Archive for August, 2010
By Andrea Kraynak, CPC
The Chicago-based Certification Commission for Health Information Technology (CCHIT), and the Drummond Group Inc. (DGI) of Austin, TX are the first official certifiers of EHR technology, HHS announced August 30.
Healthcare providers and vendors can begin to seek certification for their EHR systems and technologies now that the Office of the National Coordinator for Health Information Technology (ONC) has named the first two authorized testing and certification bodies (ATCB). Providers must be using certified EHR technology to qualify for meaningful use incentive payments.
“Less than two months following the issuance of final meaningful use rules, we have approved our initial ONC-ATCB certifiers. EHR vendors can begin immediately to get their products certified,” David Blumenthal, MD, national coordinator for Health Information Technology, said in the press release. “This is a crucial step because it ensures that certified EHR products will be available to support the achievement of the required meaningful use objectives, that these products will be aligned with one another on key standards, and that doctors and hospitals can invest with confidence in these certified systems.”
Additional ATCBs may still be named, but in the meantime vendors can begin lining up to have their EHRs tested and, they hope, certified in time for the first round of incentive payments targeted for May 2011. Naming the bodies is one step, Blumenthal said. Actually certifying multiple vendors’ systems is another. He notes, however, that the health IT initiative “is on an aggressive schedule to meet the urgent targets set by Congress and the President.”
In the meantime, CMS is creating an online system through which providers will register and attest to meaningful use in order to qualify for the incentive programs, according to the press release.
To learn more about the initial ONC-ATCBs, visit their websites at www.cchit.org and www.drummondgroup.com. More information on the EHR incentive program is available at http://healthit.hhs.gov/certification.
Is it recommended to pre-program commonly used phone numbers into the fax machine to avoid human error in dialing and PHI being released inappropriately?
Q. What additional language do BA contracts need to satisfy requirements of the HITECH Act, which is part of the American Recovery and Reinvestment Act?
A. BA contracts require amendments that address the following:
- New breach notification requirements as they pertain to BAs and their third-party contractors
- The responsibility of BAs that store patient or health plan member PHI electronically to provide PHI electronically to covered entities, patients, and health plan members who request electronic copies (depending on how covered entities intend to comply with this new requirement)
- Statutory requirement that BAs comply with the HIPAA security rule and the privacy rule’s use and disclosure provisions
Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, answered this question. Apgar has more than 17 years of experience in information technology and specializes in security compliance, assessments, training, and strategic planning. He is a board member of the Workgroup for Electronic Data Interchange and chair of the Oregon and Southwest Washington Healthcare, Privacy, and Security Forum.
Editor’s note: This is the seventh in a series of tips in HIPAA Update on laptop security. The excerpts are courtesy of the HCPro, Inc. newsletter, Briefings on HIPAA.
Organizations that don’t allocate money for implementation of their security policies won’t successfully secure their laptop computers and portable devices, says Ali Pabrai, CISSP, CSCS, CEO of ecfirst, Inc., and CEO and cofounder of HIPAA Academy in Newport Beach, CA. If your organization’s executives don’t provide funding, you can’t pay for encryption and authentication.
Without proper security, “you’re back to where you might be the next name on the OCR list,” he says.
California, which enacted a precedent-setting medical privacy law, fields more than 220 notifications of potential breaches from licensed facilities per month, according to numbers released by the state’s Department of Public Health.
From January 1, 2009, when law AB 211 went into effect, through May 31, 2010, entities have reported a total of 3,766 breaches. The law calls for health providers to prevent unlawful access, use, or disclosure of patients’ medical information and to report violations to DPH and the individuals affected.
The California Department of Public Health (CDPH), which enforces the law, receives notification of a little more than seven breaches a day. While California law calls for licensed entities to report any and all potential breaches, federal regulation currently gives providers a way out.
Under the “harm threshold” provision of the HITECH interim final rule on breach notification, providers may conduct a risk assessment to determine whether the potential breach poses a significant risk of financial, reputational, or other harm to the patient.
If it does not, no notification is required.
