The following postings relate to ARRA 2009 HITECH including HIPAA Administrative Simplification subtitle and HITECH Subtitle D.
______________________________________________________________________
Good morning: the following gov't hot link seems to be a site wherein the new ARRA 09 is now available albeit still as portions of the Conference Report for HR1:
http://www.conferencereport.gpoaccess.gov/SearchCongressionalRecord.aspx?CongressionalRecordId=xN/m0fuchas=
OR
http://tinyurl.com/b7m22x
Quoted from that page:
Conference Report on H.R. 1 (1 of 5): PDF / ASCII text
Conference Report on H.R. 1 (2 of 5): PDF / ASCII text
Conference Report on H.R. 1 (3 of 5): PDF / ASCII text
Conference Report on H.R. 1 (4 of 5): PDF / ASCII text
Conference Report on H.R. 1 (5 of 5): PDF / ASCII text
Recall the DOJ HIPAA enforcement Memo to HHS:
http://www.usdoj.gov/olc/hipaa_final.htm
and consider how the foregoing is affected by ARRA 09/HITECH:
(b) Application of Civil and Criminal Penalties- In the case of a business associate that violates any security provision specified in subsection (a), sections 1176 and 1177 of the Social Security Act (42 U.S.C. 1320d-5, 1320d-6) shall apply to the business associate with respect to such violation in the same manner such sections apply to a covered entity that violates such security provision.
AND
SEC. 13409. CLARIFICATION OF APPLICATION OF WRONGFUL DISCLOSURES CRIMINAL PENALTIES.
Section 1177(a) of the Social Security Act (42 U.S.C. 1320d-6(a)) is amended by adding at the end the following new sentence: `For purposes of the previous sentence, a person (including an employee or other individual) shall be considered to have obtained or disclosed individually identifiable health information in violation of this part if the information is maintained by a covered entity (as defined in the HIPAA privacy regulation described in section 1180(b)(3)) and the individual obtained or disclosed such information without authorization.'.
Note the following newly federally statutorily defined terms:
(1) BREACH- The term `breach' means the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security, privacy, or integrity of protected health information maintained by or on behalf of a person. Such term does not include any unintentional acquisition, access, use, or disclosure of such information by an employee or agent of the covered entity or business associate involved if such acquisition, access, use, or disclosure, respectively, was made in good faith and within the course and scope of the employment or other contractual relationship of such employee or agent, respectively, with the covered entity or business associate and if such information is not further acquired, accessed, used, or disclosed by such employee or agent.
(5) ELECTRONIC HEALTH RECORD- The term `electronic health record' means an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.
(11) PERSONAL HEALTH RECORD- The term `personal health record' means an electronic record of individually identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or for the individual.
(18) VENDOR OF PERSONAL HEALTH RECORDS- The term `vendor of personal health records' means an entity, other than a covered entity (as defined in paragraph (3)), that offers or maintains a personal health record.
(A) IN GENERAL- Subject to subparagraph (B), for purposes of this section, the term `unsecured protected health information' means protected health information that is not secured through the use of a technology or methodology specified by the Secretary in the guidance issued under paragraph (2).
(B) EXCEPTION IN CASE TIMELY GUIDANCE NOT ISSUED- In the case that the Secretary does not issue guidance under paragraph (2) by the date specified in such paragraph, for purposes of this section, the term `unsecured protected health information' shall mean protected health information that is not secured by a technology standard that renders protected health information unusable, unreadable, or indecipherable to unauthorized individuals and is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute.
(1) BREACH OF SECURITY- The term `breach of security' means, with respect to unsecured PHR identifiable health information of an individual in a personal health record, acquisition of such information without the authorization of the individual.
(2) PHR IDENTIFIABLE HEALTH INFORMATION- The term `PHR identifiable health information' means individually identifiable health information, as defined in section 1171(6) of the Social Security Act (42 U.S.C. 1320d(6)), and includes, with respect to an individual, information--
(A) that is provided by or on behalf of the individual; and
(B) that identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.
