The U.S. Food and Drug Administration today advised consumers not to use certain respiratory medications purchased after Sept. 8, 2009 and manufactured by Dey L.P., a subsidiary of Mylan Inc., because the medications might have been part of a shipment being transported on a tractor-trailer stolen in Tampa, Fla., on Sept. 8, 2009.

The respiratory medications, Ipratropium Bromide Inhalation Solution, 0.02%, and Albuterol Sulfate Inhalation Solution, 0.083%, unit-dose vials, have not been recovered and may be dangerous to use because the drugs may not have been stored and handled properly.

Dey issued an advisory on Sept. 11, 2009 regarding the theft. Although the FDA is not aware of any reports of adverse events, the agency is advising patients who use these respiratory medications to check to see if products received or purchased after Sept. 8, 2009 are from one of the following lots:

Albuterol Sulfate Inhalation Solution (892,000 doses; all lots contain 3.0 ml vials and display the brand name “Dey”)

• Lot number 9G04, NDC # 49502-697-29
• Lot number 9FD8, NDC # 49502-697-61
• Lot number 9FD9, NDC # 49502-697-61
• Lot number 9FE1, NDC # 49502-697-61

Ipratropium Bromide Inhalation Solution (432,000 doses; all lots contain 2.5 ml vials and display the brand name “Dey”)

• Lot number F09089, NDC # 49502-685-31
• Lot number C09119, NDC # 49502-685-62
• Lot number C09120, NDC # 49502-685-62

Do not use Albuterol Sulfate Inhalation Solution or Ipratropium Bromide Inhalation Solution if it is from one of these lots and was purchased or received after Sept. 8, 2009. Replace it with the same product from another lot.

Notify your health care professional of any adverse effects you may have experienced as a result of taking these medications.

Bring products from these lots back to the pharmacy where you received the medicine to exchange for products from a different lot or call Dey customer service at 800-527-4278. Contact your health care professional if you must switch to another product for any reason for possible dose adjustments.

The FDA is asking for the public’s help in reporting any information regarding the stolen Dey products to the FDA’s Office of Criminal Investigations (OCI) by calling 800-551-3989 or by visiting the OCI Web site (http://www.fda.gov/OCI).

Civil Monetary Penalties and Enforcement Expanded

The HITECH Act amends the civil monetary penalty (CMP) provisions for HIPAA violations to include tiered increases in amounts of CMPs as follows:

• Where a person “did not know,” at least $100, but no more than $50,000, for each such violation
• Where there was “reasonable cause” but no willful neglect, at least $100, but no more than $50,000, for each such violation
• If there was willful neglect, at least $10,000, but no more than $50,000, for each such violation

The new CMP provisions are effective and applicable immediately to all violations occurring from and after the date of enactment of the HITECH Act. Also, within three years after the enactment of the HITECH Act (February 17, 2012), the Secretary of the federal Department of Health and Human Services (DHHS) is obligated to establish regulations that will allow individuals harmed by privacy and security violations to receive a percentage of any CMP or monetary settlement collected with respect to such offense.

The HITECH Act also authorizes each state attorney general (AG) for the first time to begin pursuing civil actions for HIPAA privacy and security violations that have threatened or adversely affected a resident of the AG’s respective state. For any violation that occurs on or after February 17, 2009, state AGs are now authorized to obtain statutory damages on behalf of any such residents of their state in an amount equal to $100 for each violation of a single requirement, up to a total of $25,000 for violations of that requirement. Attorneys’ fees are also allowed to be collected by an AG for pursuing civil actions for HIPAA privacy and security violations.

Expanded Applicability

The HITECH Act now directly obligates business associates to comply with the HIPAA Security Rule’s administrative, physical and technical safeguard requirements, including developing and implementing comprehensive written security policies and procedures with respect to the protected health information (PHI) that they handle. Failure by business associates to abide by such requirements can result in CMPs being assessed directly against them.

In addition, any organization, with respect to a covered entity, that provides data transmission of PHI to such entity (or its business associate) and that requires access to PHI on a routine basis must now be treated as a business associate and enter into a HIPAA-compliant business associate agreement. Examples of such entities include Health Information Exchange Organizations, Regional Health Information Organizations, or “any vendor that contracts with a covered entity to allow that covered entity to offer a personal health record to patients as part of its electronic health record.” Where such entities would now be considered “business associates,” they then are also required to directly comply with the HIPAA Security Rule provisions, which the HITECH Act made directly applicable to business associates. It then follows that such organizations are now also directly subject to potential CMPs and statutory damages for violations.

