HITECH Act and HHS: A full plate of deadlines

Robert Kolodner, the national coordinator for health information technology in the Department of Health and Human Services (HHS), recently spoke to attendees at the 2009 HIMSS Conference about the changes and deadlines that have come out of the HITECH Act.

Note: Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 are commonly referred to as the “Health Information Technology for Economic and Clinical Health Act” or “HITECH Act”.  The key amendments to the privacy and security regulations issued under the Health Insurance Portability and Accountability Act of 1996 are contained in Subtitle D of the HITECH Act.

There are a number of key milestones facing HHS.

By April 18th
HHS must issue guidance for how to render protected health information unusable if it is breached.

The phrase “how to render protected health information unusable if it is breached” sounds, well, bureaucratic. As technologists, we would ask: what exactly does that mean? Alan S. Goldberg, Adj. Prof. of Health Law, George Mason University (www.healthlawyer.com), asks, “Can PHI be unusable but readable and decipherable or must the information be unusable, unreadable, AND indecipherable or else it will be not secured; and regardless, what do these terms mean?”

A very interesting reply from James Pyles:

Dear all;
I know a little about this language.
This language was inserted as a substitute for “encrypted” which some in the IT community thought was too restrictive and would not take into account future developments in technology, so it is intended to be disjunctive and generally meaning that if the information is improperly disclosed (or “breached”) it cannot be used, without extraordinary measures, to the damage of the individual. Note in section 13402(h)(2) that the Secretary, “not later than the date that is 60 days after the date of enactment of this Act”, shall issue (and annually update) “guidance specifying the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals” including the standards developed under section 3002(b)(2)(B)(vi). The guidance would have to be out by April 18, by my count.

So, in conclusion, we will be watching and waiting to hear exactly what “how to render protected health information unusable if it is breached” will mean for technology implementation, as well as how an audit will assess an organization’s ability to address this standard.

Here are some other interesting deadlines to watch for from the Department of Health and Human Services (HHS). Stay tuned to your friendly neighborhood blog for more updates.

On May 18th
HHS must present to Congress its 2009 operating plans for implementing IT provisions.

By May 18th
Deadline for the HIT Standards Committee to develop a schedule for assessing recommendations to the HIT Policy Committee.

Interim final rules covering breach notification of personal health records data are due in August.

The 2010 operating plan for health IT initiatives is due to Congress in November.

By December
HHS must have interim final rules for initial sets of standards to support a national health information network.