(3) UNSECURED PHR IDENTIFIABLE HEALTH INFORMATION-
(A) IN GENERAL- Subject to subparagraph (B), the term `unsecured PHR identifiable health information' means PHR identifiable health information that is not protected through the use of a technology or methodology specified by the Secretary in the guidance issued under section 13402(h)(2).
(B) EXCEPTION IN CASE TIMELY GUIDANCE NOT ISSUED- In the case that the Secretary does not issue guidance under section 13402(h)(2) by the date specified in such section, for purposes of this section, the term `unsecured PHR identifiable health information' shall mean PHR identifiable health information that is not secured by a technology standard that renders protected health information unusable, unreadable, or indecipherable to unauthorized individuals and that is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute.
AND THE FOLLOWING IMPLICATES A DEFINITION FOR HIE/HIEO/RHIO/EPG:
SEC. 13408. BUSINESS ASSOCIATE CONTRACTS REQUIRED FOR CERTAIN ENTITIES.
Each organization, with respect to a covered entity, that provides data transmission of protected health information to such entity (or its business associate) and that requires access on a routine basis to such protected health information, such as a Health Information Exchange Organization, Regional Health Information Organization, E-prescribing Gateway, or each vendor that contracts with a covered entity to allow that covered entity to offer a personal health record to patients as part of its electronic health record, is required to enter into a written contract (or other written arrangement) described in section 164.502(e)(2) of title 45, Code of Federal Regulations and a written contract (or other arrangement) described in section 164.308(b) of such title, with such entity and shall be treated as a business associate of the covered entity for purposes of the provisions of this subtitle and subparts C and E of part 164 of title 45, Code of Federal Regulations, as such provisions are in effect as of the date of enactment of this title.
AND [psychotherapy notes]
SEC. 13421 ... The Secretary shall by rule amend such Federal regulations as required to make such regulations consistent with this subtitle. In carrying out the preceding sentence, the Secretary shall revise the definition of `psychotherapy notes' in section 164.501 of title 45, Code of Federal Regulations, to include test data that is related to direct responses, scores, items, forms, protocols, manuals, or other materials that are part of a mental health evaluation, as determined by the mental health professional providing treatment or evaluation.
Query when HHS will provide proposed/interim final/final rules regarding the following time-sensitive provisions, and note "take effect", which used to be different from "enforceable"; but it seems, subject to further review, that the following are not "standards" and thus won't suffer under a two-year-plus delay period:
SEC. 13423. EFFECTIVE DATE.
Except as otherwise specifically provided, the provisions of part I shall take effect on the date that is 12 months after the date of the enactment of this title.
...
PART I--IMPROVED PRIVACY PROVISIONS AND SECURITY PROVISIONS
SEC. 13401. APPLICATION OF SECURITY PROVISIONS AND PENALTIES TO BUSINESS ASSOCIATES OF COVERED ENTITIES; ANNUAL GUIDANCE ON SECURITY PROVISIONS.
(a) Application of Security Provisions- Sections 164.308, 164.310, 164.312, and 164.316 of title 45, Code of Federal Regulations, shall apply to a business associate of a covered entity in the same manner that such sections apply to the covered entity. The additional requirements of this title that relate to security and that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporated into the business associate agreement between the business associate and the covered entity....
SEC. 13404. APPLICATION OF PRIVACY PROVISIONS AND PENALTIES TO BUSINESS ASSOCIATES OF COVERED ENTITIES.
(a) Application of Contract Requirements- In the case of a business associate of a covered entity that obtains or creates protected health information pursuant to a written contract (or other written arrangement) described in section 164.502(e)(2) of title 45, Code of Federal Regulations, with such covered entity, the business associate may use and disclose such protected health information only if such use or disclosure, respectively, is in compliance with each applicable requirement of section 164.504(e) of such title. The additional requirements of this subtitle that relate to privacy and that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporated into the business associate agreement between the business associate and the covered entity.