While the leadership of the Department of Health and Human Services continues to take shape, the Office for Civil Rights has its eye on 21st Century Cures Act and how to implement it.

The law, which was signed Dec. 7, authorizes a litany of health care reform and research spending. It also authorizes HHS Secretary Tom Price to craft rules that will allow the sharing of protected health data for research purposes.

That means OCR and the Office of the National Coordinator for Health Information Technology will have to develop new rules and guidance for how the law bumps up against HIPAA in terms of privacy, and for the moment, both offices are embodied by Deven McGraw.

McGraw, OCR's deputy director of health information privacy and the acting chief privacy officer for ONC during the administration transition, addressed the Healthcare Information and Management Systems Society conference on Feb. 20 about the rules the offices will be looking to address in 2017.

"We have a lot of guidance that we are going to have to issue," she said. "There are lots of provisions that deal with accessing and sharing protected health information for research purposes."

The law will require both offices to examine a number issues of how the Cures Act will comply with HIPAA, including when it comes to addressing security barriers to information sharing and patient access rights.

Another wrinkle of the law that will require additional guidance is a measure that allows family members of patients with mental health issues to access treatment information.

"This is a topic on which we have issued guidance in the past, but we are continuing to get questions from entities about when they can share information about persons within a mental health context," McGraw said.

OCR is also expected to roll out additional guidance in 2017 related to the Health Information Technology for Economic and Clinical Health, or HITECH, Act.

As part of the 2009 law, McGraw said OCR will be unveiling new regulations establishing civil penalties for those affected by HIPAA violations.

"This has been on our regulatory agenda for quite some time," she said. "There’s not really a good model that already exists out there for this.

"We need to understand things like how can we administratively execute this. Giving out money to people is not something we are accustomed to doing. What qualifies as harm when there has been a violation of privacy and security rules?"

OCR will also be updating its Frequently Asked Questions on guidance for secure information sharing and clarifying HIPAA compliance through text messaging and social media.

McGraw added that while the regulations are in the works for 2017, their rollouts will be dependent on the completed appointment of HHS leadership.

Share:
In Other News
Load More