Pabrai Blogs on Understanding the Temporary EHR Certification Program

Aug 20
Posted by Ali in Uncategorized

The Office of the National Coordinator for Health IT (ONC) on June 24 published a final rule for EHR certification as part of the meaningful use incentive plan. It became effective immediately. It was first published as an interim final rule in January 2010.

Organizations that have an interest in becoming Authorized Testing and Certification Bodies (ONC-ATCBs) can submit applications as of July 1, 2010. It is a multi-step process, and if they are approved they can test and certify EHR products on criteria specific to the meaningful use program. The Certification Commission for Health Information Technology (CCHIT) has applied to become an authorized certification body.

Who will provide the test methods for the program? The National Institute of Standards and Technology (NIST) will provide the test methods for the program.

Vendors may submit complete systems or individual modules for certification.

Why is this Temporary EHR Certification Program relevant? Because provider organizations (e.g. hospitals) must use technology that has been certified by an ONC-ATCB.

The ONC published the final rule on standards and certification criteria on July 28, 2010. It supports the meaningful use program and becomes effective on August 27, 2010.

Where can you get more information on all certified products and ONC-ATCBs? The ONC will maintain a list of ONC-ATCBs and certified products at http://healthit.hhs.gov. The Temporary EHR Certification Program is expected to sunset in 2012 and will be replaced by the permanent program at that time. Products certified under the temporary program will maintain their certification under the permanent program.

Pabrai Blogs on Definitions of Some Terminology – Updates in HITECH NPRM

Aug 16
Posted by Ali in Uncategorized

The HITECH NPRM, published in the Federal Register on July 14, 2010 (45 CFR Parts 160 and 164), includes updates to certain terminology.

Disclosure
Disclosure means the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information.

Electronic Media
Electronic media means:

• Electronic storage material on which data is or may be recorded electronically, including, for example, devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; and
• Transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the Internet (wide-open), extranet or intranet (using Internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media.

Certain transmissions, including of paper via facsimile and of voice via telephone, are not considered transmissions via electronic media if the information being exchanged did not exist in electronic form before the transmission.

Protected Health Information (PHI)
Protected Health Information (PHI) excludes Individually Identifiable Health Information (IIHI):

• In education records covered by the Family Educational Rights and Privacy Act
• In employment records held by a covered entity in its role as employer
• Regarding a person who has been deceased for more than 50 years

Workforce
Workforce means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate.

Pabrai Blogs on Public Health Disclosure & Fundraising Updates in HITECH NPRM

Aug 13
Posted by Ali in Uncategorized

The HITECH NPRM, published in the Federal Register on July 14, 2010 (45 CFR Parts 160 and 164), includes updates in two areas: public health disclosure and fundraising requirements.

Public Health Disclosures
The proposed rule would create a new public health provision to permit disclosure of proof of a child’s immunization by a covered entity to a school in States that have school entry or similar laws. This proposed change would allow a covered health care provider to release proof of immunization to a school without having to obtain a written authorization, provided the provider obtained agreement (oral or otherwise) to the disclosure from either the parent or guardian, or from the individual if the individual is an adult or emancipated minor. It is expected that the burden on covered entities and parents in obtaining and providing written authorizations would be reduced.

Since the proposed rule would require the covered entity and the party responsible for the student to agree that the covered entity may release proof of immunization, some covered entities may request the agreement in writing.

Fundraising Requirements
The proposed rule would require that any fundraising communication sent to an individual provide the recipient with a clear and conspicuous opportunity to opt out of receiving any further fundraising communications. If an individual elects to opt out, the fundraising entity must not send the individual additional fundraising communications. This proposed change will require fundraisers to clearly and conspicuously provide the recipient an opt-out choice for future communications and to treat such a choice as a revocation of authorization. This will result in fewer unwanted fundraising communications.

Pabrai Blogs on Uses and Disclosures – Decedent – Updates in HITECH NPRM

Aug 9
Posted by Ali in Uncategorized

The HITECH NPRM, published in the Federal Register on July 14, 2010 (45 CFR Parts 160 and 164), includes updates in a few areas related to the use and disclosure of decedents’ PHI.

Uses and Disclosures of Decedents’ PHI
The proposed rule would modify the current rule to limit the period for which a covered entity must protect an individual’s health information to 50 years after the individual’s death. This will reduce the burden on both covered entities and on those seeking the PHI of persons who have been deceased for many years by eliminating the need to search for and find a personal representative of the decedent, who in many cases may not be known or even exist after so many years, to authorize the disclosure. We believe this change would benefit family members and historians who may seek access to the medical information of these decedents for personal and public interest reasons.

