Ten must-read health IT policy documents

A veritable alphabet soup of federal agencies release rules and regulations. This tip summarizes 10 important ones, including HIPAA, meaningful use and data breach notification.

Federal health IT policy documents abound, in the form of proposed rules, interim final rules and actual rules -- that is, signed pieces of legislation. While the Health Insurance Portability and Accountability Act (HIPAA) dates back to the 1990s, most documents have been released in the flurry of activity that followed the Feb. 17, 2009, signing of the stimulus bill. That bill contained the Health Information Technology for Economic and Clinical Health Act, or HITECH Act, and encouraged health care providers to pursue the meaningful use of electronic health record (EHR) technology.

A veritable alphabet soup of agencies release these documents, so finding every requirement, mandate and deadline can be quite a challenge. Here are links to 10 important health iformation technology policy documents that CIOs and CMIOs should read -- and to resources that do their best to explain those documents in plain English:

HITECH Act: Pages 112-165 of the American Recovery and Reinvestment Act of 2009
The HITECH Act allocated nearly $20 billion in financial incentives for hospitals and health care providers to stimulate EHR adoption. Additional funding was set aside to establish regional extension centers that would help health care organizations select and implement EHR technology, to jump-start the development of health information exchanges and to create college-level health IT job training programs. Finally, the HITECH Act laid out financial penalties for health care organizations that fail to demonstrate the meaningful use of EHR by the end of 2015.

Meaningful use proposed rule: Centers for Medicare & Medicaid Services
This is the biggie. It identifies the three stages of meaningful use criteria that hospitals and eligible providers will have to meet in order to qualify for the incentive payments announced in the HITECH Act. The Stage 1 meaningful use criteria, which focus on “electronically capturing health information in a coded format,” are spelled out in great detail and lend themselves to concerns for both hospitals and providers. Stage 2, due to be released by the end of 2011, will cover “continuous quality improvement at the point of care.” Stage 3, due at the end of 2013, further extends quality improvement and aims to provide “patient access to self-management tools.”

Standards rule for EHR technology: Office of the National Coordinator for Health IT (ONC)
This health IT policy document states the functionality that a complete EHR system or EHR module must include to support each of the Stage 1 criteria for meaningful use. Several principles guided the ONC here, including interoperability, a low cost of implementation and technical innovation based on adopted standards.

Health IT certification program: ONC
The EHR certification rule spells out the process by which organizations will be authorized to test and certify EHR technology and how vendors will submit their products for testing and certification. There is a temporary program, designed with the meaningful use Stage 1 deadlines in mind, and a more rigorous permanent program. The certification programs replace the system through which the Certification Commission for Health Information Technology served as the lone certifying body for EHR systems. It should be noted that the timeline for commenting on and implementing this health IT policy remains tight.

HIPAA Privacy Rule (summary): Department of Health & Human Services (HHS)
Officially called the Standards for Privacy of Individually Identifiable Health Information, the Privacy Rule was published in 2000 and modified two years later. It defines the information that can be used to identify a patient, in what manner that information can be disclosed without a patient’s consent and what steps HIPAA-covered entities must take to ensure that information is protected. The HIPAA Privacy Rule also established civil and criminal penalties for noncompliance, which is enforced by the Office for Civil Rights (OCR) within HHS. These were toughened by the HITECH Act, as indicated below.

HIPAA Security Rule (summary): HHS
Published in 2003, the HIPAA Security Rule aims to spell out in greater detail the safeguards that HIPAA-covered entities must put in place to secure patients’ electronic health records yet make them accessible to authorized users. (This health IT policy does not cover oral or written information exchanges.) In short, to ensure HIPAA compliance, covered entities must “protect against reasonably anticipated, impermissible uses or disclosures” of personal health information and regularly conduct risk analysis of security management procedures.

Data breach notification rule: HHS
This rule implements a HITECH Act security provision that requires all HIPAA-covered entities -- as well as their business associates -- to notify anyone affected by a breach of unsecured personal health information. It should be noted that business associates were not covered under the original HIPAA Privacy and Security Rules. Under this rule, health data breaches must be reported to the OCR, which, under the HITECH Act, can levy a penalty of $100 to $50,000 per information breach. Notably, a breach of encrypted data need not be reported.

HITECH Act enforcement rule: HHS
This health IT policy amends HIPAA enforcement as stipulated in the HITECH Act and details the new financial penalties for data breaches. Though the fines are significant, it should be noted that HHS has defined “categories of violation,” which suggest that a party demonstrating “willful neglect” in the event of a data breach will be treated more harshly than a party that simply did not know what happened.

E-prescribing for controlled substances: Drug Enforcement Agency (DEA)
One key component of meaningful use is e-prescribing, as it cuts down on the errors incurred from handwritten, phoned or faxed prescriptions. However, doctors write a large number of prescriptions for controlled substances, which are subject to more vigorous regulations than other medication. To that end, the DEA has issued a rule outlining what e-prescribing systems must include in order to meet DEA requirements for prescribing, dispensing and keeping records related to controlled substances.

Reclassification of Medical Device Data System: Food and Drug Administration (FDA)
This policy, first proposed in 2008, would place health IT in the FDA’s Class I category, as opposed to Class III. The latter category is stricter, as it requires technology developers to submit products for review before they can go to market, but the broad, general regulatory control of Class I would essentially add another complex layer to federal health IT policy, subjecting hundreds, if not thousands, of information technology companies to FDA regulation.

Let us know what you think about the story; email Brian Eastwood, Site Editor.

Dig Deeper on Federal health care policy issues and health care reform