New Fact Sheet Highlights ASTP’s Concerns About Certified API Practices

On October 29, 2024, the US Department of Health and Human Services (HHS) Assistant Secretary for Technology Policy (ASTP) released a fact sheet titled “Information Blocking Reminders Related to API Technology.” The fact sheet reminds developers of application programming interfaces (APIs) certified under the ASTP’s Health Information Technology (IT) Certification Program and their health care provider customers of practices that constitute information blocking under ASTP’s information blocking regulations and information blocking condition of certification applicable to certified health IT developers.

In Depth

The fact sheet is noteworthy because it follows ASTP’s recent blog post expressing concern about reports that certified API developers are potentially violating Certification Program requirements and engaging in information blocking. ASTP also recently strengthened its feedback channels by adding a section specifically for API-linked complaints and inquiries to the Health IT Feedback and Inquiry Portal. It appears increasingly likely that initial investigations and enforcement of the information blocking prohibition by the HHS Office of Inspector General will focus on practices that may interfere with access, exchange, or use of electronic health information (EHI) through certified API technology.

The fact sheet focuses on three categories of API-related practices that could be information blocking under ASTP’s information blocking regulations and Certification Program condition of certification:

  • ASTP cautions against practices that limit or restrict the interoperability of health IT. For example, the fact sheet states that health care providers who locally manage their Fast Healthcare Interoperability Resources (FHIR) servers without certified API developer assistance may engage in information blocking when they refuse to provide certified API developers with the FHIR service base URL necessary for patients to access their EHI.
  • ASTP states that impeding innovations and advancements in access, exchange, or use of EHI or health-IT-enabled care delivery may be information blocking. For example, the fact sheet indicates that a certified API developer may engage in information blocking by refusing to register and enable an application for production use within five business days of completing its verification of an API user’s authenticity as required by ASTP’s API maintenance of certification requirements.
  • ASTP states that burdensome or discouraging terms, delays, or influence over customers and users may be information blocking. For example, ASTP states that a certified electronic health record (EHR) developer may engage in information blocking by conditioning the disclosure of interoperability elements to third-party developers on the third-party developer entering into business associate agreements with all of the EHR developer’s covered entity customers, even if the work being done is not for the benefit of the customers and HIPAA does not require the business associate agreements.

The fact sheet does not address circumstances under which any of the above practices of certified API developers may meet an information blocking exception (established for reasonable practices that interfere with access, exchange, or use of EHI). Regulated actors should consider whether exceptions apply to individual circumstances.

Can Artificial Intelligence Assist with Cybersecurity Management?

AI has great capability both to harm and to protect in a cybersecurity context. As with the development of any new technology, the benefits provided through correct and successful use of AI are inevitably coupled with the need to safeguard information and to prevent misuse.

Using AI for good – key themes from the European Union Agency for Cybersecurity (ENISA) guidance

ENISA published a set of reports earlier last year focused on AI and the mitigation of cybersecurity risks. Here we consider the main themes raised and provide our thoughts on how AI can be used advantageously*.

Using AI to bolster cybersecurity

In Womble Bond Dickinson’s 2023 global data privacy law survey, half of respondents told us they were already using AI for everyday business activities ranging from data analytics to customer service assistance and product recommendations and more. However, alongside day-to-day tasks, AI’s ‘ability to detect and respond to cyber threats and the need to secure AI-based application’ makes it a powerful tool to defend against cyber-attacks when utilized correctly. In one report, ENISA recommended a multi-layered framework which guides readers on the operational processes to be followed by coupling existing knowledge with best practices to identify missing elements. The step-by-step approach for good practice looks to ensure the trustworthiness of cybersecurity systems.

Utilizing machine-learning algorithms, AI is able to detect both known and unknown threats in real time, continuously learning and scanning for potential threats. Cybersecurity software that does not utilize AI can only detect known malicious code, making it insufficient against more sophisticated threats. By analyzing the behavior of malware, AI can pinpoint specific anomalies that standard cybersecurity programs may overlook. The deep-learning-based program NeuFuzz is considered a highly favorable platform for vulnerability searches in comparison to standard machine-learning AI, demonstrating the rapidly evolving nature of AI itself and of the products offered.

A key recommendation is that AI systems should be used as an additional element to existing ICT, security systems and practices. Businesses must be aware of the continuous responsibility to have effective risk management in place with AI assisting alongside for further mitigation. The reports do not set new standards or legislative perimeters but instead emphasize the need for targeted guidelines, best practices and foundations which help cybersecurity and in turn, the trustworthiness of AI as a tool.

