HITECH’s Impact on Research August 18, 2009
HITECH Act (1)
• Health Information Technology for Economic and Clinical Health Act
• Part of American Recovery and Reinvestment Act of 2009 (Stimulus Bill)
• Creates new federal Health and Human Services (HHS) Office
  • Office of the National Coordinator for Health Information Technology (ONC)
HITECH Act (2)
• ONC to manage/allocate $20 billion in support of Health Information Technology (HIT) projects
  • investment in HIT infrastructure to facilitate a nationwide HI network
  • standards development
  • incentives through Medicare & Medicaid reimbursement for using EHR technology
• Additional HIPAA Privacy and Security rules
New Rules
• Largest impact in clinical care arena
• Three provisions affect research
  • Notification of breaches
  • Sale of PHI
  • Audits
Notification of Breaches (1)
• Notifications required when unsecured PHI is part of a security breach
• HHS has issued draft guidance on how to ‘secure’ PHI
• Only two acceptable methods; but are requesting feedback on additional security parameters
  • Encryption
    • Data at rest (consistent with Nat. Inst. of Standards & Technology Pub. # 800-111)
    • Data in motion (comply with requirements of Fed. Info. Processing Standards 140-2)
  • Destruction
• ‘breach’ broadly defined to include unauthorized acquisition, access, use or disclosure of PHI that compromises its security, privacy or integrity; excludes inadvertent disclosure when information is not further acquired, accessed, used or disclosed
Notification of Breaches (2)
• Must notify subject without unreasonable delay; at least within 60 days after discovery of breach
  • A brief description of what happened
  • PHI involved in the breach
  • Steps the individual should take to protect him/herself
  • What you are doing to investigate the breach, to mitigate losses and to prevent further breaches
  • Contact information (a toll free #, e-mail address, website or postal address)
Notification of Breaches (3)
• Must notify prominent media outlets if breach affects 500 or more individuals
• Must notify Health and Human Services
  • immediate notification if 500 or more subjects affected by the breach; posted on HHS website
  • smaller breaches reported annually
• Effective 30 days following issuance of HHS regulations—approximately September 15, 2009
Sale of PHI
• Requires patient authorization
• Exception for research
  • As long as the price charged is limited to data preparation and transmittal costs
  • Awaiting guidance on what can be considered a ‘preparation’ cost
Audits
• Secretary of HHS to conduct periodic audits of CEs to ensure compliance
  • Not a current requirement of HIPAA Privacy/Security Rules
• Criminal and civil penalties
  • Not new
• What is new
  • Apply to individual employees as well as organization
  • Civil penalties substantially increased
    • Was $100/violation up to $25K/year for same violation
    • Now range of $100 to $50K/violation up to $25K to $1.5M/year
    • Range based on level of culpability
  • Penalties collected used to fund enforcement efforts
  • Patients to receive a portion of the penalties