ORLANDO – At a HIMSS11 workshop held Sunday, HIMSS Privacy Director Lisa Gallagher and other experts tried to set the record straight on the federal breach notification rules.
The Department of Health and Human Services (HHS) withdrew a final breach notification rule last July, for reasons that are not known to the public, Gallagher said. There is no projected date for when the final rule will come out, but in the meantime, privacy officers need to keep in mind that the interim rule is still in effect. “There has been a lot of confusion in the industry about that,” she said.
According to Gallagher, the interim final breach notification rule requires providers to notify all individuals who have been affected by a breach within 60 days. If more than 500 individuals have been affected, the organization must notify a major media outlet and report the breach to HHS.
[See also: Report: More than 6M affected since breach notification rule]
Providers should keep in mind that more than 75 percent of breaches are the result of the loss of a portable device, Gallagher said. Requests for portable devices from staff is an area that should be taken very seriously she said.
Privacy officers are also grappling with HITECH’s meaningful use requirements. For the meaningful use Stage 1, there is only one requirement, Gallagher said. Organizations must have an ongoing risk management plan and they must attest to that formally to the federal government.
[See also: Top 7 trends in health information privacy for 2011]
The Office of the National Coordinator for Health Information Technology is currently taking comments on a draft of measures required for Stages 2 and 3, which currently contain no privacy requirements. This does not mean there will be no privacy requirements in those stages, Gallagher said.
Industry privacy experts are eagerly awaiting regulations from the Office for Civil Rights (OCR), mandated under HITECH to be enforcers of patient privacy. OCR audits are a dreaded concern to most providers, who want to know more about what to expect, she said. A Notice of Proposed Rulemaking is expected out by OCR next month, Gallagher said. “Please take a look at it,” she told attendees. “It will have a huge impact on your organization.”
