Keith W. Boone
@motorcycle-guy.bsky.social
A.k.a., motorcycle_guy on Twitter and @MotorcycleGuy@med-mastodon.com Patient, Standards Guru for @PointClickCare, threads represent my opinions.
I will share one though, on PC-10f (re: TEFCA)
f. Are there redundant standards, ... that should be consolidated?
There are always redundancies. QTF R1 is different from QTF R2, yet provides similar data, just at different granularity. Don’t try to consolidate standards. That just leads to:
f. Are there redundant standards, ... that should be consolidated?
There are always redundancies. QTF R1 is different from QTF R2, yet provides similar data, just at different granularity. Don’t try to consolidate standards. That just leads to:
June 3, 2025 at 12:13 PM
I will share one though, on PC-10f (re: TEFCA)
f. Are there redundant standards, ... that should be consolidated?
There are always redundancies. QTF R1 is different from QTF R2, yet provides similar data, just at different granularity. Don’t try to consolidate standards. That just leads to:
f. Are there redundant standards, ... that should be consolidated?
There are always redundancies. QTF R1 is different from QTF R2, yet provides similar data, just at different granularity. Don’t try to consolidate standards. That just leads to:
So, what I'm actually doing right now is writing my responses to the #CMSRFI in a Word Document. I'll ship it out as BlueSky posts when I can. I do have some #HL7 #Connectathon stuff going on over the next two days, so probably towards the end of the week.
June 3, 2025 at 12:06 PM
So, what I'm actually doing right now is writing my responses to the #CMSRFI in a Word Document. I'll ship it out as BlueSky posts when I can. I do have some #HL7 #Connectathon stuff going on over the next two days, so probably towards the end of the week.
Commenting on the #CMSRFI is a little bit different than commenting on regulation. It's just a bunch of questions to respond to. I've gathered them up in a Google Doc you can download here: docs.google.com/document/d/1...
CMS RFI Questions
1. Patient Needs PC-1. What health management or care navigation apps would help you understand and manage your (or your loved ones) health needs, as well as the actions you should take? a. What are t...
docs.google.com
June 2, 2025 at 1:28 PM
Commenting on the #CMSRFI is a little bit different than commenting on regulation. It's just a bunch of questions to respond to. I've gathered them up in a Google Doc you can download here: docs.google.com/document/d/1...
Finally, #HIPAA 164.320 Severability adds a clause that basically says:
If anything here is invalid or unenforceable, etc... it shall be interpreted to give the maximum effect & if necessary will be held separate so as to not affect anything else we said you gotta do.
If anything here is invalid or unenforceable, etc... it shall be interpreted to give the maximum effect & if necessary will be held separate so as to not affect anything else we said you gotta do.
January 8, 2025 at 10:17 PM
Finally, #HIPAA 164.320 Severability adds a clause that basically says:
If anything here is invalid or unenforceable, etc... it shall be interpreted to give the maximum effect & if necessary will be held separate so as to not affect anything else we said you gotta do.
If anything here is invalid or unenforceable, etc... it shall be interpreted to give the maximum effect & if necessary will be held separate so as to not affect anything else we said you gotta do.
#HIPAA 164.318 Transition was previously about Compliance deadlines & remains so, but in proposed rule, the text gets more convoluted and has to do with existing renewals and deeming compliance based on existing contracts. Get your lawyers to explain it, I'm not gonna.
January 8, 2025 at 10:17 PM
#HIPAA 164.318 Transition was previously about Compliance deadlines & remains so, but in proposed rule, the text gets more convoluted and has to do with existing renewals and deeming compliance based on existing contracts. Get your lawyers to explain it, I'm not gonna.
#HIPAA 164.316 Documentation requirements is largely unchanged but somewhat restructured. The maintenance of documentation is strengthened from as needed to at least annually.
January 8, 2025 at 10:17 PM
#HIPAA 164.316 Documentation requirements is largely unchanged but somewhat restructured. The maintenance of documentation is strengthened from as needed to at least annually.
Which brings us to section 314 Organizational requirements. I would say this is largely unchanged except the new requirement that any time an organization activates its contingency plan it must notify the organization or group health plan it has a BAA with w/in 24 hours.
