston, MA 02203
Voice phone(617)565-1340
FAX (617)565-3809
TDD (617)565-1343

Region II - New York (New Jersey, New York, Puerto Rico, Virgin Islands)
Michael Carter, Regional Manager
Office for Civil Rights
U.S. Department of Health and Human Services
Jacob Javits Federal Building
26 Federal Plaza - Suite 3312
New York, NY 10278
Voice Phone (212)264-3313
FAX (212)264-3039
TDD (212)264-2355

Region III - Philadelphia (Delaware, District of Columbia, Maryland, Pennsylvania, Virginia, West Virginia)
Paul Cushing, Regional Manager
Office for Civil Rights
U.S. Department of Health and Human Services
150 S. Independence Mall West
Suite 372, Public Ledger Building
Philadelphia, PA 19106-9111
Main Line (215)861-4441
Hotline (800) 368-1019
FAX (215)861-4431
TDD (215)861-4440

Region IV - Atlanta (Alabama, Florida, Georgia, Kentucky, Mississippi, North Carolina, South Carolina, Tennessee)
Roosevelt Freeman, Regional Manager
Office for Civil Rights
U.S. Department of Health and Human Services
Atlanta Federal Center, Suite 3B70
61 Forsyth Street, S.W.
Atlanta, GA 30303-8909
Voice Phone (404)562-7886
FAX (404)562-7881
TDD (404)331-2867

Region V - Chicago (Illinois, Indiana, Michigan, Minnesota, Ohio, Wisconsin)
Valerie Morgan-Alston, Regional Manager
Office for Civil Rights
U.S. Department of Health and Human Services
233 N. Michigan Ave., Suite 240
Chicago, IL 60601
Voice Phone (312)886-2359
FAX (312)886-1807
TDD (312)353-5693

Region VI - Dallas (Arkansas, Louisiana, New Mexico, Oklahoma, Texas)
Ralph Rouse, Regional Manager
Office for Civil Rights
U.S. Department of Health and Human Services
1301 Young Street, Suite 1169
Dallas, TX 75202
Voice Phone (214)767-4056
FAX (214)767-0432
TDD (214)767-8940

Region VII - Kansas City (Iowa, Kansas, Missouri, Nebraska)
Frank Campbell, Regional Manager
Office for Civil Rights
U.S. Department of Health and Human Services
601 East 12th Street - Room 248
Kansas City, MO 64106
Voice Phone (816)426-7277
FAX (816)426-3686
TDD (816)426-7065

Region VIII - Denver (Colorado, Montana, North Dakota, South Dakota, Utah, Wyoming)
Velveta Howell, Regional Manager
Office for Civil Rights
U.S. Department of Health and Human Services
1961 Stout Street -- Room 1426 FOB
Denver, CO 80294-3538
Voice Phone (303)844-2024
FAX (303)844-2025
TDD (303)844-3439

Region IX - San Francisco (American Samoa, Arizona, California, Guam, Hawaii, Nevada)
Michael Kruley, Regional Manager
Office for Civil Rights
U.S. Department of Health and Human Services
90 7^th Street, Suite 4-100
San Francisco, CA 94103
Voice Phone (415)437-8310
FAX (415)437-8329
TDD (415)437-8311

Region X - Seattle(Alaska, Idaho, Oregon, Washington)
Linda Yuu Connor, Regional Manager
Office for Civil Rights
U.S. Department of Health and Human Services
2201 Sixth Avenue - M/S: RX-11
Seattle, WA 98121-1831
Voice Phone (206)615-2290
FAX (206)615-2297
TDD (206)615-2296

ONC Releases HIT ARRA Implementation Plan

The Office of the National Coordinator for Health Information Technology (ONC) has released an operating plan titled the Health Information Technology American Recovery and Reinvestment Act (ARRA) Implementation Plan.

The operating plan is included on the DHHS Agency Wide Plan page under the "List of Recovery Programs within HHS."

