Summary of Changes to Questions Sets - Second Quarter 2010

We would like to notify you of changes that have been made to the ComplyTrack Risk Assessment questions in the Comprehensive Library for the Provider Baseline. As part of the Quarterly Review Process, the following Risk Assessments were reviewed this quarter:

In a notice published in the Federal Register on August 4, 2009, Kathleen Sebelius, Secretary of the Department of Health and Human Services delegated authority to the Director of the Office of Civil Rights over the HIPAA Security rules.  With this delegation, the OCR is responsible for interpreting and enforcing both the HIPAA Privacy and Security rules.  The OCR can now impose civil money penalties, issue subpoenas, and make exception determinations.  The delegation is effective immediately. See 74 FR 38630.

The July issue of Management Science contains a study that "quantifies the effect of state privacy regulation on the diffusion of electronic medical records." The study, by Amalia Miller, Department of Economics, University of Virginia and Catherine Tucker, MIT Sloan School of Management, Massachusetts Institute of Technology, found that "state privacy regulation restricting hospital release of health information reduces aggregate EMR adoption by hospitals by more than 24%."  To see the abstract, click

A recent article in HealthDay discusses an Institute of Medicine report on personal health information.  "The privacy of Americans' personal health information isn't adequately protected by existing federal government regulation, according to an Institute of Medicine report.  The Health Insurance Portability and Accountability Act (HIPAA) privacy rule also hinders important health research, the report's authors said.