Federal health IT policy documents abound, in the form of proposed rules, interim final rules and actual rules -- that is, signed pieces of legislation. While the Health Insurance Portability and Accountability Act (HIPAA) dates
A veritable alphabet soup of agencies release these documents, so finding every requirement, mandate and deadline can be quite a challenge. Here are links to 10 important health information technology policy documents that CIOs and CMIOs should read -- and to resources that do their best to explain those documents in plain English:
HITECH Act: Pages 112-165 of the American Recovery and Reinvestment Act of 2009
The HITECH Act allocated nearly $20 billion in financial incentives for hospitals and health care providers to stimulate EHR adoption. Additional funding was set aside to establish regional extension centers that would help health care organizations select and implement EHR technology, to jump-start the development of health information exchanges and to create college-level health IT job training programs. Finally, the HITECH Act laid out financial penalties for health care organizations that fail to demonstrate the meaningful use of EHR by the end of 2015.
Meaningful use proposed rule: Centers for Medicare & Medicaid Services
This is the biggie. It identifies the three stages of meaningful use criteria that hospitals and eligible providers will have to meet in order to qualify for the incentive payments announced in the HITECH Act. The Stage 1 meaningful use criteria, which focus on "electronically capturing health information in a coded format," are spelled out in great detail and raise concerns for both hospitals and providers.
Stage 2, due to be released by the end of 2011, will cover "continuous quality improvement at the point of care." Stage 3, due at the end of 2013, further extends quality improvement and aims to provide "patient access to self-management tools."
Standards rule for EHR technology: Office of the National Coordinator for Health IT (ONC)
This health IT policy document states the functionality that a complete EHR system or EHR module must include to support each of the Stage 1 criteria for meaningful use. Several principles guided the ONC here, including interoperability, a low cost of implementation and technical innovation based on adopted standards.
Health IT certification program: ONC
The EHR certification rule spells out the process by which organizations will be authorized to test and certify EHR technology and how vendors will submit their products for testing and certification. There is a temporary program, designed with the meaningful use Stage 1 deadlines in mind, and a more rigorous permanent program. The certification programs replace the system through which the Certification Commission for Health Information Technology served as the lone certifying body for EHR systems. It should be noted that the timeline for commenting on and implementing this health IT policy remains tight.
HIPAA Privacy Rule (summary): Department of Health & Human Services (HHS)
Officially called the Standards for Privacy of Individually Identifiable Health Information, the Privacy Rule was published in 2000 and modified two years later. It defines the information that can be used to identify a patient, the manner in which that information can be disclosed without a patient's consent and the steps HIPAA-covered entities must take to ensure that information is protected. The HIPAA Privacy Rule also established civil and criminal penalties for noncompliance; enforcement is handled by the Office for Civil Rights (OCR) within HHS. These penalties were toughened by the HITECH Act, as indicated below.
HIPAA Security Rule (summary): HHS
Published in 2003, the HIPAA Security Rule aims to spell out in greater detail the safeguards that HIPAA-covered entities must put in place to secure patients' electronic health records yet make them accessible to authorized users. (This health IT policy does not cover oral or written information exchanges.) In short, to ensure HIPAA compliance, covered entities must "protect against reasonably anticipated, impermissible uses or disclosures" of personal health information and regularly conduct risk analysis of security management procedures.
Data breach notification rule: HHS
This rule implements a HITECH Act security provision that requires all HIPAA-covered entities -- as well as their business associates -- to notify anyone affected by a breach of unsecured personal health information. It should be noted that business associates were not covered under the original HIPAA Privacy and Security Rules. Under this rule, health data breaches must be reported to the OCR, which, under the HITECH Act, can levy a penalty of $100 to $50,000 per information breach. Notably, a breach of encrypted data need not be reported.
HITECH Act enforcement rule: HHS
This health IT policy amends HIPAA enforcement as stipulated in the HITECH Act and details the new financial penalties for data breaches. Though the fines are significant, it should be noted that HHS has defined "categories of violation," which suggest that a party demonstrating "willful neglect" in the event of a data breach will be treated more harshly than a party that simply did not know what happened.
E-prescribing for controlled substances: Drug Enforcement Agency (DEA)
One key component of meaningful use is e-prescribing, as it cuts down on the errors incurred from handwritten, phoned or faxed prescriptions. However, doctors write a large number of prescriptions for controlled substances, which are subject to more rigorous regulations than other medications. To that end, the DEA has issued a rule outlining what e-prescribing systems must include in order to meet DEA requirements for prescribing, dispensing and keeping records related to controlled substances.
Reclassification of Medical Device Data System: Food and Drug Administration (FDA)
This policy, first proposed in 2008, would place health IT in the FDA's Class I category, as opposed to Class III. The latter category is stricter, as it requires technology developers to submit products for review before they can go to market, but the broad, general regulatory control of Class I would essentially add another complex layer to federal health IT policy, subjecting hundreds, if not thousands, of information technology companies to FDA regulation.
This was first published in April 2010