HHS: New Sheriff in Town?

On October 30, 2009 HHS issued the following release:

>>

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued an interim final rule today to conform the enforcement regulations promulgated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to currently effective statutory revisions made pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA).

In this interim final rule, published today in the Federal Register, HHS amends HIPAA’s enforcement regulations that relate to the imposition of civil money penalties to incorporate the HITECH Act’s categories of violations, tiered ranges of civil money penalty amounts, and revised limitations on the Secretary’s authority to impose civil money penalties for established violations of HIPAA’s Administrative Simplification Rules.  This interim final rule does not make amendments with respect to those enforcement provisions of the HITECH Act that are not yet effective under the applicable statutory provisions.  This interim final rule is effective 30 days after today.   

>>

If you are trying to follow along with the maze of HITECH's effective dates I suggest that you start here. HHS's Interim Final Rule ("IFR"), in general, relates to HITECH Section 13410-Improved Enforcement. The bottom line is that the "new Sheriff" has far more authority under HITECH to impose more stringent civil fines. Couple that with, among other things, HITECH fines returning to HHS' Office of Civil Rights coffers and you have a dramatically altered HITECH/HIPAA regulatory landscape. The full text of the IFR can be found here, along with HHS' commentary regarding same. If you want to review the sections of the Social Security Act that HITECH 13410 revises click here.

For more information on HITECH / HIPAA Privacy and Security Rules go to The HIPAA Survival Guide website or sign up for Digital Business Law Group's free monthly compliance newsletter.

Note: We will start conducting HITECH / HIPAA Risk Management Webinars beginning in January, 2010 that may also be of interest. These webinars will be managed as a forum of "round-table" discussions on the pertinent issues, with many opportunities for audience participation and questions.

Note: We will start conducting HITECH / HIPAA Risk Management Webinars beginning in January, 2010 that may also be of interest. These webinars will be managed as a forum of "round-table" discussions on the pertinent issues, with many opportunities for audience participation and questions.

Danger: Smart Government at Work?

The Implementation Workgroup Testimony. Great post by John Halamka summarizing our current status regarding implementation of the beseline standards required to effectively exchange healthcare data across a number of domains (e.g. ePerscribing, Labs, administrative transactions, etc.). What is encouraging is that these folks have "grokked" the lessons of historically successful standards development initiatives. Here is a gross oversimplification of these lessons:

• Keep the standards lightweight for widespread adoption
• Target the simple use cases first
• Implement early and often

Notice also in John's post he links to an online, government sponsored forum, for achieving widespread collaboration on this work. The is proof that the power behind enabling technologies is starting to permeate government led initiatives, which should be a cause for celebration. President Obama gets it and correctly sums this up in his mantra of: "we don't need big government or small government, what we need is smart government."

John also makes a subtle but important distinction when he states that privacy and security concerns clearly need to be addressed as standards are developed, concurrent with said development, but of the two having the correct privacy policy in place is the more important. Why is that? Let me attempt an answer to this premise. Security, although often non trivial to implement based on the technical complexity, is a problem that has already been solved in other industries, it is an engineering problem. We are good at solving engineering problems (e.g. insert "man on the moon" meme).

A privacy policy, however, is culturally and organizationally complex (i.e. a wicked problem) and historically we have not been so good at solving these kinds of problems. All the really tough problems facing us (and the planet) are wicked problems. We should collectively become more fluent in problem identification because if we don't understand the nature of the problem, we have little hope of solving it effectively or efficiently.

For more information on HITECH / HIPAA Privacy and Security Rules go to The HIPAA Survival Guide website or sign up for Digital Business Law Group's free monthly compliance newsletter.

Note: We will start conducting HITECH / HIPAA Risk Management Webinars beginning in January, 2010 that may also be of interest. These webinars will be managed as a forum of "round-table" discussions on the pertinent issues, with many opportunities for audience participation and questions.

HIT/EHR Implementations are Wicked Problems!

