Forthcoming Privacy and Security Changes under ARRA
The American Recovery and Reinvestment Act (ARRA) of 2009 (also known as the Stimulus Act) mandates several changes to health information privacy and security, both for HIPAA covered entities and for some non-covered entities, such as personal health record vendors, who are or will be partners in health care. Many of these changes require further definition and clarification, which will come as rules and guidance scheduled for issue over the next several years. These rules and regulations will help equalize the privacy and security requirements for covered and non-covered entities, and provide greater specificity on a variety of HIPAA privacy and security terms and provisions to assure more uniform protections across entities. The recently released breach notification rules were the first of more than 12 additional rules and regulations required under ARRA. Topics that will be clarified and further addressed include the enforcement process and penalties, de-identification, minimum necessary, appropriate security safeguards, and accounting of disclosures.
The regulations and guidance to be issued are listed, along with the date due, in the table below. The table comes from the Office of the National Coordinator for Health Information Technology’s (ONC) ARRA Health Information Technology (HIT) Plan, available at:
http://www.hhs.gov/recovery/reports/plans/onc_hit.pdf
Links for regulations already released:
- Establishment of the Permanent Certification Program for Health Information Technology (HIT), from ONC/HHS, is the final rule that sets up a permanent program to authorize organizations to test and certify EHRs and EHR modules to verify conformance to federal requirements for "certified EHR technology". The rule describes the application process and requirements for certifying bodies, and establishes long-term accreditation requirements for those bodies. ONC site: http://healthit.hhs.gov/portal/server.pt?open=512&objID=2884&parentname=CommunityPage&parentid=357&mode=2&in_hi_userid=12059&cached=true; the rule is at http://edocket.access.gpo.gov/2011/pdf/2010-33174.pdf.
- HIPAA Privacy Rule Accounting of Disclosures Under HITECH, from OCR, revises some aspects of and provides greater specificity for the HIPAA disclosure accounting provisions. The proposed rule requires an accounting of more detailed information for certain disclosures that are most likely to affect a person’s rights or interests, including those for treatment, payment, and health care operations. The rule also allows an individual to request an access report, which draws from system audit logs and documents anyone who electronically accessed and viewed their PHI. The proposed rule is at http://www.gpo.gov/fdsys/pkg/FR-2011-05-31/pdf/2011-13297.pdf.
- The HIPAA Breach Notification Interim Final Rule, from OCR/HHS, applies to HIPAA covered entities: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/breachnotificationifr.html.
- The Health Breach Notification Rule, from the FTC, applies to non-HIPAA covered entities such as vendors of personal health records (PHRs): http://www.ftc.gov/healthbreach/.
- The HITECH Act Enforcement Interim Final Rule strengthens HIPAA enforcement and establishes specific categories of violations with escalating penalties based on increasing levels of culpability. OCR enforcement site: http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/hitechenforcementifr.html; the Rule is at http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/enfifr.pdf.
- The Medicare and Medicaid Programs Electronic Health Record Incentive Program, from CMS, is a proposed rule outlining the requirements for a funding program to assist Medicare- and Medicaid-eligible providers to purchase and implement EHR technologies. This rule also includes the criteria and measures for meaningful use. http://edocket.access.gpo.gov/2010/E9-31217.htm
- The Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, from ONC/HHS, is an interim final rule establishing the first set of standards, certification criteria, and technology capabilities required of an EHR that qualifies it as meeting the meaningful use criteria. Providers applying for the EHR Incentive Program must purchase and implement EHR technologies that incorporate and meet these standards and criteria. http://edocket.access.gpo.gov/2010/E9-31216.htm
- Modifications to the HIPAA Privacy, Security, and Enforcement Rules under the Health Information Technology for Economic and Clinical Health Act, from ONC/HHS, is a proposed rule that implements the changes to HIPAA privacy and security established in the Health Information Technology for Economic and Clinical Health Act (HITECH) of ARRA. Changes include extending direct applicability of the rules to business associates, increasing enforcement penalties, prohibiting sales of PHI, and certain changes to patient access to PHI. http://edocket.access.gpo.gov/2010/pdf/2010-16718.pdf
It will be extremely important for public health and other public sector health programs to read and comment on these rules and regulations to ensure that public health needs are taken into account, as many of these topics directly impact public sector health programs. Comment timeframes will be short (60 days). The Privacy, Security and Data Exchange (PSDE) Committee plans to set up calls to discuss these rules as they are released, to identify any concerns for public health and our member community that should be sent forward as comments. Interested parties should sign up for the PSDE listserv to be notified of these calls.