New Privacy and Security Requirements

• Security Breach Notification Requirements: Security breach notification requirements under the HITECH Act go into effect 30 days after the date that interim final regulations are promulgated, which will be no later than 180 days after the date of enactment of the HITECH Act (August 16, 2009). Covered entities, business associates and vendors who handle personal health records are required to abide by breach notification requirements. Violations of this requirement by vendors would be treated as an unfair and deceptive act or practice in violation of the Federal Trade Commission Act. If a breach affects more than 500 individuals of a particular state, notice also must be provided to prominent media outlets following the discovery of the breach.
• Complying with Requested Restrictions: Every covered entity must now comply with an individual’s requested restriction on how it uses and discloses the individual’s PHI if the disclosure is to a health plan for purposes of carrying out payment or health care operations, and the PHI pertains solely to a health care item or service for which the health care provider involved has been paid out of pocket in full.
• Minimum Necessary Disclosures: Within 18 months after the date of enactment of the HITECH Act (August 17, 2010), new guidance shall be issued governing what constitutes the “minimum necessary” for purposes of disclosures under the privacy rule. Covered entities must, when otherwise permitted, disclose only the “minimum necessary” to accomplish the intended purpose for such disclosure.
• Accounting of Disclosures with EHRs: Covered entities that use and disclose PHI through electronic health records (EHRs) are required to provide individuals with an accounting, when requested, for the prior three-year period. Uses and disclosures of PHI through EHRs include treatment, payment and health care operations. Covered entities with EHRs may need to begin accounting for disclosures as early as January 1, 2011, depending on when they acquire and begin to use an EHR.
• Access Rights to Electronic Format: The HIPAA Privacy Rule is amended to give individuals the right to obtain access to their PHI in electronic format, if they so request.
• Health Care Operations: The definition of “health care operations” will be reviewed by the Secretary of DHHS by August 17, 2010, and narrowed or clarified.
• Marketing: The HIPAA Privacy Rule is amended to limit when a covered entity may disclose PHI as part of a health care operation if it receives or has received direct or indirect payment in exchange for making such communication, except in specified circumstances.
• “Sale” of PHI: Covered entities and business associates are prohibited from directly or indirectly receiving any remuneration in exchange for any PHI of an individual unless a valid authorization is obtained from the individual, except in a very limited number of circumstances, including research, public health activities, treatment of the individual, and in connection with the sale of a covered entity to a buyer of the business. The narrow list of exceptions are all subject to any additional restrictions that may be found in regulations regarding “sale of PHI” to be promulgated by the Secretary of DHHS no later than August 17, 2010. The effective date of the ban on the sale of PHI under the HITECH Act is six months after the date that the final regulations are promulgated.
• Effective Date: Unless otherwise specified, the effective date of all provisions is one year from the date of enactment of the HITECH Act, or February 17, 2010.

What Should Affected Entities Do?

At a minimum, affected entities that are already subject to HIPAA compliance should begin making the following changes:

• Update Notice of Privacy Practices to reflect changes in privacy and security policies
• Update HIPAA privacy and security policies accordingly
• Develop a detailed Breach Notification Policy that complies with HITECH and any state law counterpart to the new federal breach notification provisions
• Expand business associate lists to include vendors and others
• Update Business Associate Agreements to include expanded new requirements

What Should Entities that Have Not Previously Been Subject to HIPAA Do?

Entities that have not yet been subject to HIPAA compliance or have had limited compliance requirements under HIPAA should examine the new scope of HIPAA, as it may be applicable to them under the HITECH Act in order not to unintentionally become non-compliant.

Copper’s antimicrobial benefits have been known intuitively for thousands of years. Egyptians used copper to sterilize drinking water and wounds, and the Aztecs treated sore throats with copper.

“Back in Greek and Roman times, people used copper for several health-related applications,” said Jim Michel, manager of technical services for the Copper Development Association (CDA), New York, which spearheaded the campaign for copper’s antimicrobial status. “They didn’t know why, but they knew [copper] did something positive.”

