Tagged with HIPAA

HIPAA 2013 – Life’s A Breach and Then You…

HIPAA/HITECH 2009: Into the Breach

 Quick History

Breach notification requirements were first introduced into HIPAA upon passage of HITECH in 2009.

Beginning September 23, 2009, covered entities were obligated to notify the HHS Secretary of all breaches of protected health information occurring on or after that date. As of September 23, 2009, covered entities were required to report breaches affecting 500 or more individuals to the Secretary without unreasonable delay and in no case later than 60 days from discovery of the breach, while breaches affecting fewer individuals must be reported to the Secretary within 60 days of the end of the calendar year in which the breach occurred.

This year, the deadline for reporting 2012 breaches affecting fewer than 500 individuals is February 28!

 HIPAA 2013-Breaches Clarified

 

In HIPAA 2013, the rule includes final modifications to the Breach Notification Rule, which will replace an interim final rule originally published in 2009 as required by the HITECH Act. HHS estimates that it will receive approximately 19,000 breach notifications annually and that those breaches will affect approximately 6.71 million individuals.

 

HIPAA 2013: No harm, no foul? Not so much!

The final rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act replaces the breach notification rule’s “harm” threshold with a more objective standard and supplants the interim final rule published on August 24, 2009. It focuses more objectively on the risk that the protected health information has been compromised.

This final rule modifies and clarifies the definition of breach and the risk assessment approach outlined in the interim final rule. Language was added to the definition of breach to clarify that an impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the protected health information has been compromised.

HHS has clarified its position that breach notification is necessary in all situations except those in which the covered entity or business associate demonstrates that there is a low probability that the protected health information has been compromised. The covered entity or business associate has the burden of proof!

HHS believes that this presumption in the final rule will help ensure that all covered entities and business associates interpret and apply the regulation in a uniform manner.

The new language is consistent with language in § 164.414, which provides that covered entities and business associates have the burden of proof to demonstrate that all notifications were provided or that an impermissible use or disclosure did not constitute a breach. This burden is met by demonstrating through a risk assessment that there was a low probability that the protected health information had been compromised. The covered entity or business associate must maintain documentation sufficient to meet that burden of proof.

The final rule also identifies the more objective factors covered entities and business associates must consider when performing a risk assessment to determine if the protected health information has been compromised and breach notification is necessary.

HIPAA 2013: Encrypt Early and Often

Every time there is a HIPAA data breach penalty for a lost laptop or hard drive, Office for Civil Rights (OCR) Director Leon Rodriguez likes to emphasize that the penalty would have been avoided if the data had been encrypted. The HITECH Act of 2009 modified the HIPAA data breach rule by stating that if a device is lost or stolen, the loss is not reportable as a HIPAA data breach if the data is encrypted in compliance with data encryption guidance from the National Institute of Standards and Technology (NIST).

To avoid the hit to your organization’s reputation and bottom line if you have to ameliorate a breach, it’s strongly suggested that you encrypt data at rest and portable data such as laptops and flash drives.

 

HIPAA 2013-Timetables

 

The final rule is effective on March 26, 2013. Covered entities and business associates of all sizes will have 180 days beyond the effective date of the final rule to come into compliance with most of the final rule’s provisions, including the modifications to the Breach Notification Rule.

 HIPAA 2013-Notice of Privacy Practices Must Change

The final rule also requires covered entities to include in their Notice of Privacy Practices a statement of the right of affected individuals to be notified following a breach of unsecured protected health information. HHS believes that individuals should be informed of their right to receive, and the obligations of covered entities to provide, notification following a breach.

HHS indicated that a simple statement in the Notice of Privacy Practices that an individual has a right to or will receive notifications of breaches of his or her unsecured protected health information will suffice for purposes of this requirement.

 

HIPAA 2013- Costs

HHS estimates that private entities will bear 93 percent of the costs of compliance with the breach notification requirements, or about $13.5 million. This is because the majority of breach reports are filed by health care providers, all of whose costs were attributable to the private sector.

 

HIPAA 2013 is loaded with many challenges for covered entities and business associates. Hopefully, your organization has been preparing for these final rules since passage of HITECH. If you have not, the time is NOW!

