MSBCBS of TN Settles HIPAA/HITECH Violation for $1.5M

The HHS Office for Civil Rights (OCR) announced a settlement of $1.5M with Blue Cross Blue Shield of Tennessee (BCBST) relating to potential violations under the HIPAA Privacy and Security Rules. According to the OCR press release, the enforcement action by OCR is the first reported as resulting from a breach report required under the new Breach Notification Rule implemented as a result of the HITECH provisions of HIPAA.

The breach involved 57 unencrypted computer hard drives that were stolen from a facility leased by BCBST in Tennessee. The hard drives contained protected health information of approximately 1 million individuals. The breach was reported by BCBST to OCR under the HITECH provisions and regulations that require reporting of potential breaches. The press release indicates that OCR’s investigation found that BCBST failed to implement appropriate administrative safeguards to adequately protect information remaining at the leased facility by not performing the required security evaluation in response to operational changes. In addition, the investigation showed a failure to implement appropriate physical safeguards by not having adequate facility access controls; both of these safeguards are required by the HIPAA Security Rule.

For more information check out the HHS press release "HHS settles HIPAA case with BCBST for $1.5 million" which includes a link to the HHS Resolution Agreement entered into between OCR and BCBST.

ONC Issues Final Rule for EHR Temporary Certification Program

Last Friday the Office of National Coordinator for Health Information Technology (ONC) issued a final rule providing the details on how organizations can be authorized by ONC to test and certify EHR technology. ONC discusses the details the Temporary Certification Program.

Certification is important because the Medicare and Medicaid EHR incentives under HITECH require the use of certificate EHR technology for eligible hospital and providers to recieve payments under the incentive program.

For more information check out the Temporary Certification Program information on the ONC Health IT website, including a link to a complete copy of the Temporary Certification Program Final Rule.

More information from Government Health IT, ONC launches health IT certification program and iHealthBeat, ONC To Start Accepting Bids for Entities to Certify EHR Products.

UPDATE (6/24/2010): The official Federal Register version of the Final Rule is now available: 45 CFR Part 170, Establishment of the Temporary Certification Program for Health Information Technology; Final Rule (75 Fed. Reg. 36158, June 24, 2010). The Final Rule is effective on June 24, 2010.

SAMHSA and ONC: FAQs on Substance Abuse Confidentiality Regulations for HIEs

The Substance Abuse and Mental Health Services Administration (SAMHSA) and the Office of the National Coordinator for Health Information Technology (ONC) announced last week the release of FAQs for Applying the Substance Abuse Confidentiality Regulations to Health Information Exchanges (HIEs).

Cover letter regarding the FAQs by Pamela S. Hyde, the Administrator of SAMHSA, and David Blumenthal, National Coordinator for ONC. The letter describes that the the Substance Abuse Confidentiality Regulations under 42 CFR Part 2 were enacted years ago (circa 1975). Due to the age of the regulations SAMHSA and ONC created the FAQs to provide guidance and understanding of the scope of these regulations in the context of today's move toward an electronic health information system.

The FAQs outline the general requirements under 42 CFR Part 2, provide guidance on its application to HIEs, and identify methods for including substance abuse related health information into HIEs that is consistent with the Federal statute.

As a follow-up to the release of the FAQs, SAMHSA and ONC will convene a meeting of concerned or interested parties from both the Behavioral Health and Information Technology (BH-IT) communities on August 4, 2010. The meeting will be an opportunity for SAMHSA and ONC to receive questions and comments on the FAQs.

The FAQs for Applying the Substance Abuse Confidentiality Regulations to Health Information Exchanges (HIEs) provide information on the following 37 questions:

1. Does the federal law that protects the confidentiality of alcohol and drug abuse patient records allow information about patients with substance use disorders to be included in electronic health information exchange systems?
2. What types of providers are covered programs under 42 CFR Part 2 (“Part 2”)?
3. What patients, and which records and information, are protected by 42 C.F.R Part 2?
4. For the purposes of the applicability of 42 CFR Part 2, does it matter how HIOs are structured?
5. Does 42 CFR Part 2 permit the disclosure of information without a patient’s consent for the purposes of treatment, payment, or health care operations?
6. Under Part 2, can a Qualified Service Organization Agreement (QSOA) be used to facilitate communication between a Part 2 program and an HIO?
7. May information protected by Part 2 be made available to an HIO for electronic exchange?
8. If Part 2 information has been disclosed to the HIO, either pursuant to a Part 2- compliant consent form authorizing such disclosure or under a QSOA, may the HIO then make that Part 2 information available to HIO-affiliated members?
9. How do different HIO patient choice models regarding whether general clinical health information may be disclosed to or through an HIO (e.g., no consent, opt in or opt out) affect the requirements of 42 CFR Part 2?
10. If an HIO is holding or storing Part 2 patient data through a QSOA, can the HIO redisclose the data coming from the Part 2 program to a third party without patient consent?
11. What are the required elements of a patient consent under Part 2?
12. What must a Part 2 program do to notify the HIO, or any other recipient of Part 2 protected information, that it may not redisclose Part 2 information without patient consent?
13. Can a single consent form be used to authorize the disclosure of Part 2 information to an HIO, as well as authorize the redisclosure of that information to other identified parties, such as HIO affiliated members?
14. Does Part 2 allow the use of multiple-party consent forms?
15. Does Part 2 require the use of original signed consents?
16. Under Part 2, may an HIO release demographic information about Part 2 patients without patient consent?
17. Under Part 2, can an HIO reveal that a patient had an encounter at a mixed use facility (or “general medical” facility – see FAQ #2) as long as the HIO does not reveal that the patient was in the mixed use facility’s Part 2 program? A mixed use facility can be defined as a service provider organization that provides substance abuse treatment services as well as other health services such as primary care, dental care, mental health services, social services, etc.
18. Under Part 2, can an HIO use a consent form that provides for disclosure to “HIO members” and refers to the HIO’s website for a list of those members?
19. Can an HIO use a consent form under Part 2 to allow for the disclosure of information to future HIO affiliated health care providers?
20. Can an HIO use a consent form under Part 2 to allow for the disclosure of information to health care providers who are providing on-call coverage for HIO affiliated health care providers or with whom those affiliated providers consult?
21. Can a Part 2 patient consent be used to enable multiple disclosures?
22. Can a Part 2 program or HIO use a consent form that has no specific expiration date but rather states that disclosure is permitted until consent is revoked by the patient?
23. Is “treatment” a sufficient description of the intended purpose of a disclosure on a Part 2 consent?
24. Under Part 2, can any health care provider make the determination that a medical emergency exists, or must a Part 2 provider make that determination?
25. May a computer system be used to automatically determine whether a medical emergency exists and whether a disclosure of Part 2 data can be made without the patient’s consent?
26. If a medical emergency exists, can the entire Part 2 record be released?
27. For documentation purposes, if a medical emergency is present, would it be permissible under Part 2 to have treating providers simply check a drop down box signifying the existence of such a medical emergency?
28. Under Part 2, may an HIO system make clinical decision support functions (such as showing a patient’s medications to clinicians when they write prescriptions, automatically ordering medications, and/or alerting clinicians about potential drug interactions) available to HIO affiliated health care providers in a medical emergency?
29. Does the Part 2 definition of medical emergency also include mental health emergencies?
30. When the HIO keeps an electronic record of a medical emergency, does that fully meet Part 2’s requirement to document disclosures made in a medical emergencies in the patient’s record?
31. If an HIO’s electronic system makes a disclosure in a medical emergency, would documenting the name of the discloser as “electronically disclosed through the system administered by HIO” meet Part 2’s requirement that the name of the person who made the disclosure be documented in the patient’s record?
32. If an HIO’s electronic system sends Part 2 data in a medical emergency to a printer or fax machine in the emergency room, can “the printer in the emergency department” meet Part 2’s requirement to document in the patient’s record the name of the person to whom the disclosure was made?
33. Once Part 2 information is disclosed in a medical emergency, can that information be redisclosed without obtaining patient consent?
34. If a patient has previously refused to consent to the release of his/her Part 2 record to a particular HIO affiliated health care provider, and then the patient is brought to that provider in a bona fide medical emergency situation, can that provider gain access through the HIO to the information without the patient’s consent under Part 2?
35. Can an HIO disclose data for Disease Management purposes under Part 2 without patient consent?
36. Under Part 2, would an HIO be permitted to disclose to an HIO affiliated payer the data of several patients held by the HIO, which may include Part 2 data, in order for the payer to target where interventions could be made with particular patients to improve care and management of disease?
37. If an HIO affiliated health care provider wishes to gain access to a minor’s Part 2 record held by the HIO, may the HIO or provider obtain only the consent of a parent or guardian, or must the minor’s consent also be obtained?