Now, after extensive testing and negotiations, lead by Harold Michels, senior vice president for CDA, and more than a year waiting for a decision from EPA, copper can legally be associated with public health claims that are backed by science. According to the EPA registration, certain copper alloys:

* continuously reduce bacterial contamination, achieving 99.9% reduction within two hours of exposure;

* kill greater than 99.9% of bacteria within two hours of exposure;

* deliver continuous and ongoing antibacterial action, remaining effective in killing greater than 99.9% of bacteria within two hours, even after repeated wear and re-contamination;

* help inhibit the growth of bacteria within two hours of exposure before and after cleaning and sanitizing.

Copper’s antimicrobial properties are a supplement to standard infection control practices. Together, they can reduce the number of disease-causing bacteria found in hosptial rooms.

Prove It

In order to legally make public health claims related to antimicrobial copper alloys, a material must be registered with EPA. Some products, such as commercially available silver-ion coatings, are registered under a treated article exemption, which means the product only protects the item containing the antimicrobial ingredient (for example, fungicide) and not the user. But in order to make a public health claim, EPA-approved efficacy tests are required.

Certain antimicrobial gases and liquids, such as sterilizers, disinfectants and sanitizers, are all products that have been legally registered to make a public health claim. However, EPA didn’t have a template for CDA to follow when the organization first broached the possibility of registering copper as antimicrobial because the agency never before had given a solid surface material a public health registration under the Federal Insecticide, Fungicide and Rodenticide Act. The organization wanted to treat the prospect with caution.

“It was an unprecedented case,” Michel said. “We had to go through every step and negotiate the protocols. Initially, we had to determine what kind of evidence the EPA would accept.”

After several meetings, EPA approved three protocols. The required test results show that copper kills bacteria, that it stays effective at killing bacteria even after wet and dry abrasion (to prove that its antimicrobial property will not wear away), and that it continuously kills bacteria after repeated contamination.

The efficacy tests were conducted against five different kinds of bacteria in accord with EPA Good Laboratory Practices, which ensure that protocol were followed and facilitate EPA audits. The tests concluded that copper was effective in killing Methicillin-resistant Staphylococcus aureus (MRSA)–one of the most virulent strains of antibiotic-resistant bacteria and a common cause of hospital and community-acquired infections (Figs. 1-2). The other bacterium tested and approved were Escherichia coli O157:H7 (E coil), Pseudomonas aeruginosa, Staphylococcus aureus and Enterobacter aerogenes.

Next Steps

Copper’s antimicrobial properties should be particularly advantageous in applications where the surface is frequently touched key areas where disease-causing bacteria live. Initial prototype applications for copper components include IV poles and hospital hardware, such as door handles and chair arms.

The eventual applications are wide and varying, but it will require a change in what the health community perceives as clean and sanitary. Stainless steel is a popular material in hospitals for its clean look, and coatings are often used to achieve a bacteria fighting or neutralizing surface. But coatings wear off, and stainless steel showed no indications of antimicrobial properties in the tests conducted as part of copper’s EPA application.

Copper’s antimicrobial properties go beyond a surface coating, and provided the surface is clean, copper will continue to kill bacteria after wear and abrasion. To be effective, no other surface coating can be applied to copper parts to avoid tarnishing. Tarnished copper or bronze can look unsanitary, even when it isn’t, and this could lead to a perception problem. However, testing has shown that tarnished surfaces maintain their antimicrobial efficacy.

In many respects, the HITECH Act makes business associates de facto covered entities. They will now have to comply with many provisions in the Privacy and Security Rules that previously were only the concern of covered entities. This article summarizes the recent changes and how they may affect companies in their roles as business associates. The article describes the current law under the Privacy and Security Rules, the changes made by the HITECH Act, and the effect and brief course of action business associates should consider as part of their compliance plan. Unless otherwise noted, the compliance deadline for the new HIPAA requirements is February 17, 2010 (one year following ARRA’s enactment into law).

Business associates that have not been subject to HIPAA before must become familiar with the new changes in the HITECH Act or risk becoming inadvertently non-compliant and subject to stiff penalties. Companies should review and amend their existing policies and procedures, train staff members regarding the new changes, evaluate IT and encryption capabilities, and hire qualified legal counsel experienced with HIPAA.