Uses and Disclosures for Care and Notification Purposes
The proposed rule would permit covered entities to disclose a decedent’s PHI to family members, or other persons involved in the individual’s care or payment for care before the individual’s death, unless doing so would be inconsistent with any prior expressed preference of the individual that is known to the covered entity. The rights of the decedent’s personal representative to have access to the PHI of the decedent would remain unchanged. This would reduce the burden by permitting covered entities, after the death of the individual, to continue to disclose PHI to family members and other persons who were involved in the individual’s care while the individual was alive, without needing to obtain authorization from the decedent’s personal representative, who may not be known or even exist.


Pabrai Blogs on Authorization for Marketing, Sale & Compound Disclosures

Aug 6
Posted by Ali in Uncategorized

The HITECH NPRM, published in the Federal Register on July 14, 2010 (45 CFR Parts 160 and 164), includes proposed changes in the area of authorization and other requirements for disclosures related to marketing and the sale of PHI.

Health Care Operations & Marketing
The proposed rule modifies the definition of “marketing,” such that some communications to individuals about health-related products or services that are made under health care operations would now be considered marketing communications if the covered entity receives financial remuneration from a third party to make the communication. For marketing communications, individual authorization is required.

Treatment Communication
The proposal would require that a health care provider that receives financial remuneration from a third party in exchange for sending a treatment communication to an individual about the third party’s product or service must disclose the fact of remuneration in the communication and provide the individual with a clear and conspicuous opportunity to opt out of receiving future subsidized communications.

Selling PHI
In addition, the proposed rule would require an individual authorization before a covered entity could disclose PHI in exchange for remuneration (i.e., “sell” PHI).

Compound Disclosures
The proposed rule would permit compound authorizations for research purposes as long as it is clear to individuals that they do not have to agree to both the conditioned and unconditioned components of an authorization in order to receive research-related treatment. It is believed that the proposed provision would reduce the burden on the research community by eliminating the need for multiple forms for research studies involving both a clinical trial and a related research repository or study.

Pabrai Blogs on Individual Access to PHI (HITECH NPRM)

Aug 2
Posted by Ali in Uncategorized

Under the proposed HITECH NPRM, if a covered entity maintains PHI electronically and the individual requests copies of their PHI in an electronic format, the covered entity must provide the information in the electronic format requested by the individual if it is readily producible in that format, or, if not, in a different electronic format agreed to by the covered entity and the individual.

Costs for Electronic Requests of PHI
If the covered entity provides an individual with electronic access to PHI, the proposed rule would only allow the covered entity to charge the costs of labor associated with the preparation of the request.

The proposed rule clarifies the labor and supply costs applicable to the preparation of electronic requests vs. paper requests. Labor costs to produce an electronic copy involve the cost of reviewing and preparing the copy. Supplies for an electronic copy apply only to the cost of the media, if applicable, for providing the information to the individual. If the individual provides the media (e.g., a CD or flash drive), there would be no cost for the media. Similarly, if the information is transmitted via e-mail or some other electronic mode, there would be no charge for media.

Format & Delivery
Both the current and proposed rules continue to permit the covered entity and individual to negotiate over the format and delivery of PHI. By emphasizing the provision of PHI electronically, the proposed rule may lower costs because postage costs are eliminated or reduced and labor and supply costs are significantly reduced. Thus, there may be some savings that result from the greater use of EPHI.

Pabrai Blogs on Patient Access / Disclosure Restrictions (HITECH NPRM)

Jul 30
Posted by Ali in Uncategorized

The HITECH NPRM, published in the Federal Register on July 14, 2010 (45 CFR Parts 160 and 164), includes information about changes in the areas of Patient Access to Electronic Health Records (EHR) and the Patient Right to Restrict Disclosures. In the area of the Patient Right to Restrict Disclosures, the NPRM requires the covered entity to agree to a restriction on disclosure to a health plan if:

1. The disclosure is for the purposes of carrying out payment or health care operations and is not otherwise required by law; and
2. The Protected Health Information (PHI) pertains solely to a health care item or service for which the individual, or a person on behalf of the individual other than the health plan, has paid the covered entity in full.

The NPRM also clarifies that if a restriction is placed on a disclosure to a health plan, the covered entity is also prohibited from making such a disclosure to a business associate of the health plan.

The HITECH Act gives individuals the right to receive an electronic copy of their PHI, if it is maintained in an EHR, for which the provider may charge a fee.

Covered entities should review their policies and processes related to Patient Access and Disclosure Restrictions and consider the requirements in the HITECH Act and the forthcoming changes resulting from the NPRM.

Pabrai Blogs on Annual Final Guidance by OCR on Risk Analysis

Jul 26
Posted by Ali in Uncategorized

The Office for Civil Rights (OCR) is responsible for issuing annual guidance on the provisions in the HIPAA Security Rule (45 C.F.R. §§ 164.302–318). The HIPAA Security Rule clearly mandates:

RISK ANALYSIS (Required) – § 164.308(a)(1)(ii)(A)
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of Electronic Protected Health Information (EPHI) held by the [organization].

