FWIW: Any day I get to send an XKCD cartoon to a federal agency like CMS is a good day. #CMSRFI
I will share one though, on PC-10f (re: TEFCA)
f. Are there redundant standards, ... that should be consolidated?
There are always redundancies. QTF R1 is different from QTF R2, yet provides similar data, just at different granularity. Don’t try to consolidate standards. That just leads to:
So, what I'm actually doing right now is writing my responses to the #CMSRFI in a Word Document. I'll ship it out as BlueSky posts when I can. I do have some #HL7 #Connectathon stuff going on over the next two days, so probably towards the end of the week.
Commenting on the #CMSRFI is a little bit different than commenting on regulation. It's just a bunch of questions to respond to. I've gathered them up in a Google Doc you can download here: docs.google.com/document/d/1...
I've been doing regulatory tweet throughs of CMS and ASTP (formerly ONC) rules for years. Today, I'm doing the same for the CMS RFI on the Health Technology Ecosystem (see www.federalregister.gov/documents/20...) but on BlueSky first. The hashtag for this will be #CMSRFI.
Yeah! Something I've been working towards for the last 5 years is going to happen. That's it, that's the subtweet. Sorry I cannot say more. 🎉🥳🍾
PointClickCare's Dean Slawson talks about making AI Trustworthy.
www.healthcareittoday.com/2025/03/19/a...
I guess I've still got it. I was just notified that I'm on the FeedSpot Top 100 Healthcare Technology blogs. bloggers.feedspot.com/healthcare_t...
Our team needs an outstanding Senior Health IT Policy and Communications Manager to work with us. You will get to work with me and our highly skilled team of professionals who work with Federal, State and regional agencies in Healthcare IT.
Apply here: jobs.lever.co/pointclickca...
Are you attending #HIMSS25? Do you want to learn more about our Data Modernization tools? Catch up with me there, book a meeting via the HIMSS App, or through DMs here.
Today I got to use an Apple Vision Pro for like 30 minutes, and I came away with two, immediate thoughts right in a row:
1.)
“This is, without doubt, one of the most stunning new technologies I’ve ever used. Absolutely extraordinary.”
2.)
“I have absolutely zero uses for this in my work or life”
I passed the test. Was there ever any doubt? Yes, actually. It's a challenging credential to earn.
You could ask ChatGPT for a 500-word summary of the new #HIPAA NPRM or you could just read mine: motorcycleguy.blogspot.com/2025/01/hipa...
That's the end for now on my read of changes in #HIPAA. There will be more as I must do deeper analysis on at least 3 sections.
Finally, #HIPAA 164.320 Severability adds a clause that basically says:
If anything here is invalid or unenforceable, etc... it shall be interpreted to give the maximum effect & if necessary will be held separate so as to not affect anything else we said you gotta do.
#HIPAA 164.318 Transition was previously about Compliance deadlines & remains so, but in proposed rule, the text gets more convoluted and has to do with existing renewals and deeming compliance based on existing contracts. Get your lawyers to explain it, I'm not gonna.
#HIPAA 164.316 Documentation requirements is largely unchanged but somewhat restructured. The maintenance of documentation is strengthened from as needed to at least annually.
Which brings us to section 314 Organizational requirements. I would say this is largely unchanged except the new requirement that any time an organization activates its contingency plan it must notify the organization or group health plan it has a BAA with w/in 24 hours.
OK, #HIPAA Section 312 Technical Safeguards adds a lot of new content and is going to require deeper analysis.
Moving on to #HIPAA Section 310, Physical Safeguards
Mostly the same, ADDED annual maintenance requirement to each standard whereby you must review & test policies & procedures at least annually.
And implementation specs for workstation use & technology assets (a.k.a., devices)
#HIPAA Section § 164.308 Administrative safeguards is very little like its predecessor, although I imagine it includes all of the requirements of that, plus a lot more.
I'm going to do a deeper review of the changes to #HIPAA 45 CFR 164.308 later.
In #HIPAA, § 164.306 Security standards: General rules is revised a bit, but mostly unchanged EXCEPT
(b)(2)(v) is added to require consideration effectiveness of the measure AND
(c) requires both standards & implementation specifications and (d) drops [THIS IS A BIG CHANGE].
Finally, 3 #HIPAA definitions changed:
Access: Add delete, transmit, substitute "component of an information system" for "system resource"
Malicious software: includes "firmware" with more description of the intent or impact
Technical Safeguards: Clarified & included technical controls as a subtype
With respect to "Reasonably educated", that includes neither lawyers nor regulatory pedants. Both are over-educated and so might actually care about the improved text in #HIPAA
Some #HIPAA definitions were clarified, but not really functionally changed from the perspective of a reasonably educated person.
* Administrative safeguards
* Information System
* Password
* Physical Safeguards
* Security or Security Measures
* Security Incident
* Workstation
Definitions were added for the following key #HIPAA terms:
* Deploy
* Implement
* Multifactor authentication
* Risk
* Technical Controls
* Vulnerability
And then we get to Subpart C, which is the remainder of the #HIPAA proposed rule changes
First, the definitions get an update ...
In the proposed #HIPAA security rule, A minor change to 45 CFR 160.103 simplifies the text of but expands the definition for Electronic Media.
If you've been or catching up from hiding under a rock and getting back out from under after the holidays, there's a new #HIPAA Security Rule out for review.
www.federalregister.gov/documents/20...
Firing lasers… pew, pew, pew.
