The U.S. Department of Health and Human Services (HHS) issued a Notice of Funding Opportunity to expand and accelerate innovative uses of electronic health information via health information exchanges (HIEs) to support state and local public health agencies. Strengthening health data exchange and use between HIEs and state and local public health agencies will help communities to better prevent, respond to, and recover from public health emergencies, including disasters and pandemics such as COVID-19.
With $2.5 million in funding from the Coronavirus Aid, Relief, and Economic Security Act (CARES Act) signed by President Trump on March 27, 2020, the HHS Office of the National Coordinator for Health Information Technology (ONC) will award up to five (5) cooperative agreements under the Strengthening the Technical Advancement and Readiness of Public Health Agencies via Health Information Exchange (STAR HIE) Program.
Award recipients will focus on improving HIE services (such as last-mile connectivity and data services) in support of state and local public health agencies. The STAR HIE Program aims to strengthen existing state and local HIE infrastructure so that public health agencies are able to better access, share, and use health information as well as support communities that have been disproportionately impacted by the COVID-19 pandemic.
“State and local HIEs play a unique role in their communities by uniting health information from many different sites of service, including providers, hospitals, nursing homes, clinical laboratories, and public health departments, making them a natural fit to deliver innovative, local ‘last mile’ approaches to strengthen our overall public health response,” said Don Rucker, M.D., national coordinator for health information technology. “The funding opportunity we announced today will invest in infrastructure and data services for HIEs that provide critical real-time information to communities at the frontlines of responding to the COVID-19 pandemic.”
Award recipients will be required to deploy services that can enable, enhance, or increase the use of health information exchange at the state and local levels among relevant entities, and be inclusive of a diverse set of participating providers, including those who care for vulnerable or at-risk populations. They also will be required to engage in activities that address communities disproportionately impacted by the COVID-19 pandemic, considering factors such as age, race, ethnicity, disability, and sex.
Today, the U.S. Department of Health and Human Services (HHS) announced it is extending the public comment period by 30 days for two proposed regulations aimed at promoting the interoperability of health information technology (health IT) and enabling patients to electronically access their health information. The new deadline for the submission of comments – June 3, 2019 – will allow additional time for the public to review the proposed regulations.
The extension of the public comment period coincides with the release by the HHS Office of the National Coordinator for Health Information Technology (ONC) of the second draft of the Trusted Exchange Framework and Common Agreement, along with a related Notice of Funding Opportunity. HHS also released today a set of frequently asked questions (FAQs) from the Office for Civil Rights (OCR).
The FAQs address the Health Insurance Portability and Accountability Act (HIPAA) right of access as it relates to apps designated by individual patients and the application programming interfaces (APIs) used by a healthcare provider's electronic health record (EHR) system. The FAQs clarify that once protected health information has been shared with a third-party app at the individual's direction, the HIPAA covered entity is not liable under HIPAA for the app's subsequent use or disclosure of that electronic protected health information, provided the app developer is not itself a business associate of the covered entity or of another business associate.
On February 11, 2019, HHS announced two proposed rules to support the seamless and secure access, exchange, and use of electronic health information (with Federal Register publication on March 4, 2019). The rules would increase choice and competition while fostering innovation that promotes patient electronic access to and control over their health information. Together the proposed rules address both technical and healthcare industry factors that create barriers to the interoperability of health information and limit a patient’s ability to access essential health information. Addressing those challenges will help to drive an interoperable health IT infrastructure across systems, enabling healthcare providers and patients to have access to health data when and where it is needed.
This extension responds to requests from a variety of stakeholders, including healthcare provider organizations and industry representatives. The Centers for Medicare & Medicaid Services (CMS) and ONC recognize that both rules address a range of issues with major effects on healthcare. Extending the comment deadline maximizes the opportunity for meaningful public input on the proposed provisions, which are intended to move the healthcare ecosystem toward interoperability.
Guest post by James D. Brown, CTO, StillSecure and Andrew Hicks, Director, Healthcare Practice Lead, Coalfire
In January 2013, the U.S. Department of Health and Human Services (HHS) announced updates to the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. These new rules took effect on March 26, 2013, and covered entities and business associates have until September 23, 2013, to reach compliance. Under HIPAA, a business associate is a person or entity that performs certain functions or activities involving the use or disclosure of protected health information (PHI), including electronic PHI (ePHI), on behalf of, or provides services to, a covered entity. So what exactly do these new rules mean for our partners and clients?
