Several Key Health IT Rules Under Review by OMB. Several Health IT regulations are now under review by the Office of Management and Budget (OMB). Typically, review by OMB is the final stage before a regulation is published. Regulations under review include: “Proposed Modifications to the HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information” (a proposed rule from the Office for Civil Rights), “Administrative Simplification: Modifications to NCPDP Retail Pharmacy Standards (CMS-0056)” (a proposed rule from the Centers for Medicare & Medicaid Services (CMS)), and “Health Data, Technology, and Interoperability: Patient Engagement, Information Sharing, and Public Health Interoperability” (a final rule from the Assistant Secretary for Technology Policy, Office of the National Coordinator for Health IT (ASTP ONC)). OMB has up to 90 days to review regulations.
OCR Imposes a $1.19 Million CMP on Provider for HIPAA Security Rule Violations. The Office for Civil Rights (OCR) announced a $1.19 million civil monetary penalty (CMP) against a pain medicine provider in Florida, concerning violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. OCR initiated an investigation following the receipt of a breach report filed by the provider, which reported that a former contractor had impermissibly accessed its electronic medical record system to retrieve PHI for use in potential fraudulent Medicare claims. OCR’s investigation determined that the impermissible access occurred on three occasions, affecting approximately 34,310 individuals. The compromised PHI included patient names, addresses, phone numbers, email addresses, dates of birth, Social Security numbers, chart numbers, insurance information, and primary care information.
OCR found four violations by the provider of the HIPAA Security Rule, including failures to: (i) conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to ePHI in its systems; (ii) implement procedures to regularly review records of activity in information systems; (iii) implement procedures to terminate former workforce members’ access to ePHI; and (iv) implement procedures for establishing and modifying workforce members’ access to information systems. In August 2024, OCR issued a Notice of Proposed Determination seeking to impose a civil money penalty (CMP). The provider waived its right to a hearing and did not contest OCR’s findings. Access the Notice of Proposed Determination here.
OIG Urges OCR to Increase Scope of Cybersecurity Audits. The Office of the Inspector General (OIG) released a report that raises issues with the effectiveness of OCR audits, guidance, and enforcement activities for ensuring the protection of electronic protected health information (ePHI). The OIG audit evaluated OCR’s program for performing periodic HIPAA audits, as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act. The report contended OCR’s HIPAA audit implementation was too narrowly scoped to effectively assess ePHI protections and demonstrate a reduction of risks within the health care sector. Specifically, the report identified that: (i) OCR’s audits consisted of assessing only 8 of 180 HIPAA Rules requirements; and (ii) only 2 of those 8 requirements were related to Security Rule administrative safeguards and none were related to physical and technical security safeguards.
OIG recommended OCR enhance its HIPAA audit program, including: expanding the scope of its HIPAA audits to assess compliance with physical and technical safeguards from the HIPAA Security Rule; documenting and implementing standards and guidance for ensuring that deficiencies identified during the HIPAA audits are corrected in a timely manner; and defining metrics for monitoring the effectiveness of OCR’s HIPAA audits at improving audited covered entities’ and business associates’ protections over ePHI, and periodically reviewing whether these metrics should be refined.
HL7 Da Vinci Project Releases HIPAA Exception Report. The Health Level Seven (HL7) Da Vinci Project has released its report to CMS describing how two organizations demonstrated the real-world impact of applying standard application program interfaces (APIs) to automate the prior authorization process. The report highlights the collaboration between Regence, a payer based in the Pacific Northwest, and MultiCare Health System, a provider based in Washington state, which spent about a year testing and fine-tuning processes that leverage HL7’s Fast Healthcare Interoperability Resources (FHIR®) standard for APIs. The report details how the two organizations improved efficiency by using FHIR APIs for prior authorization data exchange and request processing. For example, using the APIs enabled MultiCare to achieve an improvement of 140% or more in the time it took to complete individual point-to-point transactions.
Sequoia Project Releases XP Vetting Process SOP. The Sequoia Project, as the Trusted Exchange Framework and Common Agreement™ (TEFCA™) Recognized Coordinating Entity® (RCE®), today released the new Exchange Purpose (XP) Vetting Process Standard Operating Procedure (SOP). This SOP was developed with input from the Policy and Technical Advisory Group, which includes representatives of the Qualified Health Information Networks® (QHINs™), as well as their Participants and Subparticipants, and the Assistant Secretary for Technology Policy (ASTP).
Reminder: CMS Optimizing Care Delivery Virtual Event Dec. 12. CMS is hosting the 2024 Conference on Optimizing Health Care Delivery to Improve Patient Lives, taking place on December 12, 2024. CMS states this virtual conference will explore innovative ideas, lessons learned, and best practices that strengthen patient health care delivery and access to high quality care, by reducing administrative burdens that impact patients and the health care workforce. Registration is still open. The agenda is now posted, and additional information on the conference can be found here.
Reminder: ONC Developer Deadlines Approaching. The Real World Testing submission window closes on December 15, 2024. Developers with health IT modules certified to eligible Real World Testing criteria as of August 31, 2024, are required to submit a Real World Testing plan for 2025. Developers should check with their ONC-ACB to determine eligibility and learn more about their specific submission deadlines for this fall. Health IT developers will find further information on Real World Testing requirements on the following pages: Real World Testing Resource Guide and Real World Testing Webpage.
In addition, Certified Health IT developers must publish Service Base URL lists in a standardized FHIR® format by December 31, 2024, as required by the API Condition of Certification. The § 170.315(a)(9) Clinical decision support (CDS) criterion expires on December 31, 2024. Health IT developers planning to maintain conformance to the Base EHR Definition must update their Certified Health IT to § 170.315(b)(11) Decision support interventions by this deadline.
Study: Telehealth Can Reduce Suicide Attempts. In an article published in JAMA Network Open titled “Telehealth Brief Cognitive Behavioral Therapy for Suicide Prevention: A Randomized Clinical Trial,” the authors examine brief cognitive behavioral therapy (BCBT) for suicide prevention, suicide attempts, and suicidal ideation when delivered remotely via video telehealth. This was a randomized clinical trial of 96 US adults with recent suicidal ideation and/or suicidal behavior. The results of the study indicate that patients who received BCBT had significantly fewer suicide attempts during the 1-year follow-up vs patients who received present-centered therapy. Reductions in suicidal ideation occurred in both treatments with no significant differences between groups. The authors suggest that BCBT delivered via video telehealth is effective for reducing the risk of suicide attempts among adults with recent suicidal ideation and/or suicidal behavior.