Search the KHIT Blog

Thursday, January 17, 2013

HIPAA Omnibus Final Rule FINALLY released

563 page PDF here.
Costs and benefits
This final rule is anticipated to have an annual effect on the economy of $100 million or more, making it an economically significant rule under Executive Order 12866. Accordingly, we have prepared a Regulatory Impact Analysis that presents the estimated costs and benefits of the proposed rule. The total cost of compliance with the rule’s provisions is estimated to be between $114 million and $225.4 million in the first year of implementation and approximately $14.5 million annually thereafter. Costs associated with the rule include: (i) costs to HIPAA covered entities of revising and distributing new notices of privacy practices to inform individuals of their rights and how their information is protected; (ii) costs to covered entities related to compliance with breach notification requirements; (iii) costs to a portion of business associates to bring their subcontracts into compliance with business associate agreement requirements; and (iv) costs to a portion of business associates to achieve full compliance with the Security Rule.
...We are not able to quantify the benefits of the rule due to lack of data and the impossibility of monetizing the value of individuals’ privacy and dignity, which we believe will be enhanced by the strengthened privacy and security protections, expanded individual rights, and improved enforcement enabled by the rule. We also believe that some entities affected by the rule will realize cost savings as a result of provisions that simplify and streamline certain requirements, and increase flexibility, under the HIPAA Rules. However, we are unable to quantify such cost savings due to a lack of data...

I had to split it up into two 1" comb binders. And, off we go...
ii. Summary of Major Provisions

 This omnibus final rule is comprised of the following four final rules:

1. Final modifications to the HIPAA Privacy, Security, and Enforcement Rules mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act, and certain other modifications to improve the Rules, which were issued as a proposed rule on July 14, 2010. These modifications:

  • Make business associates of covered entities directly liable for compliance with certain of the HIPAA Privacy and Security Rules’ requirements.
  • Strengthen the limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibit the sale of protected health information without individual authorization.
  • Expand individuals’ rights to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full.
  • Require modifications to, and redistribution of, a covered entity’s notice of privacy practices.
  • Modify the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools, and to enable access to decedent information by family members or others.
  • Adopt the additional HITECH Act enhancements to the Enforcement Rule not previously adopted in the October 30, 2009, interim final rule (referenced immediately below), such as the provisions addressing enforcement of noncompliance with the HIPAA Rules due to willful neglect.
2. Final rule adopting changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act, originally published as an interim final rule on October 30, 2009.

3. Final rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act, which replaces the breach notification rule’s “harm” threshold with a more objective standard and supplants an interim final rule published on August 24, 2009.

4. Final rule modifying the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA) to prohibit most health plans from using or disclosing genetic information for underwriting purposes, which was published as a proposed rule on October 7, 2009

Revised NPPs (Notice of Privacy Practices), ~$90 per CE, cost of BAAs and Security Rule BA compliance, hard to say. Nominal average about $345, but (just as with CEs, really), it's a lumpy distribution.

...The director for the Office of Civil Rights at HHS, Leon Rodriguez, called the rule changes "the most sweeping changes (to the HIPAA Privacy and Security rules) since they were first implemented," and given that the rule changes cover fully 563 pages, it's a safe bet that Rodriguez may not be indulging in hyperbole in this. The official publication of the new rule is set to hit January 25, with an effective date of March 26, and a compliance date of September 21, likely to provide time enough to make the necessary system changes to accommodate the rules.
Given that the original HIPAA passed 15 years ago, it's safe to say that some changes were likely necessary. 15 years ago, after all, the Internet was only just getting started in a lot of places, and many were still working with dial-up Internet access, so the landscape has certainly changed to a degree that requires some modification of rules. But at the same time, it's not hard to look at this novel of rule changes--563 pages would take several days just to read--and think that maybe we're going a little overboard. The pressures on the healthcare sector are already massive, and some reports indicate that physicians are actually looking to get out of the medical industry altogether due to increasing quantities of red tape, so maybe the whole thing is going a bit far...
The final rule adopts the proposal to amend § 164.508(b)(3)(i) and (iii) to allow a
covered entity to combine conditioned and unconditioned authorizations for research, provided that the authorization clearly differentiates between the conditioned and unconditioned research components and clearly allows the individual the option to opt in to the unconditioned research activities. We intend this provision to allow for the use of compound authorizations for any type of research activities, and not solely to clinical trials and biospecimen banking, except to the extent the research involves the use or disclosure of psychotherapy notes. For research that involves the use or disclosure of psychotherapy notes, an authorization for a use or disclosure of psychotherapy notes may only be combined with another authorization for a use or disclosure of psychotherapy notes. See § 164.508(b)(3)(ii).
Why might the foregoing be of interest?

Ask her parents.

The word "psychotherapy" appears 17 times* throughout the FR. Still assimilating the import.

