Posted in February 2013

Health Information Exchange Governance Valentine from Dr. Farzad!

I listened in on this town hall this afternoon!


Happy Valentine’s day to me!


I did not expect Dr. Farzad Mostashari, the National Coordinator of ONC, to wish me (and all participants) a happy Valentine's Day as he was flying on an airplane to a far-flung locale. He spoke quickly about how he "hearted" all the "listening" and open discussion going on involving health information exchange, especially around the issue of governance. Since his plane was landing, he had to cut his remarks short, so other ONC staff took the reins for a really robust and interactive webinar session on the issue.

A Rational & Non-Regulatory Approach to Health Information Exchange Governance


It was reassuring to hear the ONC staff verify that they are committed to a listening approach rather than a pure regulatory approach to health information exchange governance. This is a real relief to those of us who are still wading through the HIPAA Omnibus Rules. They emphasized that they are in a listening and "information collecting" mode at present and plan to continue this way. The ONC has had other town halls on this and other topics.

My opinion: The complexity and level of detail that would need to exist in regulations is overwhelming, and with Health Information Exchange being a fairly new creature, regulation is just not practical at this time. It would also chill implementation, adoption and participation! Who wants to have to deal with even MORE regulations and the associated penalties and costs?

There were several main themes developed throughout this town hall meeting:

  1. Information should securely and privately follow the patient.
  2. Trust is key. Trust policies are HUGE. Providers, organizations and patients need to trust in the exchange.
  3. Meaningful patient relationships and engagement regarding use of HIE. (Like understanding what it IS!)
  4. How will patients be able to get their data? There was an advocate on the call for patient-mediated exchange.
  5. Increasing interoperability is crucial.
  6. Costs need to decrease.
  7. Adopting best practices for exchange.
  8. Whether HIEs will agree to exchange information with one another or whether they will "hoard" the data, especially if there is a profit-based incentive for doing so. There is currently no requirement that this sharing occur.
  9. Crossing boundaries of current EHR vendors.
  10. Closing "digital divide" barriers to implementation and meaningful exchange.

The ONC plans to monitor the exchange ecosystem and evaluate what activities are occurring and what problems or issues arise which may benefit from "national activity." The ONC is the entity to monitor and potentially come up with regulations if they were later required.

My opinion: If people can’t play nicely and fairly in the sandbox the ONC will be willing to regulate.  It seems like the equivalent to a mom hearing kids fighting outside over buckets and shovels and saying “Don’t MAKE me come out there!”

An aside: there does not seem to be a lot of love for Epic. They might be the kid in the sandbox preventing others from digging in. Just an undertone I got. (opinion)

HIPAA Components to Health Information Exchange Governance

Joy Pritts, the nation's Chief Privacy Officer, offered some comments on understanding how the new HIPAA Omnibus rules should be interpreted as they pertain to Health Information Exchange. She suggested that by looking at the preamble to the final rule, one can find guidance about whether HIEs will be considered business associates. From my own reading, the analysis will depend on whether the HIE is "pushing" or "pulling" data.

Overall, the call was quite informative and a great way to spend Valentine’s Afternoon!

HIPAA 2013 – Life’s A Breach and Then You…

HIPAA/HITECH 2009: Into the Breach

Quick History

Breach notification requirements were first introduced into HIPAA upon passage of HITECH in 2009.

Beginning September 23, 2009, covered entities were obligated to notify the HHS Secretary of all breaches of protected health information occurring on or after that date. As of September 23, 2009, covered entities were required to report breaches affecting 500 or more individuals to the Secretary without unreasonable delay and in no case later than 60 days from discovery of the breach, while breaches affecting fewer individuals must be reported to the Secretary within 60 days of the end of the calendar year in which the breach occurred.

This year, the deadline for breach reporting for 2012 breaches affecting fewer than 500 individuals is February 28!

HIPAA 2013: Breaches Clarified

In HIPAA 2013, the rule includes final modifications to the Breach Notification Rule, which will replace an interim final rule originally published in 2009 as required by the HITECH Act. HHS estimates that it will receive approximately 19,000 breach notifications annually and that those breaches will affect approximately 6.71 million individuals.


HIPAA 2013: No harm, no foul? Not so much!

The final rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act replaces the breach notification rule's "harm" threshold with a more objective standard and supplants the interim final rule published on August 24, 2009. It focuses more objectively on the risk that the protected health information has been compromised.

This final rule modifies and clarifies the definition of breach and the risk assessment approach outlined in the interim final rule. Language was added to the definition of breach to clarify that an impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the protected health information has been compromised.

HHS has clarified its position that breach notification is necessary in all situations except those in which the covered entity or business associate demonstrates that there is a low probability that the protected health information has been compromised. The covered entity or business associate has the burden of proof!

HHS believes that this presumption in the final rule will help ensure that all covered entities and business associates interpret and apply the regulation in a uniform manner.

The new language is consistent with language in § 164.414, which provides that covered entities and business associates have the burden of proof to demonstrate that all notifications were provided or that an impermissible use or disclosure did not constitute a breach. This burden is met by demonstrating through a risk assessment that there was a low probability that the protected health information had been compromised. The covered entity or business associate must maintain documentation sufficient to meet that burden of proof.

The final rule also identifies the more objective factors covered entities and business associates must consider when performing a risk assessment to determine if the protected health information has been compromised and breach notification is necessary.

HIPAA 2013: Encrypt Early and Often

Every time there is a HIPAA data breach penalty for a lost laptop or hard drive, Office for Civil Rights (OCR) Director Leon Rodriguez likes to emphasize that the penalty would have been avoided if the data had been encrypted. The HITECH Act of 2009 modified the HIPAA data breach rule by stating that if a device is lost or stolen, the loss is not reportable as a HIPAA data breach if the data is encrypted in compliance with data encryption guidance from the National Institute of Standards and Technology (NIST).

To avoid the hit to your organization's reputation and bottom line if you have to ameliorate a breach, it is strongly suggested that you encrypt data at rest and on portable devices such as laptops and flash drives.


HIPAA 2013: Timetables


The final rule is effective on March 26, 2013. Covered entities and business associates of all sizes will have 180 days beyond the effective date of the final rule to come into compliance with most of the final rule’s provisions, including the modifications to the Breach Notification Rule.

HIPAA 2013: Notice of Privacy Practices Must Change

The final rule also requires covered entities to include in their Notice of Privacy Practices a statement of the right of affected individuals to be notified following a breach of unsecured protected health information. HHS believes that individuals should be informed of their right to receive, and the obligations of covered entities to provide, notification following a breach.

HHS indicated that a simple statement in the Notice of Privacy Practices that an individual has a right to or will receive notifications of breaches of his or her unsecured protected health information will suffice for purposes of this requirement.


HIPAA 2013: Costs

HHS estimates that private entities will bear 93 percent of the costs of compliance with the breach notification requirements, or about $13.5 million. This is because the majority of breach reports are filed by health care providers, all of whose costs were attributable to the private sector.


HIPAA 2013 is loaded with many challenges for covered entities and business associates. Hopefully, your organization has been preparing for these final rules since passage of HITECH. If you have not, the time is NOW!



Julie Meadows-Keefe