The growth of 'e-health' infrastructure is likely to leave healthcare CIOs with a host of potential compliance headaches that will last longer than the normal New Year's Day hangover.
New Medicare provisions for digital prescriptions and expanded HIPAA influence, quietly put forth in a Health and Human Services framework earlier this month, mean more organizations will need to grapple with healthcare compliance issues protecting patient information in 2009. The e-prescription program will include incentives in 2009 and begin including disincentives for continued paper use in 2012.
The Health Insurance Portability and Accountability Act (HIPAA) may soon cover not just healthcare organizations but also providers of electronic personal health records (EPHRs), which belong to the patient rather than the medical establishment and are hosted by a number of commercial services. Since 1996, HIPAA has mandated the privacy of patients and the security of medical records, also known as protected health information (PHI).
Legal compliance requirements around EPHRs, however, have applied only to entities like healthcare providers, healthcare insurers and healthcare clearinghouses. The new framework released by the Department of Health and Human Services (HHS) suggests that HIPAA may soon be extended to other organizations that handle or host EPHRs, such as Microsoft's HealthVault and Google Health.
Securing digital prescriptions
This New Year's Day, Medicare will launch an "e-prescribing incentive plan," offering doctors bonus payments for prescribing medicine electronically. And starting in 2012, Medicare will penalize doctors who continue to write prescriptions on paper.
The program, defined by Section 132 of the Medicare Improvements for Patients and Providers Act of 2008 (MIPPA), and MIPPA itself mean challenges for CIOs. In an effort to provide guidance, the HHS released on Dec. 15 the National Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information [PDF].
HHS intends the new framework to provide guidance to both medical and IT professionals addressing privacy and security concerns related to EPHRs exchanged in a network, regardless of the specific healthcare compliance requirements applicable to a particular organization. The framework provides policy guidelines and a set of principles but does not enshrine them in a legal directive. Congress may adopt the principles in a codified form if proposed e-health legislation from President-elect Barack Obama's incoming administration passes.
Healthcare CIOs who want to stay ahead of potential HIPAA compliance requirements applicable to EPHRs would do well to consider the following suggestions from the Healthcare Information and Management Systems Society:
Life as a Healthcare CIO, a blog written by Dr. John Halamka, CIO at Harvard Medical School and CareGroup Inc., tracks EPHR developments and asks questions about use and implementation. Halamka commented on the HHS privacy framework on the day of its release, noting with approval that "Secretary Leavitt [had] released the nation's first national privacy framework for personal health records."
2009 is fast approaching. Enjoy celebrating the new year. And then, if you haven't already, start determining how, where and when electronic health records enter, leave and are stored in your network. If you have doctors who might be sending and storing e-prescriptions over a network you administrate, your compliance may depend upon it.
Let us know what you think about the story; email: Alex Howard, Associate Editor, SearchCompliance.com.