February 24, 2011 11:34 AM
Posted by: Pabrai
, Red Flags Rule
President Obama signed the Red Flag Program Clarification Act of 2010 into law on December 18, 2010. The law is effective as of January 1, 2011 and enforced by the Federal Trade Commission (FTC).
The Fair and Accurate Credit Transactions Act of 2003 (FACTA) regulation requires organizations to identify, detect and mitigate instances of identity theft. The FTC originally proposed the Red Flags Rule in 2008. The Rule was designed to address the threat of identity thieves trying to misappropriate consumer accounts to purchase goods and services for themselves using someone else’s name. FACTA applies to financial institutions and creditors. “Creditors” were defined as any entity that regularly allows a person to buy property or services and to defer making payment on the purchase.
The Red Flag Clarification Act of 2010 addressed the issue related to the healthcare industry by limiting a “creditor” to an entity that:
• Obtains or uses credit reports in connection with a credit transaction
• Furnishes information to consumer reporting agencies in connection with a credit transaction or
• Advances funds to a person based on an obligation of the person to repay the funds or make the funds repayable from specific property pledged for that purpose
It specifically excludes entities that “advance funds” to consumers for expenses incidental to a service being provided. For example, healthcare providers delivering care and then billing or it in arrears.
Healthcare providers now covered by the Red Flags Rule seem to be those that either use consumer reports in order to establish patient credit or furnish information to credit reporting agencies.
The Act does state that the FTC can extend the Red Flags Rule to a business based on the determination that the business offers or maintains accounts that are subject to a reasonably foreseeable risk of identity theft.
Providers that are unlikely to see the Red Flags Rule extended to them by the FTC include those with a more personable relationship with their patients – this would include small medical practices, home health agencies, and long term care facilities.
It is ecfirst position that healthcare providers already impacted by HIPAA, HITECH and other privacy and security regulations would be well served to address the requirements of the FACTA regulation. Organizations should establish a credible Identity Theft Prevention Program, within the context of a more comprehensive framework of privacy and security policies, controls and capabilities.
Have you developed an Identity Theft Prevention Program? ecfirst can help. Ask about the ecfirst On-Demand Consulting Program to jumpstart and address your requirements for compliance with FACTA, HIPAA, HITECH, and State mandates.
Contact Audra at Audra.Curtis@ecfirst.com to schedule a private Webcast focused on Policies & Procedures to comply with HIPAA, HITECH, FACTA & More.
February 8, 2011 2:48 PM
Posted by: Pabrai
, Risk Analysis
Computer systems that run the Nasdaq Stock Market have been repeatedly penetrated over the past year, reported The Wall Street Journal on February 5, 2011. The possible motives include unlawful financial gain, theft of trade secrets, and a national security threat to damage the exchange. The Nasdaq exchange is regarded by the government as critical, similar to power companies and air travel control operations – all considered part of the U.S. basic infrastructure.
In the recent past, hackers planted potentially disruptive software programs in the U.S. electrical grid. In the case of the Nasdaq hack, it seems that the intent was to “snoop” and learn about the system; it does not appear that any information had been tampered with. The U.S. Secret Service and the FBI are investigating the matter.
Businesses and organizations are under constant attacks, with estimates of a an attack every 1.5 seconds on the business information infrastructure – about 60,000 attacks every day. In recent years U.S. authorities have experienced cyberattacks linked to computers in Russia, China and Eastern Europe.
With breaches on the rise with attacks from the outside and inside, it is critical to conduct a comprehensive and thorough assessment of the threats and vulnerabilities to the confidentiality, integrity and availability of all critical assets and sensitive information managed by the organization. When is the last time your organization conducted a risk analysis activity?
A checklist of steps to review to address breaches and incidents, include:
- Develop policy on Discovery, Reporting & Notification of Information Breaches
- Review, update and integrate security controls and reporting capabilities for incident management
- Create a specific procedure for information breach management
- Develop specific procedure for information breach notification
- Conduct training for all members of the workforce on your policies and regulatory mandates for security
It is not a question of if your organization will experience a breach. It will. It is a question of how quickly you can discover the incident and what are the specific steps that must be taken to address the assets and information that may have been compromised. In the case of many industries, including healthcare, there are severe fines and penalties related to breach notification.
Have you recently reviewed and updated your organization’s policies, procedures and controls for managing breaches and incidents?
Review ecfirst breach and policy templates at the Resource Center at www.ecfirst.com. Contact Audra at Audra.Curtis@ecfirst.com to schedule a private Webcast focused on breach and incident management.
