The FTC’s Identity Theft Red Flags Rule: Catching the uninsured in the act of medical services theft

Article Summary:  The Federal Trade Commission’s Red Flags Rule for identity theft applies to most health care providers according to the FTC’s current guidance. The FTC makes a clear attempt under the Rule to regulate medical identity theft, as opposed to credit identity theft. The result is that the FTC will have regulatory authority in an area that the Department of Health & Human Services, since the issuance of the Red Flags Rule in late 2007, has seen fit to strengthen under the HITECH Act of 2009, through both enhanced security protections and breach notification requirements. Further, the HITECH Act put into motion aggressive health information technology reform that also will likely address medical identity theft. Do we really need another federal agency regulating the privacy and security protections that health care providers provide for medical records? This article summarizes the key components of the Red Flags Rule that will draw most health care providers into its reach and discusses how current health care reforms may impact favorably on preventing medical identity theft.


HIT Standards Committee Work Groups to Focus on Data Exchanges that Constitute Meaningful Use

Under the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act), the Office of National Coordinator for Health Information Technology (ONC) and the United States Department of Health and Human Services (HHS) are vested with authority to further define “meaningful use” as it relates to qualifying to receive stimulus funds for the adoption and implementation of electronic health records (EHRs). ONC’s Health Information Technology (HIT) Standards Committee is vested with authority under HITECH to propose a national HIT standard for EHRs that takes into consideration “meaningful use” and interoperability. In order to meet the HITECH Act’s December 31, 2009 deadline for coming up with this standard, however, the HIT Standards Committee must begin its work before “meaningful use” is further defined. Accordingly, during its first meeting on May 15, 2009, the HIT Standards Committee identified three primary data exchanges that would be integral to “meaningful use.” These data exchanges are: 1) Clinical Operations; 2) Quality; and 3) Security. The HIT Standards Committee formed a work group for each of these types of data exchanges.

Clinical operations HIT data exchanges would include e-prescribing and medication management, lab ordering and results, and a clinical summary exchange. The clinical summary exchange would be critical to enabling physicians and practitioners unfamiliar with a patient’s history to retrieve the most important facts quickly. For example, a clinical summary might include the patient’s problem list, medications, allergies, and text based reports such as operating notes, diagnostic testing reports, and discharge summaries.

Quality HIT data exchanges might include information about patient outcomes and treatment plans, patient health behaviors, and physician and practitioner medical decision making.

Secure HIT data exchanges would necessarily require considerations of transport, messaging, authentication, authorization, and auditing.

The first meeting date for each work group is as follows: Clinical Operation — June 9, 2009, 10 am to 12 Noon EDT; Quality work group — June 10, 2009, 11 am to 1 pm EDT; Security work group — June 17, 2009, 11:15 am to 1:15 pm EDT.

John D. Halamka, M.D., Vice Chair of the HIT Standards Committee, provided a summary of the April 15, 2009 HIT Standards Committee meeting on his blog entry for May 15, 2009. Mr. Halamka also summarized the first meeting of the HIT Policy Committee on May 12, 2009, on his blog here.

How will HITECH’s new privacy & security rules impact your business?

Learn more by attending the Kentucky Chamber’s event, “Understanding the ARRA” on June 2, 2009 at the Griffin Gate Marriott Resort & Spa in Lexington, KY. Carole Christian of Wyatt, Tarrant & Combs, LLP, will discuss HIPAA privacy and security changes brought about by provisions under the ARRA and specifically HITECH.  Her discussion will include a review of the new regime for business associates, data breach notification rules, other HIPAA changes, and Medicaid electronic health records. Other speakers will include Mary Lassiter, Kentucky’s State Budget Director, who will discuss the money flowing to Kentucky’s state government. For more information and registration information, click here:
http://www.kychamber.com/docs/seminarsevents/ARRA-brochure-web.pdf.

Welcome to my new blog!

Welcome to my new “HITECH” blog. This blog will track key developments at the federal and state (Kentucky) levels under the American Recovery and Reinvestment Act of 2009 (ARRA) related to that part of ARRA titled, “Health Information Technology for Economic and Clinical Health Act” (HITECH). My primary interest in HITECH concerns the stimulus for the adoption and implementation of electronic health records (EHRs) by physicians, hospitals, and other healthcare providers and suppliers, as well as Health Information Exchanges (HIEs), Regional Health Information Organizations (RHIOs) and others. The scope of this blog also will encompass the privacy and security requirements and developments under HITECH and HIPAA.

With healthcare reform also on the horizon, the boundaries of what we are going to see and experience in health IT may be, well, simply . . . limitless! I equate what we’re about to experience over the next few years in health IT to a roller coaster ride inside a time machine. So hang on to your hat! It may be a bit bumpy!