Amongst other factors, cybersecurity management should consider accountability, accuracy, privacy, resiliency, safety and transparency. It is not enough to rely on traditional cybersecurity software, especially where AI can be readily implemented for prevention, detection and mitigation of threats such as spam, intrusion and malware. Traditional models do exist, but as ENISA highlights they are usually designed to target or ‘address specific types of attack’, which ‘makes it increasingly difficult for users to determine which are most appropriate for them to adopt/implement.’ The report highlights that businesses need to have a pre-existing foundation of cybersecurity processes which AI can work alongside to reveal additional vulnerabilities. A collaborative network of traditional methods and new AI-based recommendations allows businesses to be best prepared against the ever-developing nature of malware and technology-based threats.

In the US in October 2023, the Biden administration issued an executive order with significant data security implications. Amongst other things, the executive order requires that developers of the most powerful AI systems share safety test results with the US government, that the government will prepare guidance for content authentication and watermarking to clearly label AI-generated content and that the administration will establish an advanced cybersecurity program to develop AI tools and fix vulnerabilities in critical AI models. This order is the latest in a series of AI regulations designed to make models developed in the US more trustworthy and secure.

Implementing security by design

A security by design approach centers efforts around security protocols from the basic building blocks of IT infrastructure. Privacy-enhancing technologies, including AI, assist security by design structures and effectively allow businesses to integrate necessary safeguards for the protection of data and processing activity, but should not be considered as a ‘silver bullet’ to meet all requirements under data protection compliance.

This will be most effective for start-ups and businesses in the initial stages of developing or implementing their cybersecurity procedures, as conceiving a project built around security by design will take less effort than adding security to an existing one. However, we are seeing rapid growth in the number of businesses using AI. More than one in five of our survey respondents (22%), for instance, started to use AI in the past year alone.

However, existing structures should not be overlooked, and the addition of AI into current cybersecurity systems should improve functionality, processing and performance. This is evidenced by AI’s capability to analyze huge amounts of data at speed to provide a clear, granular assessment of key performance metrics. This high-level, high-speed analysis allows businesses to offer tailored products and improved accessibility, resulting in a smoother retail experience for consumers.

Risks

Despite the benefits, AI is by no means a perfect solution. Machine-learning AI will act on what it has been told under its programming, leaving the potential for its results to reflect an unconscious bias in its interpretation of data. It is also important that businesses comply with regulations (where applicable) such as the EU GDPR, the Data Protection Act 2018, the anticipated Artificial Intelligence Act and general consumer duty principles.

Cost benefits

Alongside reducing the cost of reputational damage from cybersecurity incidents, it is estimated that UK businesses that use some form of AI in their cybersecurity management reduced costs related to data breaches by £1.6m on average. Using AI or automated responses within cybersecurity systems was also found to have shortened the average ‘breach lifecycle’ by 108 days, saving time, cost and significant business resource. Further development of penetration testing tools which specifically focus on AI is required to explore vulnerabilities and assess behaviors, which is particularly important where personal data is involved, as a company’s integrity and confidentiality are at risk.

Moving forward

AI can be used to our advantage, but it should not be seen as entirely replacing existing or traditional models for managing cybersecurity. While AI is an excellent long-term assistant that saves users time and money, it cannot be relied upon alone to make decisions directly. In this transitional period from more traditional systems, it is important to have a secure IT foundation. As WBD suggests in our 2023 report, having established governance frameworks and controls for the use of AI tools is critical for data protection compliance and an effective cybersecurity framework.

Despite suggestions that AI’s reputation is degrading, it is a powerful and evolving tool which could not only improve your business’ approach to cybersecurity and privacy but with an analysis of data, could help to consider behaviors and predict trends. The use of AI should be exercised with caution, but if done correctly could have immeasurable benefits.

___

* While a portion of ENISA’s commentary is focused around the medical and energy sectors, the principles are relevant to all sectors.

Privacy Tip #335 – Health Care Sector Continues to Be Hit with Ransomware

The 2022 State of Ransomware Report recently issued by Sophos surveyed 5,600 IT professionals from 31 countries, including professionals in the health care sector. Of the health care respondents, 66 percent reported having experienced a ransomware attack in 2021, which was an increase of 69 percent over 2020. This was the largest increase of all sectors surveyed.