 

Julie Meadows-Keefe

HIPAA 2013-Business Associates Asking “Am I My Brother’s Keeper?”

HIPAA 2013

Julie Meadows-Keefe

HIPAA 2013-New World for Business Associates-Of Biblical Proportions?

 

Maybe you are familiar with the Bible story of when Cain slew Abel and God asks Cain, “Where is your brother?” and Cain responds, “Am I my brother’s keeper?” If we’ve read the story, we know things weren’t too great for Cain after that! He is held responsible for his brother, as he should have been, but initially tried to say it wasn’t his problem. Like Cain, business associates under HIPAA 2013 cannot deny responsibility for data within their control.

You may zone out on me before you get to the end of this blog post, so the crux is that business associates, by definition, are now (and have been for a while) separately and directly liable for violations of the Security Rule and for violations of the Privacy Rule for impermissible uses and disclosures pursuant to their business associate contracts.

Many haven’t wanted to think about it!

To learn more, please continue reading! I promise to try and keep it interesting!

 

Get to Know Business Associates

In mafia movies a “business associate” might be the muscular wall of a man who collects overdue loan payments.

In other, more realistic worlds, a business associate would be someone with whom one worked, either as a co-worker or perhaps a colleague in another company.

In the HIPAA world, the term has a very distinctive and detailed definition.

What (Or Who) Is A Business Associate Under HIPAA?

The HIPAA Rules define ‘‘business associate’’ generally to mean a person who performs functions or activities on behalf of, or certain services for, a covered entity that involve the use or disclosure of protected health information. Examples of business associates include:

  1. Claims processors, administrators or practice managers.
  2. Accountants, legal advisors, consultants, or data aggregators.
  3. Accrediting services.
  4. Patient safety organizations.

In short, if the person or organization is providing services to a covered entity and the provision of the service involves the disclosure of individually identifiable health information from such covered entity, that person or entity is considered a business associate. Before the HITECH Act, the Security Rule did not directly apply to business associates.

Business Associate Changes Under HITECH

Life changed for business associates under the HITECH Act. Under HITECH, HHS made business associates primarily liable for violations of the Security Rule, including its administrative, physical, and technical safeguards requirements as well as its policies and procedures and documentation requirements. Therefore, under HITECH, business associates are civilly and criminally liable for violations of these provisions. HHS believes that many business associates have not appreciated, fully understood or implemented necessary compliance practices.

HIPAA 2013-Business Associates & Subcontractors

The final rule applies the business associate provisions of the HIPAA Rules to subcontractors and thus provides in the definition of ‘‘business associate’’ that a business associate includes a ‘‘subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.’’

HHS also updated the definition of a subcontractor to mean ‘‘a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate.’’ So, a subcontractor is a person to whom a business associate has delegated a function, activity, or service the business associate has agreed to perform for a covered entity or business associate. A subcontractor is then a business associate where that function, activity, or service involves the creation, receipt, maintenance, or transmission of protected health information.

There will be increased costs to many business associates to bring their subcontracts into compliance with business associate agreement requirements; and costs to a portion of business associates to achieve full compliance with the Security Rule.

 Drop Dead Dates for Business Associates

The final rule is effective on March 26, 2013. Covered entities and business associates of all sizes will have 180 days beyond the effective date of the final rule to come into compliance with most of the final rule’s provisions. This translates into September 23, 2013. However, HHS has built in another year of cushion for covered entities to update their business associate agreements. So the new documents must be fully executed no later than September 23, 2014.

In the span of time between September 23, 2013 and September 23, 2014, covered entities must ensure that they obtain satisfactory assurances from their business associates that the requirements are being met. Furthermore, business associates must also receive satisfactory assurances from their subcontractors no matter how far down the chain the information flows. Again, organizations must be COMPLIANT by September 23, 2013 and have another year to execute new business associate agreements.

That brings us to September 23, 2014 to have the updated agreements executed.

Please do not wait until September 1, 2014 to consider this!

 What do Business Associates Need to Know? 