The operating plan outlines immediate actions to meet statutory requirements under the Health Information Technology for Economic and Clinical Health Act (HITECH) provisions of the ARRA. The

The topic headings for the operating plan include:

A. Funding Table
B. Objectives
C-E. Activities, Characteristics and Delivery Schedules
F. Environmental Review Compliance
G. Measures
H. Monitoring/Evaluation
I. Transparency
J. Accountability
K. Barriers to Effective Implementation
L. Federal Infrascructure Investment

Thanks to Jim Tate (@jimtate) and John Chilmark (@john_chilmark) for pointing out the report.

Update On HIT Policy and Standards Committees

Last week the Federal Register (April 29, 2009) contained a Notification of the Establishment of the HIT Policy Committee and HIT Standards Committee. I had previously posted about the creation of these committee and recommended suggested members.

More information will be made available via the "new" Health Information Technology website of the Office of the National Coordinator.

The summary of the notice on establishing the HIT Policy Committee states:

This notice announces the establishment of the HIT Policy Committee. The American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5), section 13101, directs the establishment of the HIT Policy Committee.

The HIT Policy Committee (also referred to as the "Committee'') is charged with recommending to the National Coordinator a policy framework for the development and adoption of a nationwide health information technology infrastructure that permits the electronic exchange and use of health information as is consistent with the Federal Health IT Strategic Plan and that includes recommendations on the areas in which standards, implementation specifications, and certification criteria are needed. The HIT Policy Committee is also charged with recommending to the National Coordinator an order of priority for the development, harmonization, and recognition of such standards, specifications, and certification criteria.

The notice outlines the criteria for members of the HIT Policy Commitee and states that the appointments shall be made in the following manner:

• 1 member shall be appointed by the majority leader of the Senate;
• 1 member shall be appointed by the minority leader of the Senate;
• 1 member shall be appointed by the Speaker of the House of Representatives;
• 1 member shall be appointed by the minority leader of the House of Representatives;
• Such other members as shall be appointed by the President as representatives of other relevant Federal agencies;
• 13 members shall be appointed by the Comptroller General of the United States of whom-
• 3 members shall be advocates for patients or consumers;
• 2 members shall represent health care providers, one of which shall be a physician;
• 1 member shall be from a labor organization representing health care workers;
• 1 member shall have expertise in health information privacy and security;
• 1 member shall have expertise in improving the health of vulnerable populations;
• 1 member shall be from the research community;
• 1 member shall represent health plans or other third-party payers;
• 1 member shall represent information technology vendors;
• 1 member shall represent purchasers or employers; and
• 1 member shall have expertise in health care quality measurement and reporting.
• Non-federal members of the Committee shall be Special Government
• Employees, unless classified as representatives.

The summary of the notice on establishing the HIT Standards Committee states:

This notice announces the establishment of the HIT Standards Committee. The American Recovery and Reinvestment Act of 2009 (ARRA) (Pub. L. 111-5), section 13101, directs the establishment of the HIT Standards Committee. The HIT Standards Committee (also referred to as the "Committee'') is charged with making recommendations to the National Coordinator on standards, implementation specifications, and certification criteria for the electronic exchange and use of health information for purposes of adoption, consistent with the implementation of the Federal Health IT Strategic Plan, and in accordance with policies developed by the HIT Policy Committee.

The notice outlines the criteria for members of the HIT Standards Commitee and states that the appointments shall be made in the following manner:

The HIT Standards Committee shall not exceed thirty (30) voting members, including a Chair and Vice Chair, and members are appointed by the Secretary with input from the National Coordinator. Membership of the Committee shall at least reflect providers, ancillary healthcare workers, consumers, purchasers, health plans, technology vendors, researchers, relevant Federal agencies, and individuals with technical expertise on health care quality, privacy and security, and on the electronic exchange and use of health information and shall represent a balance among various sectors of the health care system so that no single sector unduly influences the recommendations of the Committee. Non-Federal members of the Committee shall be Special Government Employees, unless classified as representatives.