If you look at the Office for Civil Rights data breach portal, you will see that a vast majority of breaches reported by health care providers and business associates are related to “Hacking/IT incident.” This confirms that the health care sector continues to be attacked by threat actors seeking to steal protected health information of patients.

If you are a patient who receives a breach notification letter from a health care provider or business associate, the letter will provide guidance on how to protect yourself following a data breach and may offer some protection services, including credit monitoring or fraud resolution. Such a letter is sent to patients to comply with the breach notification requirements of HIPAA and state law. Those requirements include providing patients with mitigation steps following the breach to protect themselves from fraud. Avail yourself of these protections in the event your information is compromised. Take the time to sign up for the mitigation offered. It is clear that these attacks will not subside any time soon.

Copyright © 2022 Robinson & Cole LLP. All rights reserved.

Recent IT Outsourcing Study Finds Continued Growth Led by Large Organizations

A recently released study assessing current trends in the use of IT outsourcing found that spending on IT outsourcing is rising at a rate in step with IT operational budgets as a whole, led by large organizations (those with IT operating budgets of $20 million or greater) that spend 7.8% of their IT budgets on outsourcing at the median. The study’s findings also highlight a number of trends within organizations’ IT outsourcing priorities:

  • Shifting Trends in Some IT Outsourcing Functions. The study found that the outsourcing of some IT functions is growing, while outsourcing of other functions is shrinking. For example, more organizations are outsourcing IT security, e-commerce systems, and application hosting, while fewer organizations are outsourcing help desk, desktop support, and application maintenance functions.

  • Continued Growth of Software as a Service. Application hosting was the most frequently outsourced IT function identified in the study. It found that 65% of organizations that currently outsource application hosting intend to increase the amount of work outsourced for that function.

  • Outsourcing Versus In-House. Among organizations that outsource IT functions, the study showed help desk and web/e-commerce operations were the IT functions with the largest percentage of work moved to outside service providers. Application hosting and IT security were the IT functions for which organizations tend to perform the most work in-house.

  • Potential for Cost Savings and Value. Among the functions examined by the study, outsourcing of disaster recovery and desktop support were found to have the greatest potential for reducing costs. The outsourcing of web/e-commerce, desktop support, disaster recovery, and IT security were found to deliver the best overall value for organizations by saving money and improving service levels.

Copyright © 2015 by Morgan, Lewis & Bockius LLP. All Rights Reserved.

Contract Corner: Key Considerations in Understanding and Negotiating IT Agreements

When entering into IT agreements with vendors, it is important to understand the type of agreement being negotiated, the services being provided, and who will be using the services within your organization. The category of “IT agreements” generally includes cloud application agreements, service agreements, installed applications, and online presence management. When negotiating IT agreements, the legal team should work closely with the business and IT teams to ensure that the correct level of importance is placed on the agreement and that provisions are added or revised in a way that clarifies the parties’ responsibilities in connection with the services being provided and also addresses the potential unwinding of the relationship. To provide maximum clarity and flexibility in connection with purchased IT services, consider the following key provisions when negotiating IT agreements:

  • Performance Standards (or “teeth”)

    Performance standards are critically important, but it is difficult to know where standards should be set and what services are most critical without consulting with your IT group. The IT group can help determine how critical the services are and build appropriate performance standards around the applicable services. Types of performance standards include quality assurance, service levels and credits (which often include measurement and monitoring and notice of performance issues), and customer satisfaction surveys.

  • Term

    Consider the benefits versus the risks of including a long multiyear initial term and automatic renewal terms. Vendors love a long term and often offer pricing concessions to lock in long terms, but a long term can significantly increase risk to the customer if the relationship goes south. Some companies prefer automatic renewal because there is less paperwork, but others view automatic renewal as another milestone that needs to be managed and a potential risk if the relationship with the vendor is strained.

  • Termination and Termination Assistance

    Consider including a termination for convenience clause. Termination for convenience provides an easier mechanism for unwinding a deal when a vendor is not knocking it out of the park, especially if the vendor’s obligations are not clear. Customers should also strongly consider negotiating for termination assistance services to further mitigate the risks associated with unwinding an unsatisfactory deal. If the IT services include storage or processing of customer data, termination assistance provisions should include return and migration of customer data and require the current vendor to cooperate with the new vendor. Specific disengagement plans can be negotiated up front if necessary.