Conducting a risk analysis is the first step in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule. Therefore, a risk analysis is foundational and must be understood in detail.

All EPHI created, received, maintained or transmitted by an organization is subject to the Security Rule. A partial list of areas that organizations need to review includes:

• Have you identified the EPHI within your organization? This includes EPHI that you create, receive, maintain or transmit.
• What are the external sources of EPHI? For example, do vendors or consultants create, receive, maintain or transmit EPHI?
• What are the human, natural, and environmental threats to information systems that contain EPHI?

The Process
An organization must identify where EPHI is stored, received, maintained or transmitted. An organization could gather relevant data by reviewing past and/or existing projects, performing interviews, reviewing documentation, or using other data gathering techniques. The data on EPHI gathered using these methods must be documented.

The Security Rule requires entities to evaluate risks and vulnerabilities in their environments and to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of EPHI. Risk analysis is the first step in that process.

More Information
For more information on the annual final guidance document published by OCR, see:
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf

Pabrai Blogs on The HIPAA Enforcement Rule

Jul 23
Posted by Ali in Uncategorized

What is the HIPAA Enforcement Rule? The HIPAA Enforcement Rule establishes rules governing the compliance responsibilities of covered entities with respect to cooperation in the enforcement process. It also provides rules governing the investigation by HHS of compliance by covered entities, both through the investigation of complaints and the conduct of compliance reviews.

The Enforcement Rule establishes rules governing the process and grounds for establishing the amount of a civil money penalty where HHS has determined a covered entity has violated a requirement of a HIPAA Rule. The Enforcement Rule also establishes rules governing the procedures for hearings and appeals where the covered entity challenges a violation determination.

The HITECH Act provides, for purposes of enforcement, for the transfer to the HHS Office for Civil Rights (OCR) of any civil money penalty or monetary settlement collected under the HIPAA Privacy and Security Rules, and also requires HHS to establish by regulation a methodology for distributing to harmed individuals a percentage of the civil money penalties and monetary settlements collected under the Privacy and Security Rules.

Effective as of February 18, 2009, the HITECH Act also modified the civil money penalty structure for violations of the HIPAA Rules by implementing a tiered increase in the amount of penalties based on culpability. The tiered and increased civil money penalty provisions of the HITECH Act were effective for violations occurring after the date of enactment.

Further, the HITECH Act granted State Attorneys General the authority to enforce the HIPAA Rules by bringing civil action (Connecticut being the first example of such HIPAA enforcement).

Pabrai Blogs on Business Associate Updates in Recent HITECH & HIPAA Modifications

Jul 19
Posted by Ali in Uncategorized

The recent modifications to the HITECH Act include updates in the area of Business Associates. As a result of the HITECH modifications, Business Associates also include:

• Patient Safety Organizations (PSO)
• Health Information Organizations (HIO), E-Prescribing Gateways, and Other Persons That Facilitate Data Transmission
• Sub-contractors

The HITECH Act updates state that Patient Safety Organizations (PSOs) must be treated as business associates when applying the HIPAA Privacy Rule. Patient safety activities have been added to the list of functions and activities a person may undertake on behalf of a covered entity that give rise to a business associate relationship.

The modification to the HITECH Act further provides that an organization, such as a Health Information Exchange Organization, E-Prescribing Gateway, or Regional Health Information Organization, that provides data transmission of PHI to a covered entity (or its business associate) and that requires access on a routine basis to such PHI must be treated as a business associate. Also, a vendor that contracts with a covered entity to allow the covered entity to offer a PHR to patients as part of the covered entity’s Electronic Health Record (EHR) shall be treated as a business associate. The HITECH Act requires that such organizations and vendors enter into a written business associate contract or other arrangement with the covered entity in accordance with the HIPAA Rules.

Subcontractors of a covered entity, i.e. those persons that perform functions for or provide services to a business associate, other than in the capacity of a member of the business associate’s workforce, are also business associates to the extent that they require access to PHI. A subcontractor is a person who acts on behalf of a business associate, other than in the capacity of a member of the workforce of such business associate.

So take a closer look at who your business associates are. Update your Business Associate Agreements (BAAs) to ensure they meet the requirements of the HIPAA Privacy and Security Rules and the HITECH Act, and don’t forget to review State regulatory requirements as well, as they may impact some areas of the Agreement, such as the breach notification period.



About Pabrai

Ali Pabrai, chief executive of ecfirst, is a highly sought after security and compliance expert. He is also the author of the executive brief Cyber Security Strategy: The 4 Laws of Information Security. Pabrai was the first to launch a program focused on global information security regulations, the Certified Security Compliance Specialist™ (CSCS™) program. The CSCS™ program addresses PCI DSS, FISMA, ISO 27001/27002 and other security regulations and standards. Pabrai is a proud member of the U.S. FBI InfraGard.



Copyright © 2010 Pabrai.com