
Privacy, Security and Data Exchange Committee

Forthcoming Privacy and Security Changes under ARRA

The American Recovery and Reinvestment Act (ARRA) of 2009 (also known as the Stimulus Act) mandates several changes to health information privacy and security, both for HIPAA covered entities and for some non-covered entities, such as personal health record vendors, that are or will be partners in health care. Many of these changes require further definition and clarification, which will come as rules and guidance scheduled for issue over the next several years. These rules and regulations will help equalize the privacy and security requirements for covered and non-covered entities, and provide greater specificity on a variety of HIPAA privacy and security terms and provisions to assure more uniform protections across entities. The recently released breach notification rules were the first of more than 12 additional rules and regulations required under ARRA. Topics that will be clarified and further addressed include the enforcement process and penalties, de-identification, minimum necessary, appropriate security safeguards, and accounting of disclosures.

The regulations and guidance to be issued are listed, along with the date due, in the table below. The table comes from the Office of the National Coordinator for Health Information Technology’s (ONC) ARRA Health Information Technology (HIT) Plan, available at:
http://www.hhs.gov/recovery/reports/plans/onc_hit.pdf

Links for regulations already released:

  • Establishment of the Permanent Certification Program for Health Information Technology (HIT), from ONC/HHS, is the final rule that sets up a permanent program to authorize organizations to test and certify EHRs and EHR modules to verify conformance to federal requirements for "certified EHR technology". The rule describes the application process and requirements for certifying bodies, and establishes long-term accreditation requirements for those bodies. ONC site: http://healthit.hhs.gov/portal/server.pt?open=512&objID=2884&parentname=CommunityPage&parentid=357&mode=2&in_hi_userid=12059&cached=true; the rule: http://edocket.access.gpo.gov/2011/pdf/2010-33174.pdf.
  • HIPAA Privacy Rule Accounting of Disclosures Under HITECH, from OCR, revises some aspects of, and provides greater specificity for, the HIPAA disclosure accounting provisions. The proposed rule requires an accounting of more detailed information for certain disclosures that are most likely to affect a person's rights or interests, including those for treatment, payment, and health care operations. The rule also allows an individual to request an access report, drawn from system audit logs, that documents anyone who electronically accessed and viewed their PHI. http://www.gpo.gov/fdsys/pkg/FR-2011-05-31/pdf/2011-13297.pdf

  • The HIPAA Breach Notification Interim Final Rule, from OCR/HHS, applies to HIPAA covered entities: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/breachnotificationifr.html.
  • The Health Breach Notification Rule, from the FTC, applies to non-HIPAA covered entities such as vendors of personal health records (PHRs): http://www.ftc.gov/healthbreach/.
  • The HITECH Act Enforcement Interim Final Rule strengthens HIPAA enforcement and establishes specific categories of violations with escalating penalties based on increasing levels of culpability. OCR enforcement site: http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/hitechenforcementifr.html; the Rule is at http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/enfifr.pdf.
  • The Medicare and Medicaid Programs Electronic Health Record Incentive Program, from CMS, is a proposed rule outlining the requirements for a funding program to assist Medicare- and Medicaid-eligible providers in purchasing and implementing EHR technologies. This rule also includes the criteria and measures for meaningful use. http://edocket.access.gpo.gov/2010/E9-31217.htm
  • The Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, from ONC/HHS, is an interim final rule establishing the first set of standards, certification criteria, and technology capabilities required of an EHR for it to qualify as meeting the meaningful use criteria. Providers applying for the EHR Incentive Program must purchase and implement EHR technologies that incorporate and meet these standards and criteria. http://edocket.access.gpo.gov/2010/E9-31216.htm
  • Modifications to the HIPAA Privacy, Security, and Enforcement Rules under the Health Information Technology for Economic and Clinical Health Act, from OCR/HHS, is a proposed rule that implements the changes to HIPAA privacy and security established in the Health Information Technology for Economic and Clinical Health Act (HITECH) of ARRA. Changes include extending direct applicability of the rules to business associates, increasing enforcement penalties, prohibiting the sale of PHI, and making certain changes to patient access to PHI. http://edocket.access.gpo.gov/2010/pdf/2010-16718.pdf

It will be extremely important for public health and other public sector health programs to read and comment on these rules and regulations to ensure that public health needs are taken into account, as many of these topics directly impact public sector health programs. Comment timeframes will be short (60 days). The Privacy, Security and Data Exchange (PSDE) Committee plans to set up calls to discuss these rules as they are released, to identify any concerns of public health and our member community that should be sent forward as comments. Interested parties should sign up for the PSDE listserv to be notified of these calls.