Timeline
In the table below, the rows highlighted denote items that have already been published or released.
| DESCRIPTION | DATE(S) | PURPOSE | RESPONSIBLE AGENCY |
|---|---|---|---|
| For breach notification purposes, issue guidance specifying the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals | April 18, 2009; annual updates | Required guidance under Section 13402 | ONC in collaboration with OCR and CMS |
| Issue interim final regulations to implement breach notification for HIPAA covered entities and business associates | April 18, 2009 | Issue regulation under Section 13402 | OCR and FTC |
| Issue regulations to define Meaningful Use | December 31, 2009. Additional dates for major phases may be forthcoming. | Issue criteria and regulation under §4102 | CMS in collaboration with ONC |
| Issue regulations to modify the HIPAA Enforcement Rule to implement revised penalty structure | February 18, 2010 | Issue regulation under Section 13410 | OCR in collaboration with CMS |
| Issue regulations to extend certain HIPAA Security Rule provisions to business associates | February 18, 2010 | Issue regulation under Section 13401 | CMS |
| Issue guidance on technical safeguards to carry out security | February 18, 2010; annual updates | Required guidance under Section 13401 | CMS in collaboration with ONC |
| Report to Congress on breaches for which notice was provided to the Secretary | February 18, 2010; and annually thereafter | Issue report to Congress under Section 13402 | OCR |
| Issue regulations to extend certain HIPAA Privacy Rule provisions to business associates | February 18, 2010 | Issue regulation under Section 13404 | OCR |
| Issue regulations to modify the HIPAA Privacy Rule’s provisions regarding right to request restrictions, minimum necessary, access | February 18, 2010 | Issue regulation under Section 13405 | OCR |
| Issue regulations to modify the HIPAA Privacy Rule’s provisions regarding marketing and fundraising | February 18, 2010 | Issue regulation under Section 13406 | OCR |
| Issue regulations to clarify that certain entities are HIPAA business associates | February 18, 2010 | Issue regulation under Section 13408 | OCR |
| Report to Congress on HIPAA Privacy and Security Compliance | February 18, 2010 and annually thereafter | Issue report to Congress under Section 13424 | OCR and CMS |
| Study and report to Congress on privacy and security requirements for entities that are not HIPAA covered entities or business associates | February 18, 2010 | Issue report to Congress under Section 13424 | ONC in collaboration with OCR, CMS, and FTC |
| Issue guidance on the HIPAA Privacy Rule’s requirements for de-identification | February 18, 2010 | Issue guidance as required under Section 13424 | OCR in collaboration with ONC |
| Study the HIPAA Privacy Rule’s definition of “psychotherapy notes” with regard to including certain test data and mental health evaluations | February 18, 2010 | Issue guidance as required under Section 13424 | OCR in collaboration with SAMHSA |
| Issue regulations to modify the HIPAA Privacy Rule’s accounting of disclosures provisions | June 18, 2010 | Issue regulation under Section 13405 | OCR |
| Issue guidance on what constitutes “minimum necessary” for purposes of the HIPAA Privacy Rule | August 18, 2010 | Issue guidance as required under Section 13405 | OCR |
| Issue regulations to modify the HIPAA Enforcement Rule to implement willful neglect provisions | August 18, 2010 | Issue regulation under Section 13410 | OCR in collaboration with CMS |
| Issue regulations to modify the HIPAA Privacy Rule to generally prohibit exchanging health information for remuneration without individual authorization | August 18, 2010 | Issue regulation under Section 13405 | OCR |
| Issue regulations to modify the HIPAA Enforcement Rule to implement willful neglect provisions for sharing civil money penalties or settlements with harmed individuals | February 18, 2012 | Issue regulation under Section 13410 | OCR in collaboration with CMS |