WV HIT Funding Under HITECH: WVHIN Gets $7.8M and WV REC gets $6M

Health and Human Services Secretary Sebelius and the National Coordinator for Health Information Technology, David Blumenthal, announced the HITECH funding under the ARRA for State Health Information Exchanges (HIEs) and Regional Extension Center (RECs) across the country.

The White House Press Release provides a detailed list of HIEs and RECs receiving grants. Inormation is also available via the HHS News Release, Sebelius, Solis Announce Nearly $1 Billion Recovery Act Investments in Advancing Use of Health IT, Training Works for Health Jobs of the Future.

West Virginia will receive the following funding:

• West Virginia Department of Health and Human Resources in conjunction with the West Virginia Health Information Network HIE Award: $7,819,000

• West Virginia Health Improvement Institute, Inc. REC ward:$6,000,000

More information about the health information technology programs and awards can be found on the Office of National Coordinator HIT Website.

• State Health Information Exchange Cooperative Agreement Program

• Health Information Technology Extension Program

HISPC Reports on State Health Information Law, Business Practice and Policy

The Office of the National Coordinator for Health Information Technology (ONC) has made available a compendium of reports which detail variations in state health information law, business practices and policy related to privacy and security of health information and the electronic exchange of health information.

The reports were developed in 2009 as a part of the ongoing efforts of the Health Information Security and Privacy Collaboration (HISPC) that started in 2006 when I had the the opportunity to work on the initial round of HISPC work as it related to West Virginia. The efforts by HISPC was to take a national look (at a state level) on the privacy and security challenges faced by the variation of state laws, policies and practices.

The reports will be a great resource for those who regularly look at state health information legal issues. Following are the summaries of the five reports along with links to the various tables/appendices:

• Report on State Medical Record Access Laws This report analyzes state laws that are intended to require health care providers (specifically, medical doctors and hospitals) to afford individuals access to their own health information and to identify potential barriers to the electronic exchange of health information. Specific state law provisions examined: scope of medical records to which patients are afforded access, format of information furnished, deadlines for responding to requests, fees for furnishing copies, record retention laws and access to records of minors.
• Report on State Law Requirements for Patient Permission to Disclose Health Information In Phase I of the HISPC project a majority of participants reported significant variation in the business practices and policies surrounding the need for and process of obtaining patient permission to use and disclose personal health information for a variety of purposes, including for treatment. This report furthers the initial work of this project by collating and analyzing state laws that govern the disclosure of identifiable health information for treatment purposes to identify commonalities and differences.
• Releasing Clinical Laboratory Test Results: Report on Survey of State Laws For this report, state statutes and regulations were analyzed to determine to whom clinical laboratories may release test results. This report focused on clinical laboratory and hospital licensing laws (that contain standards for hospital laboratories). It also examined general state medical record access laws to determine whether they provided an avenue for patients to access their clinical laboratory results directly.
• Report on State Prescribing Laws: Implications for e-Prescribing This report identifies and analyzes the impact and variation of state laws related to e-prescribing. The report addresses state laws related to the e-prescribing of controlled and non-controlled substances as well as topics such as record keeping and content requirements, out-of-state prescriptions, and generic substitution laws.
• Perspectives on Patient Matching: Approaches, Findings, and Challenges This report analyzes various approaches to matching patients to their health information in the context of electronic health information exchange. Current and potential methods for matching patients to their health records are discussed, challenges to performing patient matching such as scalability and ease of use are analyzed, and the types of information some HIOs use to match patients to their health records is described.

CMS and ONC Issue Rules on Proposing a Definition of Meaningful Use and Setting Standards for EHR Incentive Program

Yesterday the Centers for Medicare & Medicare Services (CMS) and the Office of the National Coordinator for Health Information Technology (ONC) issued two regulations laying the foundation for improving quality, efficiency and safety through meaningful use of certified electronic health record (EHR) technology.

The two regulations are part of the implementation of the EHR incentive programs for physicians and hospitals enacted under the HITECH provisions of the American Recovery and Reinvestment Act of 2009 (ARRA). CMS issued a proposed rule outlining the proposed provisions governing the EHR incentive programs, including defining the central concept of “meaningful use” of EHR technology. ONC issued an interim final regulation setting forth the initial standards, implementation specifications, and certification criteria for EHR technology.

