
Tuesday, September 4, 2012

45 CFR 164.308 and HIT vendors

ARRA/HITECH Sec. 13401. Application of Security Provisions and Penalties to Business Associates of Covered Entities; Annual Guidance on Security Provisions.

(a) Application of Security Provisions.—Sections 164.308, 164.310, 164.312, and 164.316 of title 45, Code of Federal Regulations, shall apply to a business associate of a covered entity in the same manner that such sections apply to the covered entity. The additional requirements of this title that relate to security and that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporated into the business associate agreement between the business associate and the covered entity.

(b) Application Of Civil And Criminal Penalties.—In the case of a business associate that violates any security provision specified in subsection (a), sections 1176 and 1177 of the Social Security Act (42 U.S.C. 1320d–5, 1320d–6) shall apply to the business associate with respect to such violation in the same manner such sections apply to a covered entity that violates such security provision.

(c) Annual Guidance.—For the first year beginning after the date of the enactment of this Act and annually thereafter, the Secretary of Health and Human Services shall, after consultation with stakeholders, annually issue guidance on the most effective and appropriate technical safeguards for use in carrying out the sections referred to in subsection (a) and the security standards in subpart C of part 164 of title 45, Code of Federal Regulations, including the use of standards developed under section 3002(b)(2)(B)(vi) of the Public Health Service Act, as added by section 13101 of this Act, as such provisions are in effect as of the date before the enactment of this Act.

§160.103 Definitions

Business Associate:
(1) Except as provided in paragraph (2) of this definition, business associate means, with respect to a covered entity, a person who:

(i) On behalf of such covered entity or of an organized health care arrangement (as defined in §164.501 of this subchapter) in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, performs, or assists in the performance of:

(A) A function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing; or

(B) Any other function or activity regulated by this subchapter; or

(ii) Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation (as defined in §164.501 of this subchapter), management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of individually identifiable health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.

(2) A covered entity participating in an organized health care arrangement that performs a function or activity as described by paragraph (1)(i) of this definition for or on behalf of such organized health care arrangement, or that provides a service as described in paragraph (1)(ii) of this definition to or for such organized health care arrangement, does not, simply through the performance of such function or activity or the provision of such service, become a business associate of other covered entities participating in such organized health care arrangement.

(3) A covered entity may be a business associate of another covered entity.

HIPAA §164.308 Administrative safeguards.
(a) A covered entity must, in accordance with §164.306:

(1) (i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.

(ii) Implementation specifications:

(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

(B) Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a).

(C) Sanction policy (Required). Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.

(D) Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

(2) Standard: Assigned security responsibility. Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the entity.

(3) (i) Standard: Workforce security. Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information...

HIPAA / Meaningful Use security compliance: it's not just for EPs and EHs any more.

I've been reviewing the text of the HIPAA/HITECH Omnibus Rule, frustrated that some federal entity has reeled it back in from final release after it had been sent to OMB. As noted on (it may be firewalled; I am a subscriber):

We have seen substantial delay in publication of the long-awaited HIPAA/HITECH Omnibus Final Rule, sometimes affectionately referred to as the “Mega Rule.” Health Data Management reported on June 6 of this year that Farzad Mostashari, national coordinator for health information technology, had said that the HIPAA Mega rule, which will include modifications to the privacy and security rule, breach notification and enforcement, “should” be published by “the end of summer.” After previous disappointments and delays in regulations in other contexts from the U.S. Department of Health and Human Services, however, it may be noteworthy that Mr. Mostashari was said to have used the word “should,” and did not specify the summer of what year, e.g., 2012, 2013, 2014, etc.

Now there has been some scuttlebutt that the Mega Rule may not surface until after Election Day, November 6, 2012, perhaps because of concerns about potential political implications...

"After Election Day?" Why should I be surprised? They're all afraid of the potential re-election blowback, I guess.

Whatever. HITECH Sec 13401 et seq are pretty clear. Vendors are in fact BAs to CEs (given that they necessarily routinely have access to CEs' PHI), and, as such, are bound by the Security Rule and everything it entails of relevance. I was assisting a clinic this morning with some MU Core Measures items, and watched as the O.M. got Support on the phone and gave him VPN entry into their server.

I intend to press the point. It's not a popularity contest for me. It's really no "contest."

August 5th quickie a.m. update

Really nice HITRC Privacy & Security CoP presentation yesterday by Sharon Bari of NYeC.

Very nicely done. Issues having to do with 42 CFR 2. Difficult area.

Latest Round Of Health IT Regs Will Be Topic Of Capitol Hill Hearing

CQ HealthBeat: Next Stage Of Meaningful Use Regulations Drawing Hill Scrutiny. Consumer advocates are giving good marks to the latest round of federal rules designed to spur the use of information technology to improve the quality and efficiency of health care. Hospitals and vendors? Not so much — but each for different reasons. For their part, lawmakers haven't had much to say so far, but at least one House committee may hold a hearing later this month to review the rulemaking program, which aims to promote the "meaningful use" of health IT by paying providers who employ the technology higher Medicare and Medicaid payments and paying less to providers who don't (Reichard, 9/4).
The full article is firewalled at CQ HealthBeat.