Thanks for the tip on the issuance of the notice to John Halamka at Life as a Healthcare CIO: Next Steps on the HIT Policy and Standards Committees.



UPDATE (5/7/09): Brian Ahier (@ahier) provides the latest update on with information on the first meetings of the HIT Policy Committee on May 11 and HIT Standards Committee meeting on May 15. Brian also provides links to the announcment by the GAO of 13 of the members of the HIT Policy Committee.

The announcment includes a list of the 13 members appointed by the Acting Comptroller General covering 10 different categories:

Advocates for Patients or Consumers

1. Christine Bechtel, Washington, D.C. (3 year term)
Vice President, National Partnership for Women & Families

2. Arthur Davidson, M.D., Denver Colorado (2 year term)
Denver Public Health Department; Director, Public Health Informatics; Director, Denver Center for Public Health Preparedness; Medical epidemiologist; Director, HIV/AIDS Surveillance, City and County of Denver

3. Adam Clark, Ph.D., Austin, Texas (1 year term)
Director of Research and Policy, Lance Armstrong Foundation

Representatives of Health Care Providers, including 1 physician

4. Marc Probst, Salt Lake City, Utah (3 year term)
Chief Information Officer, Intermountain Healthcare

5. Paul Tang, M.D., Mountain View, California (2 year term)
Vice President and Chief Medical Information Officer, Palo Alto Medical Foundation

Labor Organization Representing Health Care Workers

6. Scott White, New York City, New York (1 year term)
Assistant Director, Technology Project Director, 1199 SEIU Training and Employment Fund

Expert in Health Information Privacy & Security

7. LaTanya Sweeney, Ph.D., Pittsburgh, Pennsylvania (3 year term)
Director, Data Privacy Lab, Associate Professor of Computer Science, Technology and Policy, Carnegie Mellon University

Expert in Improving the Health of Vulnerable Populations

8. Neil Calman, M.D., New York City, New York (2 year term)
President and CEO, The Institute for Family Health, Inc.
Research Community

9. Connie Delaney, R.N., Ph.D., Minneapolis, Minnesota (1 year term)
Dean, School of Nursing, University of Minnesota

Representative of Health Plans or Other Third-Party Payers

10. Charles Kennedy, M.D., Camarillo, California (3 year term)
Vice President, Health Information Technology, Wellpoint, Inc.
Representative of Information Technology Vendors

11. Judith Faulkner, Verona, Wisconsin (2 year term)
Founder, CEO, President, Chairman of the Board, Epic Systems Corporation
Representative of Purchasers or Employers

12. David Lansky, Ph.D., San Francisco, California (1 year term)
President and CEO, Pacific Business Group on Health

Expert in Health Care Quality Measurement and Reporting

13. David Bates, M.D., Boston, Massachusetts (3 year term)
Medical Director for Clinical and Quality Analysis, Chief of General Internal Medicine, Partners HealthCare/Brigham & Women’s Hospital

More information on the upcoming meetings:

• HIT Standards Commitee - Federal Register (May 6, 2009) announcement of meeting.
• HIT Policy Committee - Federal Register (May 6, 2009) announcement of meeting.
  

HITECH Act Breach Notification Guidance: What Renders PHI Unusable, Unreadable or Indecipherable For Purposes of Breach Notification?

On April 17, 2009, the U.S. Department of Health & Human Services (HHS) issued guidance on the technology requirements to render protected health information (PHI) "unusable, unreadable or indecipherable to unauthorized individuals, as required by the Health Information Technology for Economic and Clinical Health Act (HITECH) which is a part of the American Recovery and Reinvestment Act of 2009 (ARRA).

The April 27, 2009 Federal Register (74 FR 19006),contains the official copy of the regulation, Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification Requirements Under Section 13402 of Title XIII (Health Information Technology for Economic and Clinical Health Act) of the American Recovery and Reinvestment Act of 2009; Request for Information

The guidance is effective as of April 17, 2009. However, the guidance will apply to breaches 30 days after publication of the interim final regulations.