For more details see the following CMS Press Release. Also, CMS has issued Fact Sheets on the proposed regulations:

• CMS Proposes Requirements for the Electronic Health Records (EHR) Medicaid Incentive Payment Program
  
• CMS Proposed Requirements for the Electronic Health Records (EHR) Medicare Incentive Program
  
• CMS Proposes Definition of Meaningful Use of Certified Electronic Health Records (EHR) Technology

Below are links to complete copies of the rules. Once they are published in the Federal Register I will update with the specific Fed Reg details. Some light reading for the New Year!

Medicare and Medicaid Programs; Electronic Health Record Incentive Program
AGENCY: Centers for Medicare & Medicaid Services (CMS), HHS.
ACTION: Proposed rule.
SUMMARY: This proposed rule would implement the provisions of the American Recovery and Reinvestment Act of 2009 (ARRA) (Pub. L. 111-5) that provide incentive payments to eligible professionals (EPs) and eligible hospitals participating in Medicare and Medicaid programs that adopt and meaningfully use certified electronic health record (EHR) technology. The proposed rule would specify the-- initial criteria an EP and eligible hospital must meet in order to qualify for the incentive payment; calculation of the incentive payment amounts; payment adjustments under Medicare for covered professional services and inpatient hospital services provided by EPs and eligible hospitals failing to meaningfully use certified EHR technology; and other program participation requirements. Also, as required by ARRA the Office of the National Coordinator for Health Information Technology (ONC) will be issuing a closely related interim final rule that specifies the Secretary’s adoption of an initial set of standards, implementation, specifications, and certification criteria for electronic health records. ONC will also be issuing a notice of proposed rulemaking on the process for organizations to conduct the certification of EHR technology.

Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology
AGENCY: Office of the National Coordinator for Health Information Technology,
Department of Health and Human Services.
ACTION: Interim final rule.
SUMMARY: The Department of Health and Human Services (HHS) is issuing this interim final rule with a request for comments to adopt an initial set of standards, implementation specifications, and certification criteria, as required by section 3004(b)(1) of the Public Health Service Act. This interim final rule represents the first step in an incremental approach to adopting standards, implementation specifications, and certification criteria to enhance the interoperability, functionality, utility, and security of health information technology and to support its meaningful use. The certification criteria adopted in this initial set establish the capabilities and related standards that certified electronic health record (EHR) technology will need to include in order to, at a minimum, support the achievement of the proposed meaningful use Stage 1 (beginning in 2011) by eligible professionals and eligible hospitals under the Medicare and Medicaid EHR Incentive Programs.

Chief Data Rights Officer

I love the creative and mind opening nature of Twitter tweets. Simple 140 character thoughts, questions, queries, etc.

As a lawyer who deals with pages, reams, volumes, boxes, rooms of written information on a daily basis I'm often amazed (and pleased) by the depth of concepts that can be expressed through 140 characters.

Example from today, @SusannahFox's tweet:

@SusannahFox What if, instead of a chief #privacy officer, ONC changed the conversation and appointed a chief data rights officer?

Susannah gets my "tweet of the day" award.

WVHIN Releases RFP for West Virginia Health Information Exchange

Today the West Virginia Health Information Network released a Request for Proposal (RFP) for a statewide Health Information Exchange. More information, including the deadlines, bidder worksheets and a full copy of the RFP are available on the WVHIN website.

Following are sections from the RFP that provide a general overview of the proposed West Virginia Health Information Exchange and a general scope of the RFP:

The West Virginia Health Information Network (WVHIN) is soliciting proposals to provide a statewide Health Information Exchange (HIE) infrastructure platform for physicians, hospitals, other health care organizations, and consumers. The purpose of this Request for Proposal (RFP) is to obtain vendor services and expertise in support of the WVHIN. Details on the scope of work, requirements and deliverables are contained in this RFP. WVHIN reserves the right to use the results of this RFP to obtain services for additional and related work should the need arise throughout the course of this project . . .