The point, should you not get it, goes to whether Sandy Hook could have been prevented. Do HIPAA and 42 CFR 2 et al and equivalent (and HIPAA-superceding) state laws and regs put lives materially at risk?

Tough one.

* UPDATE: the word "breach" appears 437 times, the phrase "breach notification" 143 times. The phrase "risk assessment is found 51 times, and the phrase "policies and procedures" 35 times. Also,
  • "compliance," 297 hits;
  • "violation(s)," 291 hits;
  • "penalty," 140 hits;
  • "penalties," 47 hits;
  • "enforcement," 110 hits.
and so on. Like I said, I like to initially zero in on keywords and phrases ("cut to the chase") and review the immediate context surrounding each find. You find that a lot of the verbiage simply goes to comments and responses, followed in each subsection by the setting forth of the "Final rule" for each point of regulation. The comments and responses are certainly interesting, but the rulings are what count as priorities.

Here's an interesting little snippet:
As we have stated in prior guidance, a conduit transports information but does not access it other than on a random or infrequent basis as necessary to perform the transportation service or as required by other law. For example, a telecommunications company may have occasional, random access to protected health information when it reviews whether the data transmitted over its network is arriving at its intended destination. Such occasional, random access to protected health information would not qualify the company as a business associate.  In contrast, an entity that requires access to protected health information in order to perform a service for a covered entity, such as a Health Information Organization that manages the exchange of protected health information through a network on behalf of covered entities through the use of record locator services for its participants (and other services), is not considered a conduit and, thus, is not excluded from the definition of business associate. We intend to issue further guidance in this area as electronic health information exchange continues to evolve.

That latter characterization certainly describes my HealtHIE Nevada HIE. Be interesting to see what comprises "further guidance" down the line.

We are a health information organization that brings together health care stakeholders within a defined geographic area and governs health information exchanges among them for the purpose of improving health and care in the community.

Our vision is to provide secure electronic health information to health care providers to have ready, seamless access to patient health information to support clinical decisions and care coordination for the residents of the Upper Peninsula.
Nice. "The Yoo-Pee" holds a special place in my heart.

apropos of HIE, HRBA

Ran into this organization today (Monday, the 21st, reporting from Walnut Creek), cited in my LinkedIn HIMSS Group:

By providing a safe, secure location to automatically store all your health records, Health Record Banks are community organizations that put you in charge of all your personal, private health information. 
Why are They Needed?Today, whenever you seek care, a record is left behind. Until now, there hasn't been a secure, unified location to store these records so that they can all be used to help guide your care. 
How Do Health Record Banks Work?When you seek care, you give permission for your healthcare professional to access some or all of your up-to-date health records via a secure connection. When care is complete, the new records from that visit are securely deposited—and made available for the future...
Well, yeah, we would hope. More to research on this outfit, courtesy of See
Has HIE become “an unmitigated disaster”? 
The current work being done to facilitate health information exchange among healthcare organizations and providers is an “unmitigated disaster” falling short of supporting healthcare reform, according the President of the Health Record Banking Alliance (HRBA). “The current approach to HIEs does not and will not work. If we want to succeed, we must try something else,” writes HRBA President William Yasnoff, MD, PhD, in a recent contribution to NHINWatch...

Well, I've read the HRBA "White Papers," and have some concerns regarding the dearth of detail therein. Also, reading the word "bank" in relation to health information gives me pause. Maybe it was my subprime risk management experience.

I also have to take issue with the HIE "unmitigated disaster" allusion. Maybe some HIEs are, but I don't think that that's broadly the case.


Mostashari: ONC is more than meaningful use, health IT cheerleader 
Author Name Kyle Murphy, PhD   |   Date January 22, 2013 
The head of the Office of the National Coordinator for Health Information Technology (ONC), Farzad Mostashari, MD, ScM, has respondent a recent news story that characterized the federal agency as primarily a cheerleader for health IT...
Interesting. Original article here.
EHR Vendors Join Chorus Against Federal Deadlines 
Neil Versel 
Now even some vendors of electronic health records (EHRs) are starting to wonder whether the Meaningful Use incentive program is moving too fast. 
The HIMSS EHR Association (EHRA), a group of 40 vendors convened by the Healthcare Information and Management Systems Society (HIMSS), last week asked the U.S. Department of Health and Human Services (HHS) to delay the start of Meaningful Use Stage 3 until three years after a participating provider reaches Stage 2 -- no earlier than 2017. HHS pushed the start of Stage 2 back a year in response to industry-wide concern about the short timetable 
In comments submitted to HHS about Stage 3, the software developers also called on federal officials to shift the focus to interoperability of healthcare information rather than ask providers and their vendors to add capabilities to their EHR systems...
More to come...

1 comment:

  1. This is my first time i visit here. I found so many entertaining stuff in your blog, especially its discussion. From the tons of comments on guild wars 2 leveling, swtor credits, aion kinah your articles, I guess I am not the only one having all the leisure here! Keep up the good work.