Business associates are now directly liable under the HIPAA Rules for the following:

  1. for impermissible uses and disclosures;
  2. for a failure to provide breach notification to the covered entity;
  3. for a failure to provide access to a copy of electronic protected health information to either the covered entity, the individual, or the individual’s designee (whichever is specified in the agreement);
  4. for a failure to disclose protected health information where required by the Secretary to investigate or determine the business associate’s compliance with the HIPAA Rules;
  5. for a failure to provide an accounting of disclosures;
  6. for a failure to comply with the requirements of the Security Rule.
  7. Business associates remain contractually liable for other requirements of the business associate agreement.
  8. Business associates will also have to comply with new requirements for notification of breaches. (coming in a future post!)
  9. Business associates need to evaluate their subcontractors!

Hopefully now you understand why I started this post with reference to the biblical story of Cain. Although these changes may not be of biblical proportions, they do represent increased levels of responsibility for any entity handling identifiable health information!

Do you have questions about what you’ve read?

Don’t consider this post legal advice!

Contact me @ julie@esq140.com or here.

I am friendly and do not bite!

Read the rule for yourself here!  I recommend it, especially if you have trouble sleeping!


HIPAA 2013-Public Health Updates

HIPAA 2013

Julie Meadows-Keefe

HIPAA 2013 is HERE!

 

The Health Insurance Portability and Accountability Act of 1996, as modified by the American Recovery and Reinvestment Act (ARRA) of 2009 and its Health Information for Clinical and Economic Health (HITECH) provisions, brought to bear the necessity of a whole new slew of regulations, which were handed down last week amid much fanfare. In the next few days, I’ll be posting some updates summarizing the highlights of HIPAA 2013!

A friend requested that I start with taking a look at HIPAA provisions relating to public health reporting and activities.

HIPAA 2013 Emphasizes That Covered Entities Should NOT Use their Business Associates for Public Health Reporting!

 

HHS emphasized that business associates do not have their own health care operations (see the definition of health care operations, which is limited to activities of the covered entity). Business associate functions and activities include: claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing. Business associate services are: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial. See the definition of “business associate” at 45 CFR 160.103.

While a business associate does not have health care operations, it is permitted to use and disclose protected health information as necessary for its own management and administration if the business associate agreement permits such activities, or to carry out its legal responsibilities. Other than the exceptions for the business associate’s management and administration and for data aggregation services relating to the health care operations of the covered entity, the business associate may not use or disclose protected health information in a manner that would not be permissible if done by the covered entity (even if such a use or disclosure is permitted by the business associate agreement).

HIPAA 2013 HINT

If you are a covered entity, make sure that you are doing your public health reporting, as required by state and federal law, and NOT delegating that function to a business associate.

 HIPAA 2013-What’s Coming Tomorrow

Tomorrow I will provide a quick overview of what’s become of the exception to the authorization requirement for public health exchanges in order to conduct public health activities.

I invite you to leave a comment and stay in touch!

 


HHS Is Serious About Privacy and Security!

HHS is Serious About Privacy & Security

HHS is serious about privacy and security! HHS demonstrated this again last week, on January 2, 2013, when it announced the first HIPAA breach settlement involving fewer than 500 patients. The provider, Hospice of North Idaho (HONI), settled with HHS for $50,000.

This is the first settlement involving a breach of unprotected electronic protected health information (ePHI) affecting fewer than 500 individuals.

The HHS Office for Civil Rights (OCR) began its investigation after HONI reported to HHS that an unencrypted laptop computer containing the electronic protected health information (ePHI) of 441 patients had been stolen in June 2010. Laptops containing ePHI are regularly used by the organization as part of their field work. Over the course of the investigation, OCR discovered that HONI had not conducted a risk analysis to safeguard ePHI. Further, HONI did not have in place policies or procedures to address mobile device security as required by the HIPAA Security Rule. Since the June 2010 theft, HONI has taken extensive additional steps to improve their HIPAA Privacy and Security compliance program.

“This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information,” said OCR Director Leon Rodriguez. “Encryption is an easy method for making lost information unusable, unreadable and undecipherable.”