. . . According to the eHealth Initiative’s Sixth Annual Survey of Health Information Exchange 2009, there are almost 200 self‐reported HIE initiatives across the country with a substantially increased number of organizations that reported being operational. The impetus for HIEs has increased as a result of the passage of the American Recovery and Reinvestment Act (ARRA) of 2009 and specifically key provisions from the Health Information Technology for Economic and Clinical Health (HITECH) Act. These provisions called for the Office of the National Coordinator (ONC) to create a program to engage in collaborative agreements with states or “qualified” state‐designated non‐profit, multistakeholder partnerships to “conduct activities to facilitate and expand the electronic movement and use of health information among organizations according to nationally recognized standards.” . . .

. . . There are 1.8 million people in the very rural state of West Virginia with a high level of elderly and low‐income people in many of the rural areas. With a geographically dispersed population, access to and coordination of care is a critical issue. To serve this rural population, there is a relatively high number of hospitals with less than 100 beds and a high level of clinics serving the underserved making access and care coordination both difficult and essential. Based on the population profile and the number of small providers, a strong case was made for the need for a statewide HIE, which will help providers overcome communication and geographic barriers to access and coordination of care.

The WVHIN was established in July 2006 by the West Virginia Legislature at the request of the Governor. The WVHIN is a sub‐agency under the West Virginia Health Care Authority. The intent of the legislation was for the WVHIN “to promote the design, implementation, operation and maintenance of a fully interoperable statewide network to facilitate public and private use of health care information in the state”. With this authority, the WVHIN established a multi‐stakeholder board and has been working with stakeholders to develop and implement a state‐level HIE. . .

. . . With this mandate, the WVHIN established a vision to enable “high quality, patient centered care facilitated by health information technology”. The WVHIN mission is as follows: “The West Virginia Health Information Network provides the health care community a trusted, integrated and seamless electronic structure enabling medical data exchange necessary for high quality, patient‐centered care.” Guiding principles have been established around collaboration, facilitation of patient‐centric care, enabled participation by all providers, quality improvement, patient participation, privacy and security, and sustainability.

The WVHIN, along with health systems, physicians, other providers, payers, and consumers, has a unique opportunity to establish a state‐level HIE infrastructure that helps communities and regions share data across organizations. The WVHIN is well positioned to provide a cost‐effective HIE infrastructure that benefits from economies of scale while enabling communities to develop their own unique solutions. As a convener and collaborator, the WVHIN will build bridges between health care stakeholders to launch and fund HIEs. It will help communities address complex issues such as setting standards for interoperable data exchange, addressing liability, setting policies for privacy and security, and exchanging data across state lines. It will collaborate with other health information technology (HIT) and HIE initiatives such as the Regional Extension Center (REC) to be initiated, public health, Medicaid, and others, to leverage collective resources. WVHIN activities are being pursued within the parameters of the West Virginia Statewide Health Information Technology Strategic Plan. WVHIN is one of several participating entities that jointly developed the strategic plan.

ONC: Health IT Buzz

The Office of the National Coordinator for Health Information Technology (ONC) has launched a second blog called the Health IT Buzz Blog.

Just a few weeks ago ONC announced the new Federal Advisory Committee Blog (FACA Blog).

The initial post by Dr. David Blumenthal, MD, MPP, National Coordinator for Health Information Technology, talks about the importance of using technology to continue the conversation on Health IT and create a forum for engagement.

Dr. Blumenthal's post goes on to state:

We intend to address a wide and diverse range of timely topics relevant to the “why’s and how’s” of efforts to support the secure and seamless exchange of electronic health information. We will discuss our ongoing work to protect patient privacy, secure information, and implement standards. We’ll also be using the blog to provide additional information regarding our new grant programs. And the conversation wouldn’t be complete without discussing the meaningful use rulemaking and incentive programs, clarifying our vision and addressing key challenges.

We want to hear from citizens, patients, health professionals, managers, policymakers, technology enthusiasts and technology skeptics. We can’t succeed unless we understand the wishes and concerns of the many constituencies we serve. So join us.

Tip to @ahier who pointed out the new ONC Blog.

Federal Advisory Committee Blog (FACA Blog)

The Office of the National Coordinator for Health Information Technology (ONCHIT) has launched a new blog called the Federal Advisory Committee Blog (FACA Blog).

The initial post by Judy Sparrow discusses that the FACA Blog will be uses in a spirit of transparency and collaboration to help open a broader dialogue on the issues before the Health IT Standards Committee and the Health IT Policy Committee. The post also provides some background on the role that Federal Advisory Groups play under the Federal Advisory Committee Act.

