West Virginia E-Prescribing Regulations

On January 4, 2008, the West Virginia Board of Pharmacy filed a Notice of Emergency Rule amending CSR 15-1, Licensure and Practice of Pharmacy, implementing the requirements of SB 1001 (See SB 69 and HB 2289) passed during the 2007 Legislative Session permitting electronic prescribing (e-prescribing) of legend drugs in West Virginia, including through the use of electronic data intermediaries.

The Board also filed on January 4, 2008, the Notice of a Comment Period on a Proposed Rule amending CSR 15-1, Licensure and Practice of Pharmacy. Comments on the Proposed Rule must be submitted before February 8, 2008.

The summary and statement of circumstances included in the notice reads:

SB 1001, passed during the First Special Session, 2007, and duly enacted into law, permits electronic prescribing (e-prescribing) of legend drugs in this State, including through the use of electronic data intermediaries as defined therein. SB 1001 contains the following directive to the West Virginia Board of Pharmacy as set forth in West Virginia Code Section 30-5-12C(d): "The board shall promulgate emergency rules pursuant to the provisions of article three, chapter twenty-nine-a of this code to implement and enforce the provisions of this section." E-prescribing is already being done by prescribers around the state, with the amount and frequency of electronic prescriptions being received by pharmacies increasing each day as the technology becomes more accepted and available in the industry. While the current rules allowed for electronic transmission of prescriptions, SB 1001 states that e-prescribing may not be done in this State until emergency rules are promulgated, and further sets additional parameters defining this growing area. As such, the e-prescribing currently being done in this State is being done without appropriate legislative rules in place to protect the integrity, privacy, security and confidentiality of the prescription orders. In addition, prescription drug diversion is an ongoing problem in this State and nation; e-prescribing done correctly is one method to combat the problem often perpetrated through passing fraudulent written prescriptions. Finally, e-prescribing aids in the accuracy of prescriptions by more timely presenting them electronically from the prescriber's office to the pharmacy in a clearly legible format, thus reducing fill-errors and facilitating patient compliance with the prescribed treatment.

Given these factors, the Legislature, through its deliberative process, has determined that an emergency exists requiring the need for emergency rules to govern the use of e-prescribing and electronic data intermediaries in this State for patients to access prescription medications in a safe and efficient manner. Therefore, in accordance with that directive, the purpose of this emergency rule is to revise existing rules governing issuance of prescription orders to set specific standards to govern e-prescribing in West Virginia, thereby protecting the public health, safety, and welfare with regard to restricted drugs which may only be obtained by patients with a proper prescription.

Advocating The Need For A Federal Data Breach Disclosure Law

Information Week's Security Blog advocates for a federal data breach disclosure law in this post, The Time Is Now (Better Yet, Yesterday) For A Federal Data Breach Disclosure Law.

Thanks to the HIPAA Blog for point out the article. I agree with Jeff Drummond's conclusion. After having analyzed overlapping and different state disclosure requirements as a part of assisting clients with data breach issue a federal approach is the direction we should go. (caveat: it should require total preemption - not partial preemption like HIPAA privacy).

A federal approach would help set a national industry standard that can be clearly understood, implemented and followed by those who regularly deal in data, health care or otherwise. The state-by-state patchwork of different laws that currently exist create a complexity that is not needed.

For more on the ongoing complexity issue check out California's recently revised law (AB1298) that recently took effect. AB1298 effective January 1, 2008, expands the coverage and protections to medical information and health insurance information under California's State Information Practices Act.

A clear and concise national approach would simplify compliance for those required to maintain and protect data, including health care providers maintaining health information. Customers and patients who expect their data to be maintained would also benefit by a simplified approach and uniform law that provides for a consistent level of breach notification and protection.

For more on state security breach notification legislation/laws check out the National Conference of State Legislatures website page "Breach of Information". Last updated in April 2007, it states "thirty-five states have enacted legislation requiring companies and/or state agencies to disclosure security breaches involving personal information." I suspect this number will increase after the 2008 legislative sessions around the country.

Also, NCSL provides a summary of data breach notification legislation introduced by year. For 2007, they list three bills introduced (but not passed) before the West Virginia Legislature:

WEST VIRGINIA

WV H 2175	Sponsor: Marshall (D) Title: Acquisition of Security Compromising Data Introduced: 01/16/2007 Location: House Judiciary Committee Summary: Relates to the unauthorized acquisition of data that compromises the security, confidentiality, or integrity of personal information maintained by the data collector. Status: 01/16/2007 INTRODUCED. 01/16/2007 To HOUSE Committee on JUDICIARY.

WV H 2263	Sponsor: Brown (D) Title: Clean Credit Information and Identity Theft Protection Introduced: 01/16/2007 Location: House Judiciary Committee Summary: Ensures clean credit information and identity theft protection (FN). Status: 01/16/2007 INTRODUCED. 01/16/2007 To HOUSE Committee on JUDICIARY.

WV H 2705

Sponsor: Marshall (D) Title: Consumer Right to Impose Freeze on Credit Reports Introduced: 01/30/2007 Location: House Judiciary Committee Summary: Establishes a procedure whereby a consumer may implement a security freeze to prohibit a consumer reporting agency from releasing all or any part of the consumer's credit report. Status: 01/30/2007 INTRODUCED. 01/30/2007 To HOUSE Committee on JUDICIA

As a result of high profile cases like this one that occurred in West Virginia, we will again see activity this year in West Virginia.

2008 WV Legislature: Modification to WV Mental Health Confidentiality Provisions

iHealthBeat (courtesy of Daily Mail) reports on proposed House Bill 4020 introduced last week before the West Virginia Legislature to modify W.Va. Code 27-3-1 authorizing the disclosure of certain mental health records to the National Instant Criminal Background Check System.

According to the article, West Virginia is one of about 24 states that do not allow the release of records to the database. Some states have declined to participate in the federal database because of privacy concerns.