Disclaimer

The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.

© Copyright 2012

1 Step Closer to EHR Privacy

by 20. July 2010 12:16

Amid the sweltering summer blizzard of last week’s MU finalization, the VCS BlogMasters lost sight of the earlier, July 7, announcement by CMS and ONC that “current health information privacy and security rules will now include broader individual rights and stronger protections when third parties handle individually identifiable health information.”

So, here’s the delayed scoop (if that’s even possible!):

These measures expand and strengthen privacy, security, and enforcement rules of HIPAA ’96.

“Giving more Americans the ability to access their health information wherever, whenever and in whatever form is a critical first step toward improving our health care system,” said David Blumenthal, M.D., M.P.P., HHS’ national coordinator for health information technology.

HHS Secretary Kathleen Sebelius added, “While health information technology will help America move its health care system forward, the privacy and security of personal health data is at the core of all our work.”

The full press release can be found here: http://www.hhs.gov/news/press/2010pres/07/20100708c.html

In a related matter, the National Institute of Standards and Technology has developed and sold a role-based-workflow (RBW) security application that restricts access to patient information based on a situational need. NIST sold the patent.

NIST’s press release can be found here: http://www.nist.gov/itl/csd/health_070610.cfm

Both developments bode well for VCS clients. Ensuring privacy while improving workflow has posed a challenge for most HIT vendors, even as medical record privacy has been a salient concern for most patients.



HITECH PHI Breach Notification Rulings

by Gwen.Cantarera 25. August 2009 11:32

By: Eric Egnet, CIO

Hospitals and medical centers now have even more reason to be concerned about privacy and security as the new rulings, released last week, go into effect. Healthcare CIOs need to heighten the attention they place on the protection of sensitive patient information as it pertains to access, storage, and transmission. This will need to be done in conjunction with their new focus on “meaningful use,” which includes CPOE and EHR upgrades and installations, clinical documentation, quality measures, and interoperability.

On Wednesday, August 19th, HHS issued their “interim final” ruling that requires healthcare providers and health plans to alert individuals of unauthorized access to their unsecured electronic protected health information (PHI). This came just two days after an FTC rule was released which outlined similar requirements for personal health record (PHR) vendors, related PHR entities and third-party service providers.

Both of these interim rulings have been mandated by the very stringent privacy and security requirements outlined in the ARRA for HIPAA covered entities and business associates and certain non-HIPAA-covered entities. Try saying that fast five times!

The HHS and FTC worked collaboratively to make sure that the rules were in sync and written in such a way that they complemented one another. Requirements include:

  • All entities that are covered by either of these rulings have 60 days to notify any individuals whose information was accessed without the proper authorization.
  • If a large breach falling within the PHI rules occurred and 500 or more people were involved, those entities must alert the press and media and either HHS or FTC, depending on which of the rulings they are subject to.
  • If the breach involved fewer than 500 people, those entities must record and log the incident and then contact and submit the breach findings to either HHS or FTC at the end of the year.

These “interim final” regulations will be in effect for 30 days after publication in the Federal Register on August 24th.

The HHS “interim final” regulations are available at http://www.federalregister.gov/OFRUpload/OFRData/2009-20169_PI.pdf.

The FTC “interim final” regulations are online at http://www.ftc.gov/os/2009/08/R911002hbn.pdf.


Read Eric's industry blog, InTheKnowCIO.