The second post by Aneesh Chopra, Federal Chief Technology Officer, spells out the planned process for an open conversation that will take place over the next couple of weeks with various committee members blogging about a variety of topics (Proposed Standards, Interoperability, Vocabularies, Privacy, Security, Quality, Implementation Cases Studies).

The FACA Blog allows individuals to share public comments on each post and has an RSS feed. Great to see ONCHIT using a blog platform to quickly and efficiently distribute information about the ongoing work being done by the committees to further the health information technology efforts under HITECH.

West Virginia's Statewide Health Information Technology Strategic Plan

Over the past several months I have been involved with a group in developing West Virginia's statewide strategic plan for health information technology.

The final draft of the West Virginia Health Information Technology Statewide Strategic Plan, September 2009 is now available for review and comment. Additional comments and feedback on the strategic plan are welcome.

The strategic plan is a part of West Virginia's efforts to position itself as a national leader in implementing and adopting health information technology to improve our health care system. The strategic plan will be a part of the the state's efforts to submit applications to the Office of the National Coordinator for Health Information Technology (ONC) for funding under the State Health Information Exchange Cooperative Agreement Program and the Health Information Technology Extension Program: Regional Centers Cooperative Agreement Program, both programs developed under the American Recovery and Reinvestment Act of 2009, Title XIII - Health Information Technology, Subtitle B.

The project has been lead by the Adoption of Health Information Technology Workgroup under the West Virginia Health Improvement Institute. Both private and public stakeholders from across West Virginia have collaborated and provided input into the development of the strategic plan.

NCVHS: Report of Hearing on "Meaningful Use" of Health Information Technology

The National Committee on Vital and Health Statistics (NCVHS) has issued its initial Report of Hearing on "Meaningful Use" of Health Information Technology.

The May 18,2009 report is directed to David Blumenthal, MD, National Coordinator of Office of the National Coordinator for Health Information Technology. The cover letter indicates that NCVHS will be sending additional observations related to the hearing.

The Hearing on "Meaningful Use" of Health Information Technology was held on April 28-29, 2009. More information about the hearing can be found at the NCVHS website, including a copy of the hearing transcript and copies of the individual written testimony submitted by those individuals who testified at the hearing. You can also listen to a recorded version of the hearing in the NCVHS hearing archives.

ONC Developing Online Project To Educate Consumers About PHRs

Government Health IT reports that the the Office of the National Coordinator (ONC) is developing an online model containing information for consumers about personal health records (PHRs) and the privacy policies related to their use. ONC's effort appears targeted at engaging consumer to make more informed decisions about the use of PHRs.

The Office of the Secretary for HHS issued a notice of Agency Information Collection Request and 30 day Comment Request, 74 Federal Register 24012 (May 22, 2009), providing details of the proposed project.

If others have additional information on this project -- please leave a comment.

The abstract in the Federal Register notice states:

A new health information technology, the personal health record (PHR), seeks to provide consumers with the capability to directly manage their own health information. Although PHRs can exist in different formats or media (i.e., paper or electronic), the term usually refers to an online record containing an individual’s personal health information. PHRs typically include information such as health history, vaccinations, allergies, test results, and prescription information. Given the newness of the electronic PHR concept, the different ways to establish PHRs, and the sensitivity of personal health information, ONC is taking steps to establish that useful facts about PHRs and PHR privacy policy information be made available to consumers so they can make informed decisions about selecting and using PHRs. Toward this end, ONC has a project to develop an online model for PHR providers.

The model will be developed to:

› Allow presentation of important PHR facts and policies to consumers,

› Allow consumers to understand and consistently compare PHR service provider policies with others, and

› Focus on the key information that may influence decisions and choices of PHR service provider.

The project includes iterative rounds of in-depth consumer testing during April–October 2009 to assess and analyze consumer understanding and input about the model. The model will be iteratively revised to design a final template that will allow PHR vendors to convey useful and understandable facts to consumers about their privacy, security, and information management policies. Testing will be conducted in six locations that cover the four geographic census regions and will include 90-minute, one-on-one, cognitive usability interviews with six to seven participants at each of six sites, for a total not to exceed 42 interviews. In addition, each participant will have been recruited through a 15-minute screening interview. The participants will be recruited according to U.S. census statistics for race/ethnicity, age, marital status, gender, and income. Also, the sample will include participants both familiar and unfamiliar with PHRs and participants who manage chronic health issues or a disease for themselves or others.