September 8, 2010 1:47 PM
Posted by: Pabrai
Several organizations were not exactly sure about the recent notice related to the Breach Notification Final Rule. The Interim Final Rule for Breach Notification for Unsecured Protected Health Information, issued pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act, was published in the Federal Register on August 24, 2009, and became effective on September 23, 2009. During the 60-day public comment period on the Interim Final Rule, HHS received approximately 120 comments.
HHS reviewed the public comment on the interim rule and developed a final rule, which was submitted to the Office of Management and Budget (OMB) for Executive Order 12866 regulatory review on May 14, 2010. HHS has withdrawn the breach notification final rule from OMB review to allow for further consideration, given the Department’s experience to date in administering the regulations. This is a complex issue and the Administration is committed to ensuring that individuals’ health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur. HHS intends to publish a final rule in the Federal Register in the coming months.
What is important to note is that until the final rule is issued, the Interim Final Rule that became effective on September 23, 2009, remains in effect.
The following link is the best source of information to keep up with information related to HITECH Data Breach Notification, http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html.
September 1, 2010 3:34 PM
Posted by: Pabrai
, Meaningful use
In Stage 1, HHS chose to reduce the requirements related to measurement thresholds defined for objectives. Many measures that required performance levels of 80% were reduced to 50% or lower in the final rule. For example, in the proposed rule the objective for recording and charting vital signs was set at more than 80%; this was lowered to more than 50% for all unique patients age two and older.
Examples of lowered measurements include:
- The proposed rule required that patients be provided with an electronic copy of their health information, upon request, more than 80% of requests within 48 hours; the final rule lowered this requirement to more than 50% of requests within three business days
- The proposed rule required that participants implement five clinical decision support rules; this measurement was lowered to participants implementing one clinical decision support rule
One example of a core objective that entities must address is in the area of privacy and security. Entities ensure adequate privacy and security protections for personal health information through use of policies, procedures, and technologies. Entities such as Eligible Hospitals (EH) and Eligible Professionals (EPs) must protect electronic health information created or maintained by the certified Electronic Health Record (EHR) technology through the implementation of appropriate technical capabilities. The measurement associated with this objective requires that entities must conduct or review a security risk analysis and implement security updates as necessary. Entities, including physician practices and EPs must ensure complete compliance with the HIPAA and HITECH mandates.
August 30, 2010 11:48 AM
Posted by: Pabrai
, Meaningful use
As in the proposed rule, the final rule for meaningful use retains a phased approach. The phases are referred to as stages. Three stages have been identified – Stage 1, Stage 2 and Stage 3.
In the proposed rule it was HHS intent for all program participants to be at Stage 3 in 2015 – regardless of when the participant joined the program. This however has been changed in the final rule – HHS chose to remove all language about direction beyond 2014 – this would be addressed in future rule making. HHS retains the option to introduce additional stages as required.
What is the timeline for meaningful use criteria to be updated? HHS expects to update the meaningful use criteria every two years. Stage 2 criteria are expected to be finalized by the end of 2011 and Stage 3 criteria by the end of 2013. In the final rule, Providers joining the program in 2013 will be required to be at Stage 1 in 2014 – and not Stage 2 as was in the proposed rule.
How is Stage 1 organized? For hospitals and EPs to be considered meaningful users in 2011 and 2012, they must meet defined objectives and associated measures. These objectives are divided into two tracks (sets):
1. Core Set
2. Menu Set
The core set identifies essential objectives and measurements that must be met. There are 15 objectives identified in the core set. The menu set includes 10 objectives from which providers can choose any 5 to implement in 2011 and 2012. This provides flexibility to providers in establishing their own priorities as they look to comply with meaningful use objectives for EHR implementation.
August 23, 2010 11:51 AM
Posted by: Pabrai
, Meaningful use
The objectives defined in the proposed rule for meaningful use were offered with more flexibility and choice in the final rule on the meaningful use EHR incentive program published on July 28, 2010. The rule is effective September 26, 2010.
The objectives in the final rule are designed to allow program participants to establish their own path to meaningful use. Further, the bar for measurements associated with several objectives was lowered. In the proposed rule for meaningful use 27 objectives had been defined in Stage 1 of the program. In the final rule, the objectives were organized into two tracks: Core Set and Menu Set. Program participants must achieve each of the objectives in the core set, while the menu set provides for greater flexibility in Stage 1. Think of the core set as mandatory while the menu set provides a la carte objective choices.