First, it is important to note that the new rules largely formalize and strengthen changes first announced in the 2009 Health Information Technology for Economic and Clinical Health Act (HITECH Act), which defines when HHS must be notified of a breach and increases the penalties for non-compliance.
The biggest change to note is that subcontractors of business associates (for example, a health information organization and its cloud service provider) are now themselves treated as business associates and must be bound by a business associate agreement (BAA). In the past, subcontractors could decline to sign any agreement, which effectively limited their liability should HHS come knocking. Under the new regulations, it is clear that any vendor or subcontractor that creates, receives, maintains, or transmits ePHI must sign a formal business associate agreement, making each and every subcontractor directly liable in the event of a breach.
Stated differently, anyone who handles ePHI should read the new rules carefully and understand how they are now directly liable for compliance. We expect a shake-out among business associate companies. Healthcare facilities should examine closely whether a business associate agreement is being signed merely to win business, or by a company that will actually be accountable for HIPAA requirements and take them seriously throughout the relationship.
It is also important to note that under the new regulations, business associates are directly liable for compliance and can be fined alongside the covered entity (the actual healthcare provider).
Here are the top five issues that organizations need to be aware of:
1. Not knowing that they need to be compliant. Many people do not realize that vendors such as shredding companies and office cleaning crews, whose staff may see patient data without realizing it, are now liable. Anyone with access to ePHI, regardless of their role and how far removed they are from the covered entity, is now fully in scope.
2. Lack of a solid inventory of where data lives. Data is constantly transmitted back and forth via applications, web servers, and file servers, yet many organizations lack a comprehensive inventory of where all of it resides. Without that inventory it is difficult to assess the risk of each storage location accurately. Organizations must be able to control physical access to patient information and proactively protect against inappropriate access at every exchange point, which is impossible without knowing where the data is.
3. Risk analysis and data classification. HIPAA clearly requires organizations to complete a thorough risk analysis covering the storage, processing, and transmission of ePHI. The risks to the data must be clearly defined, and the controls in place to address them must be documented.
4. Controlling the flow of ePHI via mobile devices. HIPAA contains no requirement that specifically addresses mobile devices, yet iPads, iPhones, and Android devices frequently hold ePHI. Organizations need to implement corporate BYOD policies and put controls in place, including device passcodes, device encryption, and remote lock and wipe capabilities, to protect this data.
5. Encryption. There is a lot of confusion around encryption because many people read "addressable" as "optional." Some organizations see "encryption," evaluate what it entails, and decide that it costs too much or can be skipped. Addressable does not mean optional: an organization must either implement the specification or document why it is not reasonable and appropriate and implement an equivalent alternative. If there is a security breach, HHS officials will first ask whether the data was encrypted. If the answer is no, the investigation can easily lead to fines, penalties, and negative publicity. We recommend that our partners and clients conduct a thorough risk analysis that documents every control surrounding data that may be at risk. That documentation serves as a road map for action items prioritized by level of risk, and when a breach occurs it is how an organization demonstrates due diligence in having acknowledged and addressed each risk. We cannot stress enough how thorough this documentation should be: we have seen documentation ranging from 20 to 100+ pages, and anything less is likely to be insufficient.
We continue to see these issues every day. The bottom line is that organizations should read the new rules thoroughly and engage with their third-party vendors to make sure they are covered and can avoid penalties. Those exploring a third-party solution should ensure that the prospective vendor provides a suite of proven network security and compliance technologies, data center policies and procedures that support compliance, and round-the-clock analyst coverage to monitor and manage their networks.
James D. Brown is responsible for overall product and services strategies, and architecture and implementation of StillSecure’s product suite. James has tremendous experience in both public and private cloud security and helped create the industry’s first comprehensive Cloud Security Services Platform that supports physical, virtual and multi-tenant environments. Brown has more than 20 years of experience in the network security, IT, telecommunications, and human resources industries.
Andrew Hicks, director, healthcare practice lead, Coalfire, has over 10 years of experience in IT governance including responsibilities specific to the IT security, risk management, audit, business continuity, disaster recovery and regulatory compliance spaces. His experience and understanding of business processes and technology has allowed him to excel in the areas of policy development, internal control design and testing, project management, system development reviews, and risk mitigation.