HONI entered into a 2-year CAP (corrective action plan) with HHS, which included the following findings, which demonstrate that HHS is serious about privacy and security:

  1. HONI did not conduct an accurate and thorough analysis of the risk to the confidentiality of ePHI on an on-going basis as part of its security management process from the compliance date of the Security Rule to January 17, 2012. In particular, HONI did not evaluate the likelihood and impact of potential risks to the confidentiality of electronic PHI maintained in and transmitted using portable devices, implement appropriate security measures to address such potential risks, document the chosen security measures and the rationale for adopting those measures, and maintain on an on-going basis reasonable and appropriate security measures.
  2. HONI did not adequately adopt or implement security measures sufficient to ensure the confidentiality of ePHI that it created, maintained, and transmitted using portable devices to a reasonable and appropriate level from the compliance date of the Security Rule to May 1, 2011.
  3. HONI was required to designate an authorized representative to be the point of contact with HHS throughout the 2 year corrective action plan.
  4. HONI has to report to HHS any violations of its Privacy and Security policies and detail remedial actions they have taken to respond to the violation.
  5. Any further HIPAA violations can result in additional civil money penalties.

The Resolution Agreement can be found here.

You should know that the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification Rule requires covered entities to report an impermissible use or disclosure of protected health information, or a “breach,” affecting 500 individuals or more to the Secretary of HHS and the media within 60 days after the discovery of the breach. Smaller breaches affecting fewer than 500 individuals must be reported to the Secretary on an annual basis.

So many problems can be averted through diligent and consistent usage of encryption and common-sense measures that staff may use when traveling with computers and other mobile devices.

HHS is serious about Privacy and Security.  You and your practice should be too.



What Are Physical Safeguards?

Julie Meadows-Keefe


Physical Safeguards are important.

You never know who your patient (or patient’s mom) is…..

A few nights ago my daughter was sick enough to warrant a trip to the ER. (She’s fine now, thank you).

In my haste to get her there, I left my cell phone at home so on two occasions I used the phone at a station in the ER. On one occasion, I was led to the phone where the staff member dialed 9, let me dial the number and left me standing in front of the computer screen on the desk. It had identifiers for the current patients in the pediatric ER. I deliberately averted my eyes.

On the next occasion, the staff member dialed 9 and the number I wanted and instructed me to stand behind the computer screen.

Props to staff member number 2. She used what’s known as physical safeguards….which simply means that she used measures to prevent me from seeing other people’s information.

HIPAA’s Definition of Physical Safeguards

HIPAA defines physical safeguards as policies and procedures to protect a covered entity’s electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion. Therefore, health care providers like the ER must implement policies and procedures to limit physical access to their electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed. HIPAA also requires that health care providers implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.

In this example, a provider serving mainly HIV patients entered into a resolution agreement with Health and Human Services that required it to reposition its computer monitors to prevent patients from viewing information on the screens. The practice installed computer monitor privacy screens to prevent impermissible disclosures.

Physical Safeguards Are Important

This isn’t meant to call out a “wrongdoing”, just to illustrate how easy it is to forget to protect someone’s data and how easy it is to protect it.

Training staff on practices using actual scenarios like mine and repeating the training often are keys to success. Ingrain it so it can’t be forgotten easily. Kind of like those ubiquitous “employees must wash hands before returning to work” signs.

Have you ever seen anyone’s data by mistake? What did you see?


Are You Antsy over ANSI & Why It’s Hanging Out in HIPAA Regs?

Are You Antsy over ANSI?

ANSI stands for the American National Standards Institute. ANSI is a private non-profit organization that oversees the development of voluntary consensus standards for products, services, processes, systems, and personnel in the United States. The organization also coordinates U.S. standards with international standards so that American products can be used worldwide. For example, standards ensure that people who own cameras can find the film they need for that camera anywhere around the globe. The Institute administers five standards panels, including the Healthcare Information Technology Standards Panel. The panel works to identify, coordinate, and harmonize voluntary standards relevant to these areas. So you may now see why ANSI would be relevant to HIPAA.

ANSI is referenced in Section 160.103 of the Health Information Portability and Accountability Act (HIPAA), within the definitional section. HIPAA authorizes HHS to require the use of standards for the electronic exchange of health care data and to specify what medical and administrative code sets should be used within those standards. Later, ANSI appears in the administrative requirement section of HIPAA, Section 162.940, which explains how an organization may petition HHS to deviate from standard transactions and code sets. HHS sets forth a list of evaluative criteria by which such requests will be examined. The petitioning process is extensive and burdensome. In part, an organization must show that the modification is supported by an ANSI-accredited standard-setting organization or public organization that would maintain the standard over time.