HHS's press release on the guidance states:

The guidance issued today provides steps entities can take to secure personal health information and establishes the trigger for when entities must notify that patient data has been compromised. This guidance is related to “breach notification” regulations, which will be issued by HHS and the Federal Trade Commission respectively. The HHS regulations will apply to entities covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the FTC regulation will apply to vendors of personal health records and certain others not covered by HIPAA. The Recovery Act requires that these regulations be published within 180 days of enactment.
The guidance was developed through a joint effort by the HHS Office for Civil Rights (OCR), Office of the National Coordinator for Health Information Technology (ONC), and Centers for Medicare &Medicaid Services (CMS).

The guidance also seeks public comments on the guidance as well as the breach notification provisions under FTC's new Health Breach Notification Rule and the yet to be releases HHS Breach Notification Requirements for HIPAA Covered Entities and Business Associates. Public comments must be submitted on or before May 21, 2009.

ARRA Timelines

John Halamka at Life as a Healthcare CIO provides a good overview of the timeline and deadlines for the health information technology portions under the American Recovery and Reinvestment Act of 2009 (ARRA).

UPDATE (3/17/09): John Halamka has also added a summary of Timeline for ARRA Privacy Provisions which was based on work by Markle Foundation and the Center for Democracy and Technology.

Nominees for HITECH HIT Policy Committee and HIT Standards Committee

The Thursday, March 13 Federal Register (74 Fed Reg 10743) contained a notice for submitting nominees to the new committees created under ARRA-HITECH (stimulus bill) for developing health information technology standards and policy. The two commitees will be called the HIT Standards Commitee and HIT Policy Commitee. Details on these committees and the type of stakeholder representation on the commiteeis outlined in the notice listed below.

After seeing the notice I pushed it out to a variety of health colleagues via Twitter asking the question, "Who would you nominate?" The viral social networking nomination process was off and running and a Health Twitterstorm was started with many responses and recommended nominees. To view the process check out the tag #NominateHIT.

Jen McCabe Gorman (@jenmccabegorman) started to aggregate potential nominees to be submitted by the deadline of March 16. She has generously offered to coordinate the response and submit them to the ONC.

So far the results of potential nominees:

• First Batch of Nominees
• Second Batch of Nominees
• Third Batch of Nominees (with instructions on what Jen plans to do with the submissions)
  

UPDATE: Jen McCabe Gorman aggregated all the nominees in one post. If you are interested in having your name submitted as a nominee - please follow the instructions by Jen listed in her post. Deadline for submission is today.

A number of people asked about my nominees so I thought I would add them here. Here goes in no particular order (if you find your name below and want to be considered please forward your information to Jen McCabe Gorman here):

Jane Sarasohn-Kahn, Health Economist, Health Populi

Christopher Parks, CEO of change:healthcare

John D. Halamka, MD, MS, CIO CareGroup Health System, Chief Information Officer and Dean for Technology at Harvard Medical School

Scott Shreeve, CEO ofCrossover Healthcare

Josh Lemieux, Markle Foundation

Jay Parkinson, MD, Hello Health

Jen McCabe Gorman, Health Management RX

Matthew Holt, Health Care Strategist and Co-Founder, Health 2.0

Jonathan Bush, CEO of Athena Health

Peter Neupert, VP Health Solutions Group, Microsoft

Roni Zeiger, MD, Product Manager, Google Health

Enoch Choi, MD, Partner, Palo Alto Medical Foundation, MedHelp.org

Marty Tenenbaum, Health 2.0 Accelerator Visionary

David Kibbe, Senior Advisor American Academy of Family Physicians

Amy Tenderich, Writer, Blogger, Consultant, Patient Advocate www.DiabetesMine.com

Adam Bosworth, CEO of Keas

Sarah Chouinard, MD, Community Health Network of WV

John Wiesendanger, CEO of West Virginia Medical Institute, Inc.
 

