Legal Health Information Exchange

ACO Rule Keeps HIE Consent "On the Fence"

helen@oscislaw.com (Helen Oscislawski) — Wed, 08 Feb 2012 12:26:48 -0500

When DHHS published its Proposed ACO Rule in April 2011 and then the Final ACO Rule in November 2011 (I’ll refer to them as the “ACO Rules”), discussions focused predominately on issues such as who is “qualified” to participate, what the required governance structure should be, what methodology will be used to assign Medicