The waiting game continues for providers and vendors alike who are wondering how to comply with the new data breach notification requirements, along with the other changes to Health Insurance Portability and Accountability Act (HIPAA) security and privacy rules governing protected health information.
Attendees at last week's three-day Eighteenth National HIPAA Summit heard from policymakers, privacy experts and medical professionals, but they did not hear the one thing everyone is waiting for: the date when the final rules and guidance for the federal data breach notification provisions in the American Recovery and Reinvestment Act of 2009 (ARRA) will be released.
Under the Health Information Technology for Economic and Clinical Health (HITECH) Act within ARRA, interim final rules issued by the Department of Health & Human Services (HHS) and the Federal Trade Commission (FTC) last summer outlined how covered entities, such as providers and payers, and their business associates, such as third-party vendors, will be required to notify patients in a timely manner about data breaches. Some of the privacy and security provisions, which are new for HIPAA, go into effect this month, but the promised final versions of the data breach rules were not announced during the summit, as some had hoped. Typically, an interim final rule is followed by a final rule after a comment period of about two months.
David Blumenthal, a physician who heads the Office of the National Coordinator for Health Information Technology, spoke broadly about health IT and the HITECH Act as a framework for implementing the meaningful use of IT. He noted that while adoption of health IT continues to lag, more physicians are using electronic health records (EHR). “It may be we’re starting to see the up-slope,” he said.
Data breach ‘harm threshold’ at issue
Still, many are looking for specifics about the HIPAA security and privacy components of the HITECH Act framework. There are two major sticking points for stakeholders, according to several summit presenters: the lack of clarity in the new provisions regarding business associate agreements, and uncertainty about whether covered entities and their business associates are allowed to apply a harm threshold before deciding whether to notify patients about a data breach.
HHS established the harm threshold in its interim final rule by writing that covered entities must notify patients of a breach only if they determine that the breach has resulted in, or poses a significant risk of, harm to the individual; a breach judged to carry no such risk need not be reported. The FTC did not create a harm threshold in its companion rule for personal health record vendors. Members of Congress voiced their concern over the threshold, saying they did not intend to create such a step when the stimulus law was written. In a letter to HHS, several members of Congress asked the department to remove the harm threshold before producing the final version of the data breach rule.
Providers and others in the industry welcome the harm threshold, however, and are urging the federal health department to keep it in the final rule, said James Wieland, principal and chair of the health IT practice at Ober, Kaler, Grimes & Shriver, in Baltimore, during a summit presentation. “I fervently hope that it does,” he said. It will make the notices that do get sent mean something, he added, provided that “we don’t turn them into junk mail.”
A November report by the Healthcare Information and Management Systems Society’s (HIMSS) analytics organization, entitled “Evaluating HITECH’s Impact on Healthcare Privacy and Security,” found that hospitals are experiencing more data security breaches. Not all of those breaches amount to any harm to patients, Wieland said. For example, a disclosed statement that includes a patient’s name along with the name of the hospital at which services were rendered, but not the specific nature of those services, might not rise to the level of a reportable breach.
New HIPAA security mandates cover business associates
In addition to the harm threshold, stakeholders must pay closer attention to the interactions between covered entities and business associates for compliance with the data breach notification rules. Previously, business associates were bound to HIPAA security requirements only through their contracts with covered entities; the HITECH Act changed that, and business associates now must comply with the Security Rule's administrative, physical and technical safeguards directly, as if they were covered entities.
But the language of the HITECH Act -- that the new privacy and security provisions “shall be incorporated” into agreements between covered entities and business associates -- has left organizations wondering whether they have to rewrite their contracts, or whether the statutory language alone is enough, said Joseph McClure, regulatory and compliance principal at Revenue Cycle Solutions Inc. in Westchester, Ill. “Until we get the rules, we don’t really know what that means,” he said.
Revenue Cycle Solutions, a unit of Siemens Healthcare, is waiting to see what the final rule will say regarding what covered entities and business associates have to do with their contracts, McClure said. “We have hundreds and hundreds of business associate relationships,” he said.
Business associates -- organizations such as health information exchanges, personal health record vendors and electronic prescribing gateways -- need to establish policies and procedures for handling security breaches, said Rebecca Williams, a registered nurse and partner in the Seattle office of Davis Wright Tremaine LLP.
While the industry waits for more guidance from HHS on how to ensure everyone is in compliance, covered entities and business associates can review their existing agreements and clarify who is responsible for detecting, investigating and reporting a breach. “We need communication between the business associates and the covered entities,” Williams said.