ANSI ANGST

There has been much discussion and gnashing of teeth regarding a looming requirement that all HIPAA covered entities update to ANSI 5010 and begin using the updated ICD-10 code set. Here, think of ANSI 5010 as the pipeline and ICD-10 as the oil—the highly detailed and discrete coding information system to help ensure precise reimbursement.

By October 1, 2014, all covered entities must be ready to embrace the new coding system, having made all the necessary technological updates and provided adequate training to physicians and administrative staff.

ANSI Understanding?

Hopefully, you now have a better idea about ANSI’s role in standardizing the method by which health care information is coded and conveyed.

Please comment if you have thoughts or questions.  You can also e-mail me @ julie@esq140.com.

Thinking too much about ANSI

Julie Meadows-Keefe


Privacy and Meaningful Use Stage Two Proposed Rule

Meaningful Use Stage Two

As you might know, this week the Center for Medicare and Medicaid released its proposed rule for Meaningful Use Stage II.

You will note that the proposed rule emphasizes direct contact with patients, patient safety (especially in medication administration to those hospitalized) and a modicum of flexibility in order to reduce burdens upon providers and vendors.  There didn’t appear to be much discussion of HIPAA/privacy.

I spend a great deal of time in my practice thinking about issues of privacy and security and HIPAA compliance and was therefore interested in seeing how the draft rules dealt with these.

Where is Privacy Considered Within Meaningful Use?

A rudimentary word search revealed that the first reference to privacy was found on page 77 of a 445 page document. That particular reference basically exhorts eligible providers, “Oh, and hey, by the way, remember that thing called HIPAA!” Actually, the reference goes on to redeem itself a bit, because it then explicitly tells providers that HIPAA does not restrict a provider from giving the patient access to his/her clinical summaries. Indeed, the rule requires that patients be provided with their clinical summaries within 24 hours 50 percent of the time.

The next two references were music to this breach avoidance evangelist’s ears! The draft points out the vital nature of encryption and states that almost 40 percent of large breaches reported to HHS involve lost or stolen devices. If these devices are properly encrypted, covered entities basically “get out of jail free.” Thorough risk analysis and security updates are also highlighted. http://www.ofr.gov/OFRUpload/OFRData/2012-04443_PI.pdf

The rule drafters take pains to highlight that discussion of certain HIPAA requirements within the context of defining Stage Two Meaningful Use does not in any way diminish the requirement that eligible providers adhere to all requirements of the HIPAA Privacy and Security Rules as well as state confidentiality rules. Additionally, those providing substance abuse and mental health services are reminded to review SAMHSA regulations. http://www.ofr.gov/OFRUpload/OFRData/2012-04443_PI.pdf

Stage Two also includes a requirement that Eligible Providers give patients the ability to access, view, download and transmit their own health information within 4 business days of the information being available to the Eligible Provider. This is less a nod to HIPAA than it is to Fair Information Practice Principles, implemented in the 1970s, which set forth minimum standards for allowing citizens access to information collected about them. http://www.ofr.gov/OFRUpload/OFRData/2012-04443_PI.pdf. These principles were instrumental in HIPAA’s development.

Meaningful Use Presupposes Some Meaningful Protection of PHI

In sum, the Proposed Rule defining Stage Two of Meaningful Use highlights the need to ensure adequate protection for protected health information.

The #: meaningfuluseprivacy

The 140: Meaningful Use Stage 2 mentions HIPAA compliance & incorporates by reference more than emphasizing it.

Health Information Exchange Developments in Florida

The 140: Health Information Exchange continues to evolve in Florida

The hash#: #stakeholderinterests

The Central/North Florida Chapter of the Health Information Management Systems Society met today in Tallahassee. In case you missed my live tweets, here are a few highlights:

The Florida Department of Health has a robust comprehensive disease reporting system that is a model for the nation.

State Representative Gayle Harrell is a statewide and national leader on health information exchange. She took comments and concerns from the stakeholders about health information exchange and electronic health record adoption.  As someone with a compliance orientation, I appreciate her understanding of the need to emphasize privacy and security in these systems to enhance patient trust.

