HHS Issues New Proposed Regulations Implementing the HITECH Changes to the HIPAA Privacy and Security Rules
On July 14, 2010, the Office of Civil Rights of the Department of Health and Human Services (HHS) issued proposed regulations containing modifications and clarifications to the privacy standards, security standards, and enforcement regulations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH Act). The following is a brief overview of certain items addressed in the proposed regulations:
- Expanded Definition of Business Associate. The definition of who will be categorized as a business associate has been expanded. Business associates now include health information exchange organizations, e-prescribing gateways, regional health information organizations, and vendors that offer a personal health record to patients on behalf of a covered entity. Thus, the above entities that access protected health information on a routine basis are directly required to comply with the requirements of HIPAA. The proposed rule does clarify that entities which act as mere conduits for the transport of protected health information, but do not access such information other than on a random or infrequent basis, are not business associates.
- Expanded Definition of Subcontractor. The definition of who will be categorized as a subcontractor has been expanded to include “any person who acts on behalf of a business associate, other than in the capacity of a member of the workforce of such business associate.” Thus, business associates must enter into business associate agreements with subcontractors who will have access to the covered entity’s protected health information. Subcontractors must comply fully with both the Privacy and Security Rules under HIPAA, including breach notification provisions.
- Research and Compound Authorizations. Currently, HIPAA permits a covered entity to combine an authorization for the use or disclosure of protected health information for a research study with any other type of written permission for the same research study. Covered entities are not permitted to combine an authorization for a research study with another authorization when one authorization involves treatment or payment upon execution and the other does not, unless certain requirements are met. The proposed regulations expand the methods that may be used to meet such requirements and ask for comments on additional methods that would clearly differentiate the conditioned and unconditioned research activities on the compound authorization.
- Minimum Necessary Standard. HIPAA requires that covered entities and business associates limit their use and disclosure of, and requests for, protected health information to “the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.” Until the final rule is issued, the HITECH Act specifies that a covered entity will be in compliance with the minimum necessary standard if its use and disclosure of protected health information is limited to: (i) the limited data set; or (ii) if the limited data set does not meet the needs of the use, disclosure or request, to the minimum necessary in accordance with the entity’s polices and procedures. HHS seeks comment on what aspects of the minimum necessary standard covered entities and business associates believe would be most helpful to have and the types of questions entities may have about how to appropriately determine the minimum necessary for purposes of complying with the Privacy Rule.
HHS has solicited and is accepting comments on the proposed regulations through September 13, 2010. The final rule will be issued sometime thereafter. The compliance date for the regulations will be 180 days after the date on which the final regulations are issued.
The full text of the proposed regulations can be found here.
CMS Publishes “Meaningful Use” Health IT Final Rule
In late July, the Centers for Medicare and Medicaid Services (CMS) published the “meaningful use” final rule in the Federal Register. The final rule becomes effective September 27, 2010, and, among other things, specifies the initial criteria that eligible professionals (EPs), eligible hospitals, and critical access hospitals must meet to qualify for an incentive payment. CMS received more than 2,000 comments to its proposed rule, and based on those comments, made significant changes to several important provisions. Among the highlights:
- For Stage One, the proposed rule had called on physicians and other eligible professionals to meet 25 objectives (23 for hospitals) in reporting their meaningful use of electronic health records (EHRs). The final rule, however, divides the objectives into a “core” group of required objectives and a “menu set” of procedures from which providers can choose. There are 15 core requirements for eligible professionals and 14 for hospitals. There are 10 discretionary requirements for both EPs and hospitals from which five must be chosen. This two-track approach is intended to ensure that the basic elements of meaningful use will be met by all providers qualifying for incentive payments, while at the same time allowing flexibility in other areas to reflect varying needs.
- Many thresholds contained in the proposed rule have been reduced. For example, under the proposed rule, providers would have been required to use computerized physician order entry
for 80 percent of orders for Eligible Professionals and 10 percent of orders for hospitals. The language in the final rule focuses on order entry of medications and requires that 30 percent
of patients with medication orders have at least one medication order entered electronically in a payout year. This requirement applies to both EPs and hospitals.
- The required clinical quality measures have been reduced to six for eligible professionals and 15 for hospitals. For EPs, there are three core measures required, three alternative core measures, and a choice of three from a pool of discretionary measures. Reporting by attestation is required beginning in 2011, electronic reporting in 2012. Clinical quality measurements for specialists have been eliminated for Stage One.
- The final rule includes the objective of providing patient-specific educational resources for both EPs and eligible hospitals and the objective of recording advance directives for eligible hospitals.
- A hospital-based EP is defined as one who performs substantially all of his or her services in an inpatient hospital setting or emergency room only, which conforms to the Continuing Extension Act of 2010.
- The rule makes final a proposed rule definition that would make individual payments to eligible hospitals identified by their individual CMS Certification Number. The final rule retains the proposed definition of an “eligible hospital” because CMS deems it to be most consistent with how Medicare has applied the statutory definition of a “subsection (d)” hospital under other hospital payment regulations.
- Under Medicaid, the final rule includes critical access hospitals in the definition of acute care hospital for the purpose of incentive program eligibility.
- The final rule’s economic analysis estimates that incentive payments under Medicare and Medicaid EHR programs for 2011 through 2019 will range from $9.7 billion to $27.4 billion.
To view the final rule, please click here.
New Jersey Hospital Successful in Appointing Special Medical Guardian for Patient who Refused Care on Religious Grounds
A New Jersey Superior Court in In the Matter of J.M., P-036-10, decided that J.M., who refused dialysis on religious grounds lacked the capacity to make such a decision. J.M. had been admitted to Valley Hospital and was diagnosed with end-stage kidney disease, hypertension, uremia, anemia and lupus. J.M. had consented to other medical procedures and to resuscitation in the case of emergency, demonstrating a desire to live. However, she refused dialysis stating that she believed Jesus would cure her. She also stated she was afraid of the dialysis machine and believed she would lose income as a result of the time spent on the dialysis machine. The Hospital turned to the court to appoint a special medical guardian after three separate psychiatrists disagreed about whether J.M. was competent to refuse dialysis. The judge appointed a guardian ad litem and appointed an attorney to advocate for J.M.’s wishes. The judge heard testimony regarding the seriousness of J.M.’s condition, as well as testimony that J.M.’s judgment was affected by the buildup of toxins in her system resulting from her kidney failure. The judge ruled that a special medical guardian should be appointed because J.M refused to acknowledge the risk inherent in her refusal of treatment because she denied she would most likely die without dialysis. Additionally, she demonstrated through her other medical choices, such as consenting to blood transfusions and refusing a do not resuscitate order, an unequivocal desire to live. J.M. has since undergone dialysis and has decided against an appeal.