The Health Care Blog: Is Healthcare IT Ready for its Big Coming Out Party?. It should go without saying, but I will say it anyway, because each industry seems to learn these lessons in their own unique way, that HIT implementations are by definition wicked problems. Whether a covered entity ("CE") goes with the market leader is no guarantee of success. We will be reading much more about EHR disasters in the coming months and years as the health care industry becomes the latest casualty of the people, process and platform conundrum.

Succinctly stated, HIT/EHR implementations are wicked problems to a large degree because people and process issues are ignored while providers focus on technology. All three components are mission critical and clearly, given the complexity, even the platform (read technology) component is "totally non trivial" to get right. So what is the solution? There are NO cookbook solutions, that is part of the definition of a wicked problem. Expect to be confronted with significant "unexpected challenges" and be prepared to iterate your way through them; in short, the best advice is to fail forward fast.

As counter intuitive as fail forward fast may seem (i.e. even more so in the heath care industry where anything that smacks of failure is anathema), this is right prescription but will almost universally not be followed. Why? Because as a society we appear to be hell bent on using engineering methodologies even in cases where agile methodologies are clearly called for. The latter has "failure cycles" built-in while the former is obsessed with getting the right answer.

There is no right answer. The answer will be different for every CE by definition. Add to this mix a completely transformed legal regulatory landscape and the challenges ahead appear daunting to say the least. If you want a fighting chance to succeed then you must start with accepting the premise that your organization must first change the way it thinks about the problem. This is no small feat.

For more information on HITECH / HIPAA Privacy and Security Rules go to The HIPAA Survival Guide website or sign up for Digital Business Law Group's free monthly compliance newsletter.

Note: We will start conducting HITECH / HIPAA Risk Management Webinars beginning in January, 2010 that may also be of interest. These webinars will be managed as a forum of "round-table" discussions on the pertinent issues, with many opportunities for audience participation and questions.

Breach Notification?

Medicaid Payer Gives Breach Notification. By all accounts it looks like CalOptima, a Medicaid managed care plan serving 360,000 recipients in Orange County, Calif., quickly responded to this PHI breach. It notified the appropriate authorities and is in the process of notifying individuals as per the requirements of HITECH Section 13402.

It also appears likely that CalOptima had a breach notification plan in place, given the speed by which it is moving forward to comply with the regulations. Our basic philosophy is that a covered entity ("CE") should assume that a breach of PHI will occur and develop the necessary plan and response templates that will allow it to expedite, and correctly execute, the breach notification requirements of the HITECH Act.

For more information on HITECH / HIPAA Privacy and Security Rules go to The HIPAA Survival Guide website or sign up for Digital Business Law Group's free monthly compliance newsletter.

Note: We will start conducting HITECH / HIPAA Risk Management Webinars beginning in January, 2010 that may also be of interest. These webinars will be managed as a forum of "round-table" discussions on the pertinent issues, with many opportunities for audience participation and questions.

HITECH/HIPAA Survival Guide Release 2.0 Now Available

DBLG Announces Release 2.0 of The HITECH/HIPAA Survival Guide and a HITECH Risk Management Webinar Series. We are happy to announce Release 2.0 of the HITECH/HIPAA Survival Guide (see link) and a HITECH Risk Management Webinar Series starting in January 2010 (final date TBD). The Webinar Series will focus on developing a set of HITECH/HIPAA compliance frameworks:

• HITECH Act Fundamentals (basic tenets of the new compliance regime)
• Organizational (training and process change organization wide)
• Breach Notification (Response teams and response templates)
• Internal Audits (substance and frequency)
• Legal (business associate contracts, compliance tools, input into all other frameworks)
• Attacking the HIPAA Privacy and Security Rules (coverage, budgets, staff skills)

DBLG will be introducing these frameworks in our FREE HITECH/HIPAA Compliance Newsletter with full coverage continued in the Webinars. The HITECH Act has introduced a furious pace of change into the health care industry and annual conferences no longer suffice as the sole primary tools for tracking industry wide game changing events.