Application of the Security Rule and Penalties to Business Associates

Current Law: The Security Rule includes three sets of safeguards that covered entities are required to implement: administrative, physical, and technical. Administrative safeguards include functions such as assigning security responsibilities to employees, maintaining security policies and procedures, and training staff. Physical safeguards are intended to protect electronic systems and data from physical threats, environmental hazards, and unauthorized access. Technical safeguards are primarily IT functions used to protect and control access to data, such as the use of passwords and having computers automatically log-off users after a certain length of inactivity. HIPAA permits business associates to create, receive, maintain or transmit electronic PHI on behalf of a covered entity, provided that the parties executed a business associate agreement, which states that the business associate will implement protections that reasonably and appropriately safeguard PHI. Violations cannot be enforced directly against business associates.

Change under the HITECH Act: The HITECH Act now obligates business associates to comply with the Security Rule’s administrative, physical, and technical safeguard requirements. Civil and criminal penalties for violating those standards now directly apply to business associates. Civil penalties for HIPAA violations have increased to a range of $100 to $50,000 per violation, with maximum penalties for additional violations in any one year ranging from $25,000 to $1,500,000. Also, the U.S. Department of Health and Human Services (“HHS”) is required to distribute portions of collected civil monetary penalties to the persons whose information was improperly disclosed or used, which could create a financial incentive for individuals to report suspected HIPAA violations.

The Effect on Business Associates: Business associates must comply with the Security Rule, including developing and implementing written security policies and procedures with respect to the electronic PHI they handle. Failure to abide by the Security Rule requirements subjects a business associate to severe fines. Note that the Security Rule includes “implementation specifications” and they are either “required” or “addressable.” Required implementation specifications must be implemented as set forth in the Security Rule and no variation is permitted. “Addressable” does not mean optional, but allows entities the flexibility to use alternative means when complying with the goal of the regulation.

Notification in the Case of a Breach

Current Law: HIPAA does not require covered entities or business associates to notify HHS or individuals of a privacy or security breach.

Change under the HITECH Act: Upon discovery of a breach of unsecured PHI under its control, a business associate is required to notify the covered entity, which then must notify the impacted individual. Notice of the breach must be provided to HHS and prominent media outlets serving a particular area if more than 500 individuals in that area are impacted. If the breach impacts fewer than 500 individuals, the covered entity involved would have to maintain a log of such breaches and submit it to HHS annually. Within 180 days of ARRA’s enactment, HHS is required to issue interim final regulations to implement this section. The provisions in the section would apply to breaches discovered at least 30 days after the regulations are published.

The Effect on Business Associates: Business associates should ensure that the electronic PHI they transmit is encrypted. Business associates should consider adopting internal procedures for reporting breaches and mitigating potential damages therefrom. Final regulations on how to implement this section are forthcoming from HHS.

Education of Health Information Privacy

Current Law: The Privacy Rule requires each covered entity to designate a privacy official for the development and implementation of its privacy policies and procedures.

Change under the HITECH Act: Within six months of ARRA’s enactment, HHS will designate a privacy advisor in each HHS Regional Office. The privacy advisor will offer education and guidance to covered entities and business associates regarding privacy and security rights and responsibilities. Within 12 months of ARRA’s enactment, the HHS Office of Civil Rights (“OCR”) must develop and maintain a national education program to educate the public about privacy rights and the use of PHI.

The Effect on Business Associates: While there is nothing required of business associates under this section of the HITECH Act, companies should consider appointing someone as a privacy and security officer who will coordinate HIPAA compliance. Also, if business associates need to contact the HHS Regional Office, the contact information can be found here: http://www.hhs.gov/about/regions/.

Application of Privacy Provisions and Penalties to Business Associates

Current Law: Under the Privacy Rule, a covered entity may disclose PHI to a business associate if the parties execute a business associate agreement requiring the business associate to appropriately safeguard PHI. Violations cannot be enforced directly against business associates.

Change under the HITECH Act: Business associates can incur civil and criminal penalties for violating the terms of business associate agreements.

The Effect on Business Associates: Business associates should ensure that they comply with their current and future business associate agreements and the privacy provisions therein. Business associates should review the terms of these agreements to confirm that they have taken all necessary steps to comply with them.

Accounting of Certain PHI Disclosures

Current Law: Individuals have the right to an accounting of PHI disclosures by a covered entity during the previous six years, with certain exceptions. For example, a covered entity is not required to account for disclosures that have been made to carry out treatment, payment, and health care operations.

Change under the HITECH Act: An individual now has the right to receive an accounting of PHI disclosures made by covered entities and business associates for treatment, payment, and health care operations during the previous three years, if the disclosures are made through an electronic health record. The effective dates for compliance vary depending upon when the covered entity or business associate receives the electronic health record.