How many core set objectives have been defined? For Eligible Professionals (EPs) a total of 15 objectives are defined in the core set; while Eligible Hospitals (EHs) and Critical Access Hospitals (CAH) must meet 14 core set objectives.
What about menu set? How is the menu set criteria organized? The menu set actually includes twelve objectives of which ten apply to EPs and ten apply to hospitals. EPs and hospitals must choose five out of the ten menu set objectives. The items not chosen are deferred to Stage 2. There is, however, one requirement related to the menu set – participants must select at least one population and public health measure.
What is the timeline for criteria to be updated? HHS expects to update the meaningful use criteria every two years. Stage 2 criteria are expected to be finalized by the end of 2011 and Stage 3 criteria by the end of 2013. In the final rule, HHS also chose to remove all language about direction beyond 2014 – this would be addressed in future rule making. Further, providers joining the program in 2013 will be required to be at Stage 1 in 2014 – and not Stage 2 as was in the proposed rule.
August 20, 2010 2:47 PM
Posted by: Pabrai
, Office of the National Coordinator for Health IT
The Office of the National Coordinator for Health IT (ONC) on June 24 published a final rule for EHR certification as part of the meaningful use incentive plan. This became effective immediately. This was first published as an interim final rule in January 2010.
Organizations that have an interest in becoming Authorized Testing and Certification Bodies (ONC-ATCBs) can submit applications as of July 1, 2010. It is a multi-step process and if they are approved then they can test and certify EHR products on criteria specific to the meaningful use program. The Certification Commission for Health Information Technology (CCHIT) has applied to become an authorized certification body.
Who will provide the test methods for the program? The National Institute of Standards and Technology (NIST) will provide test methods for the program.
Vendors may submit complete systems or individual modules for certification.
Why is this Temporary EHR Certification Program relevant? This is because provider organizations (e.g. hospitals) must use technology that has been certified by the ONC-ATCB.
The ONC published the final rule on standards and certification criteria on July 28, 2010. This supports meaningful use program and becomes effective on August 27, 2010.
Where can you get more information on all certified products and ONC-ATCBs? The ONC will maintain a list of ONC-ATCBs and certified products at the website, http://healthit.hhs.gov. The Temporary EHR Certification Program is expected to sunset in 2012 and will be replaced by the permanent program at that time. Products certified under the temporary program will maintain their certification under the permanent program.
August 16, 2010 4:23 PM
Posted by: Pabrai
The HITECH NPRM published as a Federal Register on July 14, 2010 (45 CFR Parts 160 and 164) includes updates to certain terminology.
Disclosure means the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information.
Electronic storage material on which data is or may be recorded electronically, including, for example, devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card;
Transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the Internet (wide-open), extranet or intranet (using Internet technology to link a business with information accessible only to collaborating parties), leased lines, dial- up lines, private networks, and the physical movement of removable/transportable electronic storage media.
Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media if the information being exchanged did not exist in electronic form before the transmission.
Protected Health Information (PHI)
Protected Health Information (PHI) excludes Individually Identifiable Health Information (IIHI):
- In education records covered by the Family Educational Rights and Privacy Act
- In employment records held by a covered entity in its role as employer
- Regarding a person who has been deceased for more than 50 years
Workforce means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate.
August 13, 2010 2:03 PM
Posted by: Pabrai
, Public Health
The HITECH NPRM published as a Federal Register on July 14, 2010 (45 CFR Parts 160 and 164) includes updates to a few areas public health disclosure and fundraising requirements.
Public Health Disclosures
The proposed rule would create a new public health provision to permit disclosure of proof of a child’s immunization by a covered entity to a school in States that have school entry or similar laws. This proposed change would allow a covered health care provider to release proof of immunization to a school without having to obtain a written authorization, provided the provider obtained the agreement (oral or otherwise) to the disclosure from either the parent or guardian, or the individual, if the individual is an adult or emancipated minor. It is expected the burden would be reduced on covered entities and parents in obtaining and providing written authorizations.
Since the proposed rule would require the covered entity and the responsible party for the student to agree that the covered entity may release proof of immunization, some covered entities may request the agreement in writing.
The proposed rule would require that any fundraising communication sent to an individual must provide the recipient with a clear and conspicuous opportunity to opt out of receiving any further fundraising communications. If an individual elects to opt out, the fundraising entity must not send the individual additional fundraising communications. This proposed change will require fundraisers to clearly and conspicuously provide the recipient an opt-out choice from receiving future communication and to treat such a choice as a revocation of authorization. This will result in fewer unwanted fundraising communications.