A sales rep told me their subscriptions start at $2,500. No sale, bro'. That's public information, basically. I'll find it (I already emailed my Congressman).

I got a phone call today from Ryan McBride, one of my Congressman's aides (Dr. Joe Heck, R-NV). We had a great chat. Ryan gave me his email address, and promised to keep me in the loop should a hearing be scheduled.

I offered to come to DC on my own dime and testify at such a hearing, from a front-line HIT/Meaningful Use grunt POV.


September 4, 2012

Marilyn B. Tavenner
Acting Administrator
Centers for Medicare & Medicaid Services
U.S. Department of Health and Human Services
Hubert H. Humphrey Building, Room 445-G
200 Independence Ave SW
Washington, DC 20201

RE: Medicare Program; Payment Policies under the Physician Fee Schedule and Other Revisions to Part B for CY 2013

Dear Administrator Tavenner:

...CMS anticipates, barring changes to current law, an approximate 27 percent cut in physician payment rates for 2013 under the sustainable growth rate (SGR) methodology. The 27 percent rate cut is based on a March 2012 analysis from CMS. This massive cut will have catastrophic consequences on medical group practices and the patients they serve. Although Congress has repeatedly taken action to override most of the SGR’s prescribed fee schedule reductions, these temporary “fixes” have increased both the size of future cuts and the cost of repealing the flawed payment system. As a consequence, the frequent need to override increasingly steeper cuts is undermining confidence in the Medicare program and jeopardizing the financial stability of medical practices. The current environment is forcing group practices to make operational changes that severely challenge their ability to provide quality care to Medicare beneficiaries...

  • MGMA urges CMS to use its regulatory authority to deem all physicians that meet meaningful use requirements (and therefore electronically prescribe and report clinical quality measures under that program) as also successfully meeting all e-prescribing and PQRS requirements in each corresponding performance year. Eligible professionals (EPs) that successfully meet the meaningful use requirements should automatically earn the bonus for PQRS and avoid penalties for both e-prescribing and PQRS.
  • MGMA objects to imposing financial penalties on physician practices for unsuccessfully participating in incentive or quality reporting programs, such as e-prescribing, PQRS and the value-based payment modifier. If penalties must exist, the government should only apply them after taking into account performance during the relevant year, rather than previous years...
Sixteen pages of articulate detail. Some of it is pretty arcane even to me, but, yes, there's too much going on all at once. Add in all of CMS 5010, PQRS, Stage 2, ICD-10, the gamut of CMS QIO initiatives, well, we run the risk of burning clinicians out.

ONC CERTIFIED EHRs, as of Sept 5th 2012

We extracted all 2011-2012 EHR Certs to date from the CHPL site (they don't make it easy) and whacked on them in Excel briefly (.xls). There are 5 tabs, a couple of them simple pivot tables summarizing Cert product counts by vendor (modular and complete aggregated by Outpt/Inpt for now -- and, Cerner is far and away the Big Dog here, both ambulatory and inpatient).

Had we a SAS account we'd have ground this stuff up 16 ways to Sunday by now. We gotta get up to speed on the "R Language".

So, let's see 1,295 complete outpatient systems alone to date, times the average Cert fee:

~$44.4 million.


$6.6 billion thus far.

In other words, 10x the entire 4-year REC funding potential. I have to think we've added value.



Best Care at Lower Cost: The Path to Continuously Learning Health Care in America

381 pages of more light bedtime reading. I mounted a copy here (5 MB), and annotated it with PDF "yellow highlighter" first-pass markups on a number of keywords/phrases, e.g.,
  • Electronic medical record(s)
  • Electronic health record(s)
  • Meaningful use
  • Health information exchange(s)
  • Workflow(s)
  • Affordable Care Act
  • Six Sigma
  • Lean
  • PDSA
  • Regional extension center(s) -- no hits, sadly
Just getting started in review.


Cute logo. They hooked up with me via Twitter. Not sure exactly what they do.


Federal Privacy Officer Offers Insights

Article and mp3 Interview (10:28) with ONC's Joy Pritts.
I emailed her regarding the Security Rule 164.308 concerns I expressed at the outset of this post. Be very interested in her response. She is, after all, an attorney.

“Established technology is being given a federally funded new lease on life. Traditional health software now is on Medicare, being kept alive like grandma.” [It's a] “cash for clunkers program for health IT.”

“I know of no industry where technology is as despised as it is in health care. It’s a statement that it took government money to incentivize healthcare providers to finally do what virtually every other industry has done.”
- AthenaHealth CEO Jonathan Bush


And, in other Nevada HIT news regarding how this stuff is actually beginning to get done:
HealtHIE Nevada Provides eHGT's eHealth Image Exchange Capability to Community-Based Health Information Exchange Users
Steinberg Diagnostic leads, reducing costly duplicate exams and unnecessary radiation exposure for patients

(Sept 8th)

Yeah, but, I'm a newbie "Tweep" myself, only been actively doing it a couple of months as well. These Things Take Time.


More to come...