Dr. Kenyatta Lee, M.D., Assistant Professor in the Community and Family Medicine Department at the University of Florida College of Medicine, spoke about how electronic health record adoption fosters the patient-centered medical home model of health care delivery.

Harris Corporation presented an update on the progress of Health Information Exchange in Florida.

Finally, professors from Florida International University presented on their ongoing evaluation of Harris Corporation’s performance in building the statewide HIE infrastructure. FIU has been diligently and continually soliciting and accepting input from stakeholders. I participated in the interview process as a member of the Health Information Exchange Coordinating Committee. FIU emphasized that they are acting as independent evaluators; however, they are being paid by AHCA. It will be interesting to see the final draft of the report.

Thorny issues continue to be physician engagement, adoption, sustainability and governance.  Ongoing questions also exist about whether the government should own and/or control the HIE infrastructure.  Educating health care consumers and providers about the benefits of health information exchange is also crucial.  For patients, E.H.R. adoption provides them with better continuity of care and enhanced safety.  For providers, it allows them to deliver care more efficiently and consistently.

As more and more providers race to meet meaningful use requirements, we will continue to see evolving and spirited dialogue about how HIE may meet the needs of all stakeholders, and whether one HIE can serve them all.

How do you feel about what you have read?  Leave a comment below and enjoy your day!


Nurse’s Case Against ARRA Thrown Out Again

The 140: Nurse’s #ARRA-based federal case against HHS dismissed again… #meaningfuluse didn’t prove her case.

The hash: #dismissed

On June 25, 2009, Plaintiffs Beatrice M. Heghmann and Robert A. Heghmann filed a lawsuit against Defendant Kathleen Sebelius, Secretary, Department of Health and Human Services, alleging constitutional violations in connection with the health care provisions of the American Recovery and Reinvestment Act of 2009 (the “Stimulus Act”), (2009). Ms. Heghmann’s husband served as her attorney. Specifically, Ms. Heghmann alleged that provisions of ARRA violated provisions of the Health Insurance Portability and Accountability Act of 1996.

The complaint alleged that the electronic health record system being developed utilizing federal dollars would undermine patient privacy. The aspirational goal set forth in ARRA that every person in America possess an electronic health record by 2014 also concerned Plaintiff because she believed there was insufficient assurance that patients could maintain control over who could access their health information. She alleged that she and others could potentially suffer harm if their protected health information was inappropriately disclosed.

The Court granted HHS’s Motion to Dismiss on May 13, 2010, on the grounds that Plaintiffs lacked standing to bring this lawsuit. Judgment was entered for the Defendant on May 24, 2010. On June 2, 2010, Plaintiffs filed a notice of appeal to the Court of Appeals for the Second Circuit. On March 11, 2011, and after appellate briefing had begun, Plaintiffs stipulated to dismissal of their appeal. On May 4, 2011, Plaintiffs filed a motion for relief from judgment under the Federal Rules of Civil Procedure, asking the Court to vacate its order of dismissal. Specifically, Plaintiffs argued that the Final Rule promulgated on July 28, 2010 by the Department of Health and Human Services (“Final Rule”) under the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”), Title XIII of Division A and Title IV of Division B of the Stimulus Act, refutes the Court’s previous conclusions that (1) the policies and incentives authorized by the HITECH Act are voluntary, and (2) Plaintiffs failed to establish that they would suffer a direct injury-in-fact sufficient to confer standing. The rule pointed to by Plaintiffs was the long-awaited rule defining “meaningful use” of electronic health records. This federal rule sets specific objectives that eligible professionals and hospitals must achieve to qualify for federal incentive payments authorized in ARRA. Plaintiffs’ motion was denied by the US District Court for the Southern District of New York on January 3, 2012.

This case highlights the concern many patients have about the privacy of their most personal information in the world of HITECH. They wonder how or if they can opt out of electronic sharing of their health information. Practitioners may wonder how they would deliver care to a patient who did not want their information exchanged in electronic form.

For now, this particular case appears to have reached a conclusion.

 

S.D.N.Y.,2012. Heghmann v. Sebelius Slip Copy,(S.D.N.Y.)
1:09cv05880 (Docket) (Jun. 25, 2009)

 
