HIT Blawg
February 24, 2010
SUNDAY, FEBRUARY 28

1. HIMSS HIT Venture Fair and Building Your Business Program, Room C307, 8:00a to 5:30p (note: I will be moderating the event and leading the panel on Entrepreneurs and Getting Started.)
2. Liability and Risk Management for Electronic Health Records, Personal Health Records and Health Information Exchanges. Physician Symposium, Room B405, 11:00a
3. Senior Executives Reception, Omni CNN Center, Grand Ballroom, 6:30p to 8:30p.

MONDAY, MARCH 1

4. Keynote Presentation 8:00a - Views From the Top.
5. Moderating the presentation on The Joint Commission on National Patient Safety Goals with Patricia Adamski, Georgia Ballroom 2, 12:15p
6. New Members Reception, B203, 4:30p
7. Policy Leader's Networking Dinner, 7:00p, Legal Seafood

TUESDAY, MARCH 2

8. Public Policy Breakfast, A412, 7:00a
9. Delaware Valley Chapter Luncheon
10. HIMSS Awards Dinner 6:00.

THURSDAY, MARCH 4

11. Moderating the presentation on The False Claims Act with Harry Markopolos.
12. I will also be attending presentations throughout the week. (Extra: I plan to attend the following presentations:
September 23, 2009
The Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC) Breach Regulations presume that all unauthorized disclosures are breaches. Anyone who discloses information must be able to demonstrate compliance with HHS Security Guidance to establish that no breach occurred.

The American Recovery and Reinvestment Act of 2009 (ARRA) provisions on health information technology (known as HITECH for the acronym deficient) define the term "breach" to mean "the unauthorized acquisition, access, use or disclosure of protected health information (PHI) which compromises the security or privacy of such information…." HITECH section 13400(1). Privacy and security are presumed under the ARRA (www.recovery.gov).

Contrary to the ARRA, however, the recently published FTC (www.ftc.gov) regulations, and the companion interim final regulations from the Department of Health and Human Services (HHS) on breach notification and security of health information, flip the presumption. The FTC defines breach of PHR identifiable information to mean acquisition "without the authorization of the individual." Unauthorized acquisition shall be presumed to include unauthorized access…unless the vendor, PHR related entity or third party service provider that experienced the breach has reliable evidence showing that there has not been or could not reasonably have been, unauthorized acquisition of such information. 16 CFR §318.2 (emphasis added)

Likewise, the HHS Interim Final rulemaking provides that in the event of an unauthorized or impermissible use or disclosure a covered entity or business associate "shall have the burden of demonstrating that… the disclosure did not constitute a breach…" 45 CFR §164.414 (emphasis added)

Why is this important?

The ordinary use and disclosure of health information involves frequent transmissions to the incorrect recipient, or to an unidentified recipient. Under the FTC and HHS rules, once information falls into the wrong recipient's hands, it is considered breached whether or not it is actually viewed by the wrong person, and all the notification provisions and potential penalties apply. Effectively, there is a presumption of guilt which the entity that has data at rest, in motion, in use or not yet destroyed must overcome.

How to Protect Your Interests?

The new compliance imperative is to document how information is secured. Moreover, the method of security should meet the standards approved in the HHS guidance published April 17, 2009. That guidance identifies the technologies and methodologies that render PHI "unusable, unreadable or indecipherable to unauthorized individuals." The Guidance specifies the standards published by the National Institute of Standards and Technology, and includes detailed provisions on encryption.

Whom to contact?

For help establishing an appropriate compliance program to address this and other privacy and security issues, please contact me at Howard@BurdeLaw.com.