Timeline

In the original table, highlighted rows denoted items that had already been published or released; that highlighting is not reproduced here.

DESCRIPTION | DATE(S) | PURPOSE | RESPONSIBLE AGENCY
----------- | ------- | ------- | ------------------
For breach notification purposes, issue guidance specifying the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals | April 18, 2009; annual updates | Required guidance under Section 13402 | ONC in collaboration with OCR and CMS
Issue interim final regulations to implement breach notification for HIPAA covered entities and business associates | April 18, 2009 | Issue regulation under Section 13402 | OCR and FTC
Issue regulations to define Meaningful Use | December 31, 2009; additional dates for major phases may be forthcoming | Issue criteria and regulation under §4102 | CMS in collaboration with ONC
Issue regulations to modify the HIPAA Enforcement Rule to implement revised penalty structure | February 18, 2010 | Issue regulation under Section 13410 | OCR in collaboration with CMS
Issue regulations to extend certain HIPAA Security Rule provisions to business associates | February 18, 2010 | Issue regulation under Section 13401 | CMS
Issue guidance on technical safeguards to carry out security | February 18, 2010; annual updates | Required guidance under Section 13401 | CMS in collaboration with ONC
Report to Congress on breaches for which notice was provided to the Secretary | February 18, 2010; and annually thereafter | Issue report to Congress under Section 13402 | OCR
Issue regulations to extend certain HIPAA Privacy Rule provisions to business associates | February 18, 2010 | Issue regulation under Section 13404 | OCR
Issue regulations to modify the HIPAA Privacy Rule's provisions regarding right to request restrictions, minimum necessary, access | February 18, 2010 | Issue regulation under Section 13405 | OCR
Issue regulations to modify the HIPAA Privacy Rule's provisions regarding marketing and fundraising | February 18, 2010 | Issue regulation under Section 13406 | OCR
Issue regulations to clarify that certain entities are HIPAA business associates | February 18, 2010 | Issue regulation under Section 13408 | OCR
Report to Congress on HIPAA Privacy and Security Compliance | February 18, 2010; and annually thereafter | Issue report to Congress under Section 13424 | OCR and CMS
Study and report to Congress on privacy and security requirements for entities that are not HIPAA covered entities or business associates | February 18, 2010 | Issue report to Congress under Section 13424 | ONC in collaboration with OCR, CMS, and FTC
Issue guidance on the HIPAA Privacy Rule's requirements for de-identification | February 18, 2010 | Issue guidance as required under Section 13424 | OCR in collaboration with ONC
Study the HIPAA Privacy Rule's definition of "psychotherapy notes" with regard to including certain test data and mental health evaluations | February 18, 2010 | Issue guidance as required under Section 13424 | OCR in collaboration with SAMHSA
Issue regulations to modify the HIPAA Privacy Rule's accounting of disclosures provisions | June 18, 2010 | Issue regulation under Section 13405 | OCR
Issue guidance on what constitutes "minimum necessary" for purposes of the HIPAA Privacy Rule | August 18, 2010 | Issue guidance as required under Section 13405 | OCR
Issue regulations to modify the HIPAA Enforcement Rule to implement willful neglect provisions | August 18, 2010 | Issue regulation under Section 13410 | OCR in collaboration with CMS
Issue regulations to modify the HIPAA Privacy Rule to generally prohibit exchanging health information for remuneration without individual authorization | August 18, 2010 | Issue regulation under Section 13405 | OCR
Issue regulations to modify the HIPAA Enforcement Rule to implement willful neglect provisions for sharing civil money penalties or settlements with harmed individuals | February 18, 2012 | Issue regulation under Section 13410 | OCR in collaboration with CMS