Mid-week update

The Administration announced today, according to the Washington Post, that it will no longer defend the Defense of Marriage Act in court. The FEHB Act extends self and family coverage to the enrollee's spouse. The Defense of Marriage Act, which was enacted in 1996, requires the word "spouse" when found in a federal statute to mean an a person of the opposite sex.

Last year, a federal court in Massachusetts, one of the small number of states where same sex marriages currently may be performed, held the Defense of Marriage Act to be unconstitutional in the context of FEHB Program self and family coverage. The court stayed the enforcement of its decision pending an appeal. Both sides appealed but now the federal government presumably will dismiss its appeal. The FEHBlog expects that OPM will be issuing guidance soon.

Bear in mind that the FEHBlog expects that this action will lead to coverage of same sex spouses, but not same sex domestic partners who are not legally married. Senator Joe Lieberman (I Conn.) sponsored a bill in the last Congress to extend FEHB Program coverage to those folks.

Health Data Management reports that HHS soon will be issuing as a package final changes to the HIPAA Privacy Rule, the HIPAA Security Rule and the nationwide unsecured protected health information breach rule in accordance with the HITECH Act of 2009.

Some of the key changes the Office for Civil Rights is seeking:
* If patients ask for their treatment information, and it’s not in a readily available format they requested, the default will be to provide them direct electronic access to that information.
* If patients want restrictions how what data is shared among health care entities (Greene used an example of a patient who didn’t want treatment information he paid for out-of-pocket to be sent to a health insurer) then EHRs must be able to handle those restrictions.
 * Business associates can be held directly liable for privacy and security rules (240 days after the final rules are issued). Business associates already can be found directly liable under the breach notification rule. In addition, subcontractors will be held to the same liability as business associates.
* In accounts of disclosures of patient information, treatment, payment and health care operations information must be tracked and disclosed.

Ihealthbeat reports on a super sized $4.3 million civil penalty -- authorized under the HITECH Act -- that HHS imposed on Cignet Health, a Maryland healthcare provider, which had failed to comply with the record disclosure requests of 41 patients. (That's an individual rights violation under the HIPAA Privacy Rule, not a privacy or security breach.) According to the Washington Post, This is the first civil penalty levied under the HITECH Act but it certainly won't be the last.

Finally, the Chicago Tribune reports on a drug shortage that U.S. hospitals are experiencing.  "Part of the shortage is being caused by manufacturing issues and quality-control problems at a number of companies that include Lake Forest-based Hospira Inc., one of the primary makers of generic injectable prescription medicines, as they respond to the federal government's crackdown on drug safety."