Article Summary: The Federal Trade Commission’s Red Flags Rule for identity theft applies to most health care providers according to the FTC’s current guidance. The FTC makes a clear attempt under the Rule to regulate medical identity theft, as opposed to credit identity theft. The result is that the FTC will have regulatory authority in an area that the Department of Health & Human Services, since the issuance of the Red Flags Rule in late 2007, has seen fit to strengthen under the HITECH Act of 2009, through both enhanced security protections and breach notification requirements. Further, the HITECH Act put into motion aggressive health information technology reform that also will likely address medical identity theft. Do we really need another federal agency regulating the privacy and security protections that health care providers provide for medical records? This article summarizes the key components of the Red Flags Rule that will draw most health care providers into its reach and discusses how current health care reforms may impact favorably on preventing medical identity theft.
The HHS Implementation Plan for the HITECH Act
The HHS HITECH Act Technology Implementation Plan. The U.S. Department of Health & Human Services (HHS) has a broad role in the implementation of multiple health and welfare plans addressed by the American Recovery and Reinvestment Act of 2009 (ARRA). In order to manage and coordinate its many obligations under ARRA, HHS established the Office of Recovery Act Coordination. This office is responsible for ensuring that ARRA programs are designed to best meet ARRA objectives and reporting due dates, to establish and track performance outcomes, mitigate the risks of fraud and abuse, and to keep the public informed through the Web and other means of communication. The Office of Recovery Act Coordination released a 291-page implementation plan to address each aspect of HHS responsibilities under the ARRA, including a distinct Act within ARRA focused on health information technology, privacy and security. This Act is titled, “Health Information Technology for Economic and Clinical Health Act” (HITECH Act).
First draft of “meaningful use” to be released on June 16, 2009!
[See more Recent Post dated June 17, 2009, for the HITECH Law Blog’s discussion of the June 16, 2009 HIT Policy Committee Meeting on Meaningful Use!]
CMS Hosting National Conference Call on HIPAA Version 5010–June 9, 2009
On June 9, 2009, from 2:30 pm to 4:00 pm EDT, the Centers for Medicare & Medicaid Services (CMS) will host a national education conference call to address Medicare’s FFS implementation of HIPAA Version 5010. CMS is conducting this call for all Medicare fee-for-service (FFS) providers. The call is to give a general overview of Medicare’s transition to HIPAA Version 5010 and address some of the exceptions and situations providers may encounter as the new version is implemented. The call will include a presentation and Subject Matter Experts to answer questions specific to Medicare. CMS has a HIPAA Version 5010 Webpage to track implementation dates and post informational documents.
To participate in the live conference call, listeners must register in advance. Registration will close at 2:30 p.m. ET on June 8, 2009, or when available space has been filled. To register, click here.
CMS will post a PowerPoint presentation on its HIPAA Version 5010 Webpage before the call. An audio version of the conference call also will be made available later on the HIPAA Version 5010 webpage.
HIT Standards Commitee Work Groups to Focus on Data Exchanges that Constitute Meaningful Use
Under the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act), the Office of National Coordinator for Health Information Technology (ONC) and the United States Department of Health and Human Services (HHS) are vested with authority to further define “meaningful use” as it relates to qualifying to receive stimulus funds for the adoption and implementation of electronic health records (EHRs). ONC’s Health Information Technology (HIT) Standards Committee is vested with authority under HITECH to propose a national HIT standard for EHRs that takes into consideration “meaningful use” and interoperability. In order to meet the HITECH Act’s December 31, 2009 deadline for coming up with this standard, however, the HIT Standards Committee must begin its work before “meaningful use” is further defined. Accordingly, during its first meeting on May 15, 2009, the HIT Standards Committee identified three primary data exchanges that would be integral to “meaningful use.” These data exchanges are: 1) Clinical Operations; 2) Quality; and 3) Security. The HIT Standards Committee formed a work group for each of these types of data exchanges.
Clinical operations HIT data exchanges would include e-prescribing and medication management, lab ordering and results, and a clinical summary exchange. The clinical summary exchange would be critical to enabling physicians and practitioners unfamiliar with a patient’s history to retrieve the most important facts quickly. For example, a clinical summary might include the patient’s problem list, medications, allergies, and text based reports such as operating notes, diagnostic testing reports, and discharge summaries.
Quality HIT data exchanges might include information about patient outcomes and treatment plans, patient health behaviors, and physician and practitioner medical decision making.
Secure HIT data exchanges would necessary require considerations of transport, messaging, authentication, authorization, and auditing.
The first meeting date for each work group is as follows: Clinical Operation — June 9, 2009, 10 am to 12 Noon EDT; Quality work group — June 10, 2009, 11 am to 1 pm EDT; Security work group — June 17, 2009, 11:15 am to 1:15 pm EDT.
John D. Halamka, M.D., Vice Chair of the HIT Standards Committee, provided a summary of the April 15, 2009 HIT Standards Committee meeting on his blog entry for May 15, 2009. Mr. Halamka also summarized the first meeting of the HIT Policy Committee on May 12, 2009, on his blog here.
wyatthitechlaw.com 