January 8, 2025 at 10:17 PM
Which brings us to section 314 Organizational requirements. I would say this is largely unchanged except the new requirement that any time an organization activates its contingency plan it must notify the organization or group health plan it has a BAA with w/in 24 hours.
Moving on to #HIPAA Section 310, Physical Safeguards
Mostly the same, ADDED annual maintenance requirement to each standard whereby you must review & test policies & procedures at least annually.
And implementation specs for workstation use & technology assets (a.k.a., devices)
Mostly the same, ADDED annual maintenance requirement to each standard whereby you must review & test policies & procedures at least annually.
And implementation specs for workstation use & technology assets (a.k.a., devices)
January 8, 2025 at 10:17 PM
Moving on to #HIPAA Section 310, Physical Safeguards
Mostly the same, ADDED annual maintenance requirement to each standard whereby you must review & test policies & procedures at least annually.
And implementation specs for workstation use & technology assets (a.k.a., devices)
Mostly the same, ADDED annual maintenance requirement to each standard whereby you must review & test policies & procedures at least annually.
And implementation specs for workstation use & technology assets (a.k.a., devices)
In #HIPAA, § 164.306 Security standards: General rules is revised a bit, but mostly unchanged EXCEPT
(b)(2)(v) is added to require consideration effectiveness of the measure AND
(c) requires both standards & implementation specifications and (d) drops [THIS IS A BIG CHANGE].
(b)(2)(v) is added to require consideration effectiveness of the measure AND
(c) requires both standards & implementation specifications and (d) drops [THIS IS A BIG CHANGE].
January 8, 2025 at 10:17 PM
In #HIPAA, § 164.306 Security standards: General rules is revised a bit, but mostly unchanged EXCEPT
(b)(2)(v) is added to require consideration effectiveness of the measure AND
(c) requires both standards & implementation specifications and (d) drops [THIS IS A BIG CHANGE].
(b)(2)(v) is added to require consideration effectiveness of the measure AND
(c) requires both standards & implementation specifications and (d) drops [THIS IS A BIG CHANGE].
Finally, 3 #HIPAA definitions changed:
Access: Add delete, transmit, substitute "component of an information system" for "system resource"
Malicious software: includes "firmware" with more description of the intent or impact
Technical Safeguards: Clarified & included technical controls as a subtype
Access: Add delete, transmit, substitute "component of an information system" for "system resource"
Malicious software: includes "firmware" with more description of the intent or impact
Technical Safeguards: Clarified & included technical controls as a subtype
January 8, 2025 at 10:17 PM
Finally, 3 #HIPAA definitions changed:
Access: Add delete, transmit, substitute "component of an information system" for "system resource"
Malicious software: includes "firmware" with more description of the intent or impact
Technical Safeguards: Clarified & included technical controls as a subtype
Access: Add delete, transmit, substitute "component of an information system" for "system resource"
Malicious software: includes "firmware" with more description of the intent or impact
Technical Safeguards: Clarified & included technical controls as a subtype
With respect to "Reasonably educated", that includes neither lawyers nor regulatory pedants. Both are over-educated and so might actually care about the improved text in #HIPAA
January 8, 2025 at 10:17 PM
With respect to "Reasonably educated", that includes neither lawyers nor regulatory pedants. Both are over-educated and so might actually care about the improved text in #HIPAA
Some #HIPAA definitions were clarified, but not really functionally changed from the perspective of a reasonably educated person.
* Administrative safeguards
* Information System
* Password
* Physical Safeguards
* Security or Security Measures
* Security Incident
* Workstation
* Administrative safeguards
* Information System
* Password
* Physical Safeguards
* Security or Security Measures
* Security Incident
* Workstation
January 8, 2025 at 10:17 PM
Some #HIPAA definitions were clarified, but not really functionally changed from the perspective of a reasonably educated person.
* Administrative safeguards
* Information System
* Password
* Physical Safeguards
* Security or Security Measures
* Security Incident
* Workstation
* Administrative safeguards
* Information System
* Password
* Physical Safeguards
* Security or Security Measures
* Security Incident
* Workstation