  • Data Protection

    Language should be added to protect all data provided in connection with the use of the services. This language can include security obligations (remember, this is not insurance), obligations to mitigate or cover the costs associated with data breaches, a duty to notify, and rights to audit and review security representations.

  • Proprietary Rights

    If proprietary rights are important to the agreement—for instance, if a vendor is developing new technology or using important customer technology—make sure that the contractual language around proprietary rights clearly states who owns the core technology and any improvements, interfacing elements, and data.

  • Cyber-Liability Insurance

    Add provisions that require the vendor to maintain adequate cyber-liability insurance, especially if the vendor is storing or processing customer data.

  • Representations and Warranties

    Consider adding situational representations and warranties (e.g., PCI compliance or EU Data Privacy compliance) applicable to particular services being provided, in addition to standard representations and warranties for IT agreements, such as conformance with specifications. For each representation and warranty, consider the remedy that should apply in the event that it is breached.

  • Indemnification

    The vendor should agree, at minimum, to indemnify the customer for third-party claims related to the services being provided.

  • Limitation of Liability

    If the vendor negotiates for a limitation of liability provision, make sure appropriate exclusions for confidentiality, data breach, and indemnification are negotiated. It is also important for these exclusions to be carved out of standard limitations on indirect, special, and consequential damages, because many of the losses associated with confidentiality, data breaches, and indemnification claims might otherwise be barred by such provisions.

Copyright © 2015 by Morgan, Lewis & Bockius LLP. All Rights Reserved.

Office for Civil Rights (OCR) to Begin Phase 2 of HIPAA Audit Program

McDermott Will & Emery

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) will soon begin a second phase of audits (Phase 2 Audits) of compliance with Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy, security and breach notification standards (HIPAA Standards) as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act. Unlike the pilot audits during 2011 and 2012 (Phase 1 Audits), which focused on covered entities, OCR will conduct Phase 2 Audits of both covered entities and business associates. The Phase 2 Audit Program will focus on areas of greater risk to the security of protected health information (PHI) and pervasive noncompliance based on OCR’s Phase 1 Audit findings and observations, rather than a comprehensive review of all of the HIPAA Standards. The Phase 2 Audits are also intended to identify best practices and uncover risks and vulnerabilities that OCR has not identified through other enforcement activities. OCR will use the Phase 2 Audit findings to identify technical assistance that it should develop for covered entities and business associates. In circumstances where an audit reveals a serious compliance concern, OCR may initiate a compliance review of the audited organization that could lead to civil money penalties.

The following sections summarize OCR’s Phase 1 Audit findings, describe the Phase 2 Audit program and identify steps that covered entities and business associates should take to prepare for the Phase 2 Audits.

Phase 1 Audit Findings

OCR audited 115 covered entities under the Phase 1 Audit program, with the following aggregate results:

  • There were no findings or observations for only 11% of the covered entities audited;
  • Despite representing just more than half of the audited entities (53%), health care providers were responsible for 65% of the total findings and observations;
  • The smallest covered entities were found to struggle with compliance under all three of the HIPAA Standards;
  • Greater than 60% of the findings or observations were Security Standard violations, and 58 of 59 audited health care provider covered entities had at least one Security Standard finding or observation even though the Security Standards represented only 28% of the total audit items;
  • Greater than 39% of the findings and observations related to the Privacy Standards were attributed to a lack of awareness of the applicable Privacy Standard requirement; and
  • Only 10% of the findings and observations were attributable to a lack of compliance with the Breach Notification Standards.

The Phase 2 Audit Program

Selection of Phase 2 Audit Recipients

Unlike the Phase 1 Audit Program, which focused on covered entities, OCR will conduct Phase 2 Audits of both covered entities and business associates.  OCR has randomly selected a pool of 550–800 covered entities through the National Provider Identifier database and America’s Health Insurance Plans’ databases of health plans and health care clearinghouses.  OCR will issue a mandatory pre-audit screening survey to the pool of covered entities this summer.  The survey will address organization size measures, location, services and contact information.  Based on the responses, the agency will select approximately 350 covered entities, including 232 health care providers, 109 health plans and 9 health care clearinghouses, for Phase 2 Audits.  OCR intends to select a wide range of covered entities and will conduct the audits between October 2014 and June 2015.

OCR will notify and send data requests to the 350 selected covered entities this fall.  The data requests will ask the covered entities to identify and provide contact information for their business associates.  OCR will select the business associates that will participate in the Phase 2 Audits from this pool.

Audit Process

OCR will audit approximately 150 of the 350 selected covered entities and 50 of the selected business associates for compliance with the Security Standards, 100 covered entities for compliance with the Privacy Standards and 100 covered entities for compliance with the Breach Notification Standards.  OCR will initiate the Phase 2 Audits of covered entities by sending the data requests this fall and then initiate the Phase 2 Audits of business associates in 2015.

Covered entities and business associates will have two weeks to respond to OCR’s audit request.  The data requests will specify the content, file names and other documentation requirements, and the auditors may contact the covered entities and business associates for clarifications or additional documentation.  OCR will only consider current documentation that is submitted on time.  Failure to respond to a request could lead to a referral to the applicable OCR Regional Office for a compliance review.

Unlike the Phase 1 Audits, OCR will conduct the Phase 2 Audits as desk reviews with an updated audit protocol and not on-site at the audited organization.  OCR will make the Phase 2 Audit protocol available on its website so that entities may use it for internal compliance assessments.

The Phase 2 Audits will target HIPAA Standards that were sources of high numbers of non-compliance in the Phase 1 Audits, including:  risk analysis and risk management; content and timeliness of breach notifications; notice of privacy practices; individual access; Privacy Standards’ reasonable safeguards requirement; training to policies and procedures; device and media controls; and transmission security.  OCR also projects that Phase 2 Audits in 2016 will focus on the Security Standards’ encryption and decryption requirements, facility access control, breach reports and complaints, and other areas identified by earlier Phase 2 Audits.  Phase 2 Audits of business associates will focus on risk analysis and risk management and breach reporting to covered entities.

OCR will present the organization with a draft audit report to allow management to comment before it is finalized.  OCR will then take into account management’s response and issue a final report.

What Should You Do to Prepare for the Phase 2 Audits?

Covered entities and business associates should take the following steps to ensure that they are prepared for a potential Phase 2 Audit:

  • Confirm that the organization has recently completed a comprehensive assessment of potential security risks and vulnerabilities to the organization (the Risk Assessment);
  • Confirm that all action items identified in the Risk Assessment have been completed or are on a reasonable timeline to completion;
  • Ensure that the organization has a complete inventory of business associates for purposes of the Phase 2 Audit data requests;
  • If the organization has not implemented any of the Security Standards’ addressable implementation standards for any of its information systems, confirm that the organization has documented (i) why any such addressable implementation standard was not reasonable and appropriate and (ii) all alternative security measures that were implemented;
  • Ensure that the organization has implemented a breach notification policy that accurately reflects the content and deadline requirements for breach notification under the Breach Notification Standards;
  • Health care provider and health plan covered entities should ensure that they have a compliant Notice of Privacy Practices and not only a website privacy notice;
  • Ensure that the organization has reasonable and appropriate safeguards in place for PHI that exists in any form, including paper and verbal PHI;
  • Confirm that workforce members have received training on the HIPAA Standards that are necessary or appropriate for a workforce member to perform his/her job duties;
  • Confirm that the organization maintains an inventory of information system assets, including mobile devices (even in a bring your own device environment);
  • Confirm that all systems and software that transmit electronic PHI employ encryption technology, or that the organization has documented the risk analysis supporting the decision not to employ encryption;
  • Confirm that the organization has adopted a facility security plan for each physical location that stores or otherwise has access to PHI, in addition to a security policy that requires a physical security plan; and
  • Review the organization’s HIPAA security policies to identify any actions that have not been completed as required (e.g., physical security plans, disaster recovery plan, emergency access procedures, etc.).

Proposed Health Information Technology Strategy Aims to Promote Innovation

Sheppard Mullin 2012

On April 7, 2014, the Food and Drug Administration (FDA), in consultation with the Office of the National Coordinator for Health Information Technology (ONC) and the Federal Communications Commission (FCC), released a draft report addressing a proposed strategy and recommendations on an “appropriate, risk-based regulatory framework pertaining to health information technology.”

This report, entitled “FDASIA Health IT Report: Proposed Strategy and Recommendations for a Risk-Based Framework”, was mandated by Section 618 of the Food and Drug Administration Safety and Innovation Act, and establishes a proposed blueprint for the regulation of health IT. The FDA, ONC and FCC (the Agencies) noted that risk and controls on such risk should focus on health IT functionality, and proposed a flexible system for categorizing health IT and evaluating the risks and need for regulation for each category.

The Agencies set out four key priority areas: (1) promote the use of quality management principles, (2) identify, develop, and adopt standards and best practices, (3) leverage conformity assessment tools, and (4) create an environment of learning and continual improvement.

The Agencies are seeking public comment on the specific principles, standards, practices, and tools that would be appropriate as part of this regulatory framework.  In addition, the Agencies propose establishing a new Health IT Safety Center that would allow reporting of health IT-related safety events that could then be disseminated to the health IT community.

The Agencies also divided health IT into three broad functionality-based groups: (1) administrative, (2) health management, and (3) medical device. The Agencies noted that health IT with administrative functionality, such as admissions, billing and claims processing, scheduling, and population health management pose limited or no risk to the patient, and as a result no additional oversight is proposed.

Health IT with health management functionality, such as health information and data exchange, data capture and encounter documentation, provider order entry, clinical decision support, and medication management, would be subject to the regulatory framework proposed in the report. In addition, the FDA stated that a product with health management functionality that meets the statutory definition of a medical device would not be subject to additional oversight by the FDA.

The report had a spotlight on clinical decision support (CDS), which provides health care providers and patients with knowledge and person-specific information, intelligently filtered or presented at appropriate times, to enhance health and health care.  The report concluded that, for the most part, CDS does not replace clinicians’ judgment, but rather assists clinicians in making timely, informed, higher quality decisions.  These functionalities are categorized as health management IT, and the report believes most CDS falls into this category.

However, certain CDS software – those that are medical devices and present higher risks – warrant the FDA’s continued focus and oversight.  Medical device CDS includes computer aided detection/diagnostic software, remote display or notification of real-time alarms from bedside monitors, radiation treatment planning, robotic surgical planning and control, and electrocardiography analytical software.

The FDA intends to focus its oversight on health IT with medical device functionality, such as described above with respect to medical device CDS.  The Agencies believe that this type of functionality poses the greatest risk to patient safety, and therefore would be the subject of FDA oversight.  The report recommends that the FDA provide greater clarity related to medical device regulation involving health IT, including: (1) the distinction between wellness and disease-related claims, (2) medical device accessories, (3) medical device CDS software, (4) medical device software modules, and (5) mobile medical apps.

The comment period remains open through July 7, 2014, and therefore the report’s recommendations may change based on comments received by the Agencies. In the meantime, companies in the clinical software and mobile medical apps industry should follow the final guidance recently published by the FDA with respect to regulation of their products.



Getting Lawyers Up to Speed: The Basics for Understanding ITIL®


As more clients use ITIL®—a standard for best practices in providing IT services—IT lawyers who are unfamiliar with the standard should familiarize themselves with its basic principles. This is particularly important as clients are integrating ITIL terminology and best practices (or modified versions thereof) into their service delivery and support best practices as well as the structure and substantive provisions of their IT outsourcing and services contracts.

Most IT professionals are well versed in ITIL and its framework. They will introduce the concepts into statements of work and related documents with the expectation that their lawyers and sourcing professionals understand the basics well enough to identify issues and requirements and negotiate in a meaningful way.

With this in mind, it is time for IT lawyers and sourcing professionals to get up to speed. Below are some of the basics to get started:

  • ITIL—which stands for the “Information Technology Infrastructure Library”—is a set of best practice publications for IT service management that are designed to provide guidance on the provision of quality IT services and the processes and functions used to support them.
  • ITIL was created by the UK government almost 20 years ago and is being adopted widely as the standard for best practice in the provision of IT services. The current version of ITIL is known as the ITIL 2011 edition.
  • The ITIL framework is designed to cover the full lifecycle of IT and is organized around five lifecycle stages:
    1. Service strategy
    2. Service design
    3. Service transition
    4. Service operation
    5. Continual service improvement
  • Each lifecycle stage, in turn, has associated common processes. For example, processes under the “service design” stage include:
    1. Design coordination
    2. Service catalogue management
    3. Service level management
    4. Availability management
    5. Capacity management
    6. IT service continuity management
    7. Information security management systems
    8. Supplier management
  • The ITIL glossary defines each of the lifecycle stages and each of the covered processes.

ITIL® is a registered trademark of AXELOS Limited.


Tri-Agency Health Information Technology Report Issued


On Thursday, April 3rd, the three federal agencies charged with regulating components of health information technology (“Health IT”) issued their long-awaited Health IT Report: Proposed Strategy and Recommendations for a Risk-Based Framework (the “Report”).  The Report seeks to develop a strategy to address a risk-based regulatory framework for health information technology that promotes innovation, protects patient safety, and avoids regulatory duplication.

