The Medicare Telehealth Enhancement Act, House Resolution 2068, would expand Medicare reimbursement to telemedicine facilities in urban and suburban areas. The bill would also provide $30 million in grant funding for healthcare organizations.
On April 27, HIMSS published its definitions of "meaningful use of certified EHR technologies" as outlined in the American Recovery and Reinvestment Act of 2009. HIMSS sent a cover letter, plus two definitions: 1) meaningful users of certified EHR technologies and 2) meaningful use for hospitals, to the National Coordinator of Health IT and the Acting CMS Commissioner, within the Department of Health and Human Services, according to a HIMSS release.
Invented 16 years ago, virtual colonoscopy has become an increasingly popular alternative to standard, or optical, colonoscopy, which is typically performed by a gastroenterologist. Initially regarded as a high-tech novelty, the new procedure has in recent months received key endorsements as a first-line screening test from influential medical groups. But in February, officials at the Centers for Medicare & Medicaid Services announced a preliminary decision not to cover the procedure as a mass screening test for Medicare recipients.
Tevi Troy, deputy secretary of the Department of Health and Human Services from 2007 to 2009, offers his thoughts on what he calls common health IT myths in this article for the Washington Post. Troy questions whether the $20 billion for EHRs in the stimulus package is worth the risk.
Thanks to HHS, we now know what "unsecured protected health information" means. So where do we go from here?
If you're leading an organization that handles protected health information (PHI), you may be asking that question today.
As HealthLeaders Media reported Tuesday, HHS issued a proposal for security breach notification in a 20-page report that defines acceptable conditions for covered entities and business associates to encrypt or destroy their private patient data to secure PHI and prevent a breach.
The guidance includes the technologies and methods specified by the secretary of HHS that render PHI "unusable, unreadable, or indecipherable to unauthorized individuals."
In other words, if the data does not include these methods and technologies, it could be considered "unsecured PHI."
Time to go out and buy the latest encryption software, right? Not quite.
With its draft guidance, HHS really did no more than point to the NIST standards of data encryption, endorsed by the government regulators long before the release of the draft guidance last week, says Chris Apgar, CISSP, president of Apgar & Associates in Portland, OR.
To that end, check whether your organization is already in compliance and already using the government-approved encryption methods for information flowing out of your network.
Further, covered entities and business associates are not required to follow the guidance. HHS says in the guidance it merely creates a "safe harbor" and protects covered entities and business associates from notification requirements when a security breach occurs.
After a public comment period, which ends May 21, the final guidance will be released by August 17, according to the ARRA.
And there will be comments, says Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, of Rebecca Herold & Associates, LLC, of Des Moines, IA.
"I think there are going to be changes as far as the way to secure PHI," Herold says. "They provided basically two methods (encryption and destruction), which are both important and good. But I think there may need to be additional methods that go beyond those two."
Here's what else you can take away from the HHS draft guidance:
Consider destruction as well as encryption. "It is important to render disposed PHI, in all forms, irreversibly destroyed as well," Herold says. "The statement, 'Note that the technologies and methodologies referenced … are intended to be exhaustive and not merely illustrative' is interesting; this makes it important for all information security and privacy folks who see gaps with these methods to submit feedback and comments during this review period."
Covered entities and their business associates must understand that these requirements apply not only to electronic PHI, but also to PHI in other forms, such as paper.
Look for further specifications of encryption. As Apgar points out, HHS did not specify the level of encryption needed to make data secure. "As an example, if data is encrypted using 128 bit encryption, it is not necessarily 'unsecured' given 128 bit encryption has been broken."
Consult with your IT specialists. Several of the documents recommended by HHS are "very technical in their contents describing various aspects of information systems to include their architecture and on how data are stored, organized, and transferred within an information system," says Frank Ruelas, MBA, the creator of www.hipaabootcamp.com who is based out of Scottsdale, AZ.
What are the legal implications of the guidance? If the guidance were to be final today, how would covered entities and business associates be legally bound? After all, no one is forced to follow it; HHS merely calls it the "functional equivalent of a safe harbor," which reminds John R. Christiansen, of Seattle's Christiansen IT Law, of the European Union data protection or anti-kickback safe harbors. "The most important implication of this is that following the guidance should protect against civil penalty actions by HHS, which published the guidance and therefore is bound by it," he says. "The fact that it is not 100% binding on the courts probably shouldn't matter."
So where do you go from here? Backward to look at your encryption methods. And forward to consider commenting on the HHS draft guidance.
Kaiser Permanente has come up with a system that allows its members to store health information on a USB flash drive that can be carried with them on business trips and vacations. For $5, Kaiser members can get a thumb-sized digital memory device that contains an accurate, up-to-date summary of their health information in a format that virtually any doctor with a computer can read. To safeguard patient privacy, the drive is encrypted and password protected. The information cannot be changed by either the member or the doctor, but patients can get their devices updated for free.