Congress did not write this into the HITECH Act. But the Office for Civil Rights (OCR), which on the federal level enforces the HIPAA privacy and security rules, included it through regulation.
In that regulation, published in the Federal Register on August 24, 2009, OCR noted that many commenters had suggested it add a “harm threshold such that an unauthorized use or disclosure of [personal health information] is considered a breach only if the use or disclosure poses some harm to the individual.”
Today, one year later, that rule is in effect, but on an interim basis. OCR submitted a final rule on breach notification for review by the Office of Management and Budget (OMB) but withdrew it earlier this month.
OCR did not specify why it withdrew the final rule, but some speculate OCR may remove the “harm threshold” and be more like California, where all breaches are reported.
Of those 3,766 breaches reported in the Golden State, California’s investigations team has completed reviews of 1,953. It found that 98.7% of those were “substantiated medical breaches.”
One California attorney says a harm threshold would help avoid the need to report innocuous breaches such as a fax going to the wrong provider.
“You add a huge expense and worry people” by reporting harmless breaches, said Paul Smith, partner with Davis Wright Tremaine LLP of San Francisco and co-chair of its health information privacy practice.
Most healthcare entities handle breaches in a “conscientious” way, Smith says.
“They understand that if there is a risk to the patient, it’s in everyone’s interests to provide notification.”
Jeff Drummond, health law partner in the Dallas office of Jackson Walker, LLP, agrees that sending notification upon notification can unnecessarily panic people “who really are at no risk of harm.” “Secondly,” he says, “getting breach notifications every time a truly low-risk potential disclosure occurs will result in ‘warning fatigue.’”
It’s like the boy who cried wolf, and “people will ignore notices they get when there really is something to worry about,” says Drummond, who will be a co-presenter on the HCPro, Inc. August 31, 2010, audio conference, “HIPAA’s New Proposed Rule: Prepare for Changes to Privacy, Security and Enforcement Regulations.”
“Some things we do out of an abundance of caution, because there’s really little or no downside to doing so,” Drummond adds. “Here, there really is a potential downside for giving warnings that aren’t really necessary.”
However, Drummond said he would not be surprised if the harm threshold were eliminated because Congress did not intend for it to be included in the final breach notification structure.
According to the interim final rule, covered entities and their BAs will perform a risk assessment to determine whether there is a significant risk of harm to the individual whose PHI ended up in the wrong hands.
According to the interim final rule, the important questions are:
- In whose hands did the PHI land?
- Can the information disclosed cause “significant risk of financial, reputational, or other harm to the individual”?
- Was mitigation possible? For example, can you obtain forensic proof that a stolen laptop computer’s data was not accessed? Note that under the HHS guidance accompanying the rule, PHI that was encrypted consistent with that guidance is treated as secured, so its loss is not a reportable breach in the first place; for an unencrypted device, proof of non-access is in practice hard to come by unless the device is recovered.
When asked this week by HIPAA Update if it were considering removing the harm threshold, OCR deferred to its earlier statement posted on its website.
“This is a complex issue, and the administration is committed to ensuring that individuals’ health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur,” OCR said of its reason to further review the breach notification final rule.
California, meanwhile, continues to operate without a harm threshold and as of May 31, the state has been able to investigate 51.8 percent of the cases reported.
The reported breaches break down as such:
- 2,914: Unintentional breach to person outside facility/healthcare system. Example: A patient’s prescription is faxed to the wrong number and ends up in a lawyer’s office instead of the corner pharmacy.
- 559: Unintentional breach by healthcare worker within the facility/healthcare system. Example: A nurse faxes a patient record to cardiology instead of radiology.
- 147: Malicious breach by healthcare worker. Example: A healthcare worker looks at the medical record of a patient without any medical reason to do so.
- 125: Breach involving theft of a computer system or loss of an electronic device or medical records. Example: A hospital laptop is stolen from an employee’s personal car.
- 21: Malicious breach by person other than a healthcare worker. Example: Someone visiting the hospital sees a medical file on a desk and decides to pick it up and start reading.