REMEMBER:
Change Doesn't come from Washington. Change comes to Washington.
President Obama



DEPARTMENT OF HEALTH AND HUMAN SERVICES
Office of the National Coordinator for Health Information Technology; HIT Standards Committee and HIT Policy Committee Nomination Letters

ACTION: Notice on letters of nomination.

SUMMARY: The American Recovery and Reinvestment Act of 2009 (Act), Public Law 111–5 amends the Public Health Service Act (PHSA) to add new sections 3002 and 3003. The new section 3003 of the PHSA establishes the HIT Standards Committee to make recommendations to the National Coordinator for Health Information Technology on standards, implementation specifications, and certification criteria for the electronic exchange and use of health information for purposes of health information technology adoption. The HIT Standards Committee members are to be appointed by the Secretary of the Department of Health and Human Services with the National Coordinator taking a leading role. Membership of the HIT Standards Committee should at least reflect the following categories of stakeholders and will include other individuals: providers, ancillary healthcare workers, consumers, purchasers, health plans, technology vendors, researchers, relevant Federal agencies, and individuals with technical expertise on health care quality, privacy
and security, and on the electronic exchange and use of health information.

In addition, we also seek nominations to the HIT Policy Committee (established by the new section 3002 of
the PHSA), which makes recommendations to the National Coordinator on the implementation of a nationwide health information technology infrastructure. The HIT Policy Committee will consist of at least 20 members. Three of these members will be appointed by the Secretary of the Department of Health and Human Services. Of the three members, one must be a representative of the Department of Health and Human Services and one must be a public health official. If, 45 days after the enactment of the Act, an official authorized under the Act to make appointments to the HIT Policy Committee has failed to make anappointment(s), the Act authorizes the Secretary of HHS to make such appointments. The Department of Health and Human Services is consequently accepting nominations for the HIT Policy Committee. New section 3008 of the PHSA allows the Secretary to recognize the NeHC (if modified to be consistent with the requirements of section 3002 and 3003 of the Act and other federal laws) as either the HIT Policy Committee or the HIT Standards Committee. At this time, the Department of Health and Human Services is evaluating options regarding the National eHealth Collaborative and its role in relation to those Committees. For appointments to either the HIT Standards Committee or the HIT Policy Committee, I am announcing the following: Letters of nomination and resumes should be submitted by March 16, 2009 to ensure adequate opportunity for review and consideration of nominees prior to appointment of members.

ADDRESSES: Office of the National Coordinator, Department of Health and Human Services, 200 Independence Avenue, NW., Washington, DC 20201, Attention: Judith Sparrow, Room 729D.

E-mail address:
HIT_FACA_nominations@hhs.gov.
Please indicate in your letter or e-mail to which Committee your nomination belongs.

FOR FURTHER INFORMATION CONTACT:
ONC/HHS, Judith Sparrow, (202) 205–4528.
Authority: The American Recovery and Reinvestment Act of 2009 (Pub. L. 111–5), section 13101.
Dated: March 9, 2009.
Robert M. Kolodner,
National Coordinator for Health Information Technology, Office of the National Coordinator for Health Information Technology.
[FR Doc. E9–5391 Filed 3–9–09; 4:15 pm]
BILLING CODE 4150–45–P

WHCC Leadership Summit on Consumer Connectivity

Today I am attending the World Health Care Congress2nd Annual Leadership Summit on Consumer Connectivity in Carlsbad, CA. Good presentations and discussion with those in attendance. You can follow the conference via Twitter at #WHCC2 or get live blogging at EKIVE by Mark Schrimshire using Cover It Live.

I just finished up my afternoon presentation with Rod Piechowski with the American Hospital Association on the topic of Overcoming Legal and Policy Barriers for Health IT Adoption. With the recent passage of ARRA 2009 we thought it valuable to talk about the changing landscape of Health IT as a result of the new bill. Below are the slides from my presentation.

Overcoming Legal Barriers HIT Adoption

View more presentations from Bob Coffield. (tags: arra hitech)