Congress mandated the development of the Report as part of the 2012 Food and Drug Administration Safety and Innovation Act, requiring the Food and Drug Administration (“FDA”), the Office of the National Coordinator for Health Information Technology (“ONC”), and the Federal Communications Commission (“FCC”) to coordinate their efforts to regulate Health IT.  Notably, the Report identifies and distinguishes between three types of Health IT: (i) health administration Health IT, (ii) health management Health IT, and (iii) medical device Health IT.

The recommendations in the Report include continued interagency cooperation and collaboration, the creation of a public-private safety entity—the Health IT Safety Center—and a risk based approach to the regulation of Health IT.  The Report emphasizes that the functionality of Health IT and not the platform for the technology (mobile, cloud-based, or installed software) should drive the analysis of the risk and the regulatory controls on Health IT.

In very good news for the Health IT community, the Report included a recommendation that, “no new or additional areas of FDA oversight are needed.”  The report emphasized that even if the functionality of health management Health IT meets the statutory definition of a medical device, the FDA will not focus its oversight attention in this area.  The Report gives additional guidance on clinical decision support (“CDS”) tools, clarifying that a number of CDS tools can be categorized as health management Health IT and do not require further regulation by FDA.  However, the Report noted that certain types of CDS tools that are currently regulated as medical devices by the FDA would continue to be so regulated.  These FDA-regulated CDS tools include computer aided detection and diagnostic software and robotic surgical planning and control tools.

The agencies intend to convene a public meeting on the proposed strategy within 90 days and to finalize the Report based on public input.

By: Ellen L. Janos

Final health IT innovators win funding for cancer treatment apps

Recently posted in the National Law Review an article by U.S. Department of Health & Human Services regarding Cancer Treatment Apps Funding for Health IT Innovators:

Innovative winners of an HHS public data and cancer challenge have created health IT applications that use public data and existing technology to help patients and health care professionals prevent, detect, diagnose and treat cancer. The two winners presented their submissions during a special symposium today at the Hawaii International Conference on Systems Sciences and were each awarded $20,000 by the Office of the National Coordinator for Health Information Technology (ONC).  The two winning applications include:

  • Ask Dory! – submitted by Chintan Patel, Ph.D.; Sharib Khan, M.D., M.A., M.P.H.; and Aamir Hussain of Applied Informatics LLC – helps patients find information about clinical trials for cancer and other diseases, integrating data from www.ClinicalTrials.gov and making use of an entropy-based, decision-tree algorithm.  A functional demonstration of the application is available at http://Dory.trialx.com.

  • My Cancer Genome – submitted by Mia Levy, Ph.D., M.D., of the Vanderbilt University Medical Center – provides therapeutic options based on the individual patient’s tumor gene mutations, making use of the NCI’s physician data query clinical trial registry data set and information on genes being evaluated in therapeutic clinical trials.  The app is in operation at www.MyCancerGenome.org.

Information on the four semifinalist teams can be found at http://go.USA.gov/5DA.

With the support of the National Cancer Institute, part of the National Institutes of Health, ONC launched the “Using Public Data for Cancer Prevention and Control: From Innovation to Impact” challenge this summer in support of ONC’s Investing in Innovation (i2) program. The i2 program utilizes prizes and challenges to facilitate innovation and obtain solutions to intractable health IT problems.  Aligned with the Obama administration’s innovation agenda, i2 is the first federal program to operate under the authority of the America COMPETES Reauthorization Act.

“What makes these health IT challenges so powerful is their ability to catalyze the expertise and creativity of innovators both in and out of health care,” said Wil Yu, ONC’s special assistant for innovations.  “We seek breakthrough solutions to nuanced issues; some are ready for the marketplace and some are prototypes, but all will have a great potential to benefit Americans.  Ask Dory and My Cancer Genome are examples of results that innovation challenges can incentivize and deliver – we’re really excited to see their impact.”

For additional details on the “Using Public Data for Cancer Prevention and Control” challenge, visit www.Health2Challenge.org/using-public-data-for-cancer-prevention-and-control-from-innovation-to-impact-2.

For additional information about ONC or on the Investing in Innovation (i2) program, visit http://HealthIT.gov.

© Copyright 2011 U.S. Department of Health & Human Services