The Effect on Business Associates: For each electronic health record, business associates will have to maintain information that could be used if an individual requests an accounting of disclosures. This means that business associates will need a system in place to record what is disclosed, when and to whom. The effective date of this requirement varies: (1) As for electronic health records acquired as of January 1, 2009, it must keep an accounting of disclosures made on or after January 1, 2014. (2) In the case of electronic health records acquired after January 1, 2009, it must keep an accounting of disclosures made on or after (a) January 1, 2011; or (b) the date that it acquires the electronic health record. HHS may postpone the effective dates to be no later than 2016 for (1) above and no later than 2013 for (2) above.

Improved Enforcement

Current Law: HIPAA authorizes HHS to impose civil monetary penalties for HIPAA non-compliance. The maximum civil fine is $100 per violation, up to $25,000 for all violations of an identical requirement or prohibition during a calendar year. Civil monetary penalties may not be imposed in certain instances, including when the violation is a criminal offense under HIPAA’s criminal penalty provisions. In cases of certain wrongful disclosures of PHI, the OCR may refer the case to the U.S. Department of Justice for criminal prosecution. HIPAA’s criminal penalties include fines of up to $250,000 and up to 10 years in prison for disclosing or obtaining PHI with the intent to sell, transfer or use it for commercial advantage, personal gain, or malicious harm.

Changes under the HITECH Act: HIPAA is amended to permit OCR to pursue an investigation and impose civil monetary penalties against any individual for an alleged criminal violation of the Privacy and Security Rules even if the Justice Department does not prosecute the individual. In addition, HIPAA is amended to require a formal investigation of complaints and the imposition of civil monetary penalties for violations due to willful neglect. HHS is required to issue regulations to implement these amendments within 18 months of ARRA’s enactment. Within three years of ARRA’s enactment, HHS is required to establish a methodology to distribute a percentage of collected penalties to harmed individuals. Finally, state Attorney Generals are now authorized to bring civil actions in federal district court against individuals who violate HIPAA in order to enjoin further violations. OCR may still use corrective action without a penalty in cases where the person did not know, and by exercising reasonable diligence would not have known, about the violation.

The Effect on Business Associates: Business associates are now on notice that state and federal authorities have greater authority to bring civil and criminal actions against all individuals who violate HIPAA’s requirements.

Compliance Audits

Current Law: HHS is authorized to conduct compliance reviews to determine whether covered entities are complying with HIPAA standards.

Changes under the HITECH Act: HHS is now required to perform periodic audits to ensure that covered entities and business associates are complying with HIPAA.

The Effect on Business Associates: Business associates are now on notice that HHS is not just authorized, but is required to conduct compliance audits of covered entities and business associates.

Business associates that previously were not subject to HIPAA must now be cognizant of the changes included in the HITECH Act. Impacted companies must develop a plan to comply with most of the new changes by February 17, 2010.

First, the Philips HeartStart MRx monitor/defibrillator enables paramedics to wirelessly transmit vital 12-lead electrocardiogram (ECG) data on the heart’s condition while en route to the hospital. Once this data is received, caregivers move into action, preparing the catheterization (cath) lab before the patient arrives. Philips informatics solutions throughout the D2B care cycle deliver instant access to and seamless sharing of clinical information throughout the hospital. Inside the emergency department and cath lab, Philips cardiovascular imaging equipment helps clinicians pinpoint issues in the heart and allows for confidently planned and executed interventional procedures. 

Some of these advanced solutions are helping the community of Glendale, Arizona save valuable time for critical STEMI patients. Outfitted with a HeartStart MRx in every fire engine, the Glendale Fire Department utilizes the innovative pre-hospital triaging technology when a patient displays symptoms consistent with STEMI. 

“HeartStart MRx has reduced D2B times, as previously we would have to obtain the 12-lead ECG inside the hospital and wait for a decision on next treatment steps,” said Daniel Wintrow, captain and paramedic with the Glendale Fire Department. “Now, our paramedics are able to send digital quality 12-lead ECG data to the hospital while in transit, which can dramatically cut down on time and help physicians make decisions about appropriate care before arrival.” For more information about Philips AEDs log onhttp://www.promedicalonline.com/productcart/pc/viewCategories.asp?idCategory=64