ONC Releases HIT ARRA Implementation Plan

The Office of the National Coordinator for Health Information Technology (ONC) has released an operating plan titled the Health Information Technology American Recovery and Reinvestment Act (ARRA) Implementation Plan.

The operating plan is included on the DHHS Agency Wide Plan page under the "List of Recovery Programs within HHS."

The operating plan outlines immediate actions to meet statutory requirements under the Health Information Technology for Economic and Clinical Health Act (HITECH) provisions of the ARRA. The

The topic headings for the operating plan include:

A. Funding Table
B. Objectives
C-E. Activities, Characteristics and Delivery Schedules
F. Environmental Review Compliance
G. Measures
H. Monitoring/Evaluation
I. Transparency
J. Accountability
K. Barriers to Effective Implementation
L. Federal Infrascructure Investment

Thanks to Jim Tate (@jimtate) and John Chilmark (@john_chilmark) for pointing out the report.

WV Senator Rockefeller: The Health Information Technology Public Utility Act of 2009

Yesterday West Virginia Senator Jay Rockefeller introduced "The Health Information Technology Public Utility Act of 2009"(Senate Bill 890) to facilitate the nationwide adoption of electronic health records (EHRs) though an "open source" public utility model.

A copy of Senate Bill 890 is available on Thomas (GPO PDF version).  According to the press release the Act would:

• Create a new federal Public Utility Board within the Office of the National Coordinator for Health IT to direct and oversee formation of this HIT Public Utility Model, its implementation, and its ongoing operation.
• Implement and administer a new 21st Century Health IT Grant program for safety-net providers to cover the full cost of open source software implementation and maintenance for up to five years, with the possibility of renewal for up to five years if required benchmarks are met.
• Facilitate ongoing communication with open source user groups to incorporate improvements and innovations from them into the core programs.
• Ensure interoperability between these programs, including as innovations are incorporated, and develop mechanisms to integrate open source software with Medicaid and CHIP billing.
• Create a child-specific Electronic Health Record (EHR) to be used in Medicaid, CHIP, and other federal children’s health programs.
• Develop and integrate quality and performance measurement into open source software modules.

HITECH Act Breach Notification Guidance: What Renders PHI Unusable, Unreadable or Indecipherable For Purposes of Breach Notification?

On April 17, 2009, the U.S. Department of Health & Human Services (HHS) issued guidance on the technology requirements to render protected health information (PHI) "unusable, unreadable or indecipherable to unauthorized individuals, as required by the Health Information Technology for Economic and Clinical Health Act (HITECH) which is a part of the American Recovery and Reinvestment Act of 2009 (ARRA).

The April 27, 2009 Federal Register (74 FR 19006),contains the official copy of the regulation, Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification Requirements Under Section 13402 of Title XIII (Health Information Technology for Economic and Clinical Health Act) of the American Recovery and Reinvestment Act of 2009; Request for Information

The guidance is effective as of April 17, 2009. However, the guidance will apply to breaches 30 days after publication of the interim final regulations.

HHS's press release on the guidance states:

The guidance issued today provides steps entities can take to secure personal health information and establishes the trigger for when entities must notify that patient data has been compromised. This guidance is related to “breach notification” regulations, which will be issued by HHS and the Federal Trade Commission respectively. The HHS regulations will apply to entities covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the FTC regulation will apply to vendors of personal health records and certain others not covered by HIPAA. The Recovery Act requires that these regulations be published within 180 days of enactment.
The guidance was developed through a joint effort by the HHS Office for Civil Rights (OCR), Office of the National Coordinator for Health Information Technology (ONC), and Centers for Medicare &Medicaid Services (CMS).

The guidance also seeks public comments on the guidance as well as the breach notification provisions under FTC's new Health Breach Notification Rule and the yet to be releases HHS Breach Notification Requirements for HIPAA Covered Entities and Business Associates. Public comments must be submitted on or before May 21, 2009.

David Blumenthal, MD Named New National Coordinator for Health Information Technology

Various news sources report today that David Blumenthal, MD, former Harvard Medical School professor, has been selected by the Obama administration to lead the Office of the National Coordinator for Health Information Technology (ONC). HHS press release provides additional detail on Dr. Blumenthal.

Thanks to John Halamka for the tip who writes about Dr. Blumenthal in his post, "Hail to the IT Chief."

