The Privacy and Security requirements of the recently released Meaningful Use NPRM and Certification IFR have received a lot of attention because they are so loosely defined. I joined the Jan 22 ONC Privacy & Security Workgroup meeting to discuss which topics the workgroup will comment on and send to the HIT Policy Committee. The topics included risk assessments, the phrase “implement security updates as necessary”, HIPAA investigations, privacy and data transparency, and “consumer preference”.
- Risk assessments – There is still a lot of concern about the lack of clarity surrounding risk assessments. The ONC will need to ensure that education on risk assessments is available, especially for small providers. Most organizations currently think they are HIPAA compliant, but few would feel comfortable if the government performed a HIPAA audit, because there is no guidance as to what the government would audit against. Guidance is needed on the “intended outcomes” of the MU security objective, and greater transparency (for example, Audit Program Compliance Guidelines) is needed on the audit process that will be used. It is unlikely that any guidance will be available by the time the final rules are released. Large organizations commonly perform internal or 3rd-party security/privacy audits, but this is rare (and not feasible) among smaller providers. Many of the comments on this topic will not change the objective itself, but rather how the ONC responds to the need for additional information.
- “Implement security updates as necessary” – The term “updates” is both a technology term (i.e. a software update) and a business-process term (i.e. modifying a password policy), and its intended meaning (one, the other, or both) should be clearly stated. Time requirements were discussed, such as requiring security patches to be applied within 90 days of release, but this was thrown out because of the complications of rolling out updates, especially in enterprise settings.
- HIPAA Investigations – ~5k HIPAA investigations are currently underway. It is unclear whether these represent ~5k different hospitals, individual doctors, multiple investigations per entity, etc. It is also unclear whether an open investigation will prevent an eligible professional or hospital from receiving incentive payments. The “expected” length and cost of investigations will be important to allow providers to make informed decisions. It is unclear which HIPAA investigation types are relevant to MU.
- Privacy and Data Transparency – No objectives or measures for privacy and data transparency are present in Stage 1. The Committee wants to propose these for Stage 2. “Accounting of disclosures” is included in Stage 1 and is already required by HIPAA. The connection between the security/certification piece and the MU/privacy piece is weak. For example, the capability to prevent many breaches is a part of certified EHR, but there are no objectives or measures to guide providers in the use of these certification criteria.
- “Consumer-preference” – Also referred to as “patient-choice” requirements, consent management, or access control. There was some disagreement as to the proper language for discussing patient preference. Dixie Baker, who is also involved in the Security Standards Workgroup, posted a presentation (available on the ONC website) addressing access control and its relation to privacy. There are no IFR criteria for access control to help entities manage the patient consent requirements with which they must comply. This discussion was cut short due to time and will probably be completed in private conversation.
Refer to my previous post to join in on future workgroup meetings: https://singularityblog.wordpress.com/2010/01/11/upcoming-hit-policy-standards-committees-workgroup-meetings/
From Dr. John Halamka, CIO of CareGroup Health System in Boston, MA (original post here: The Timeline for ARRA Privacy Provisions), a bookmarked PDF-version of the American Recovery & Reinvestment Act that highlights sections relevant to HIT & privacy: http://ecommons.med.harvard.edu/ec_res/nt/A3B4A28D-987B-4271-B003-5A877B4F4E38/arrabookmarks.pdf
The rough timeline is below:
Upon enactment (February 17, 2009)
- Application of new tiered civil penalties based on the nature of HIPAA violations, up to $50,000 per violation and an annual maximum of $1.5 million (Section 13410)
- Enforcement by state attorneys general for offenses occurring after enactment (Section 13410(e))
Within 45 days of enactment (April 3, 2009)
- Appointment of HIT Policy Committee members (Section 3002(b))
Within 60 days of enactment (April 18, 2009)
- HHS Secretary will issue guidance on methodologies and technologies that render information unreadable (Section 13402)
Within 180 days of enactment (August 16, 2009)
- HHS and the Federal Trade Commission will promulgate interim final regulations on notification of breaches. The FTC rules will apply to breach notification by PHRs that are not covered by HIPAA or Business Associate agreements (Sections 13402, 13407)
By December 31, 2009
- HHS must adopt through rulemaking the initial prioritized set of standards, which should include the accounting of disclosures (Section 3002(b))
Due within one year post enactment (February 17, 2010)
- The Secretary will appoint a Chief Privacy Officer (Section 3001)
- The Office for Civil Rights and HHS will launch an education initiative to improve public transparency on the use of health information (Section 13403)
- The Government Accountability Office will report on best practices for disclosures for treatment and use of electronic informed consent (Section 13424)
- HHS will report on and provide guidance on de-identification (Section 13424(c))
- Covered entities must enter into Business Associate Agreements with PHRs, HIEs, and other services that handle protected health information (Section 13405(e))
- HHS will issue rules on opting out of fundraising solicitations (Section 13406)
- HHS will report on and provide guidance on effective technical safeguards for carrying out the HIPAA Security Rule (Section 13401(c))
- HHS and the Federal Trade Commission will report on privacy and security requirements for PHR vendors and applications
One year post enactment (February 17, 2010)
- HHS and the Office for Civil Rights clarify the application of criminal penalties to non-covered entities (Section 13409)
- HHS to issue rules on which entities are required to be business associates (Section 13401)
- Right to restrict disclosures to health plans for services paid for out of pocket (Section 13405(a))
- HHS Secretary required to conduct periodic audits of entities covered by HIPAA (Section 13411)
- Right of electronic access to records by patients takes effect (Section 13405(e))
Within 18 months of enactment (August 17, 2010)
- HHS guidance on minimum necessary data (Section 13405(c))
- Regulations implementing the prohibition on the sale of data, which take effect 6 months after promulgation (Section 13405(a))
- Initial deadline for complying with the new accounting-of-disclosures rules for information kept in EHRs acquired after January 1, 2009 (Section 13405(c))
24 months post enactment (February 17, 2011)
- Clarification of ability to pursue civil penalties when criminal penalties are not pursued (Section 13405)
- Regulations for methodology for distributing penalties or settlement money to harmed individuals (Section 13410)
- Extended deadline for complying with the new accounting-of-disclosures rules for information kept in EHRs acquired after January 1, 2009 (Section 13405(c))
- GAO will report on the impact of ARRA (Section 13424)
- Initial deadline for complying with the new accounting-of-disclosures rules for information kept in EHRs acquired before January 1, 2009 (Section 13405(c))
- Extended deadline for complying with the new accounting-of-disclosures rules for information kept in EHRs acquired before January 1, 2009 (Section 13405(c))