ONCHIT Issues Nationwide Privacy and Security Framework for Electronic Exchange of Health Information

Today the Office of the National Coordinator for Health Information Technology (ONCHIT) issued The Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information. The summary states that the framework creates a set of consistent principles to:

". . .address the privacy and security challenges related to electronic health information exchange through a network for all persons, regardless of the legal framework that may apply to a particular organization. The goal of this effort is to establish a policy framework for electronic health information exchange that can help guide the Nation's adoption of health information technologies and help improve the availability of health information and health care quality. The principles have been designed to establish the roles of individuals and the responsibilities of those who hold and exchange electronic individually identifiable health information through a network."

Along with the Nationwide Privacy and Security Framework the Department of Health and Human Services (HHS) has issued The Health IT Privacy and Security Toolkit. The Toolkit includes new HIPAA Privacy Rule guidance documents developed by the ONCHIT and the Office for Civil Rights (OCR) to help facilitate the electronic exchange of health information.

Of particular interest to many interested in PHRs will be the OCR's guidance on Personal Health Records and the HIPAA Privacy Rule and the draft Draft Model Personal Health Record (PHR) Privacy Notice & Facts-At-A-Glance (the "Leavitt Label").

The Toolkit provides information and guidance focused around these key areas:

• Individual Access Principle - Individuals should be provided with a simple and timely means to access and obtain their individually identifiable health information in a readable form and format.
• Correction Principle - Individuals should be provided with a timely means to dispute the accuracy or integrity of their individually identifiable health information, and to have erroneous information corrected or to have a dispute documented if their requests are denied.
• Openness and Transparency Principle - There should be openness and transparency about policies, procedures, and technologies that directly affect individuals and/or their individually identifiable health information.
• Individual Choice Principle - Individuals should be provided a reasonable opportunity and capability to make informed decisions about the collection, use, and disclosure of their individually identifiable health information.
• Collection, Use, and Disclosure Limitation Principle - Individually identifiable health information should be collected, used, and/or disclosed only to the extent necessary to accomplish a specified purpose(s) and never to discriminate inappropriately.
• Data Quality and Integrity Principle - Persons and entities should take reasonable steps to ensure that individually identifiable health information is complete, accurate, and up-to-date to the extent necessary for the person's or entity's intended purposes and has not been altered or destroyed in an unauthorized manner.
• Safeguards Principle - Individually identifiable health information should be protected with reasonable administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure.
• Accountability Principle - These principles should be implemented, and adherence assured, through appropriate monitoring and other means and methods should be in place to report and mitigate non-adherence and breaches.

I have only made an initial pass though the information and guidance documents. There is a lot to read and digest over the holidays. Please post in the comments your thoughts on the new federal principles and guidelines.

ONC-Coordinated Federal HIT Strategic Plan: 2008-2012

Today the Office of the National Coordinator for Health Information Technology (ONC) released "The ONC-Coordinated Federal Health Information Technology Strategic Plan: 2008-2012". Find more information here, including a synopsis of the full report.

The plan is meant to serve as a guide to coordinate the federal government's health IT efforts to achieve a nationwide implementation of an interoperable health information infrastructure.

Robert Kolondner, MD, National Coordinator for Health Information Technology states in the synopsis summary:

Looking toward the future, we can envision a health care system that is centered on each and every individual patient. Clinicians will have at their fingertips all of the information needed to provide the best care; individuals will have access to this and other information that can help them engage and insert their values in the decision-making process about their health and care; and, secure and authorized access to health data will provide new ways that biomedical research and public health can improve individual health, and the health of communities and the Nation.

The synopsis goes on to state that the plan has two goals -- "patient focused health care and population health" and describes them as follows:

Patient-focused Health Care: Enable the transformation to higher quality, more cost-efficient, patient-focused health care through electronic health information access and use by care providers, and by patients and their designees.

Population Health: Enable the appropriate, authorized, and timely access and use of electronic health information to benefit public health, biomedical research, quality improvement, and emergency preparedness.

Each goal has four objectives and the themes of privacy and security, interoperability, adoption, and collaborative governance recur across the goals, but they apply in very different ways to health care and population health.

I've only had a chance to scan the synopsis and the 115 page full report but should make for interesting reading for anyone involved in the ongoing evolution of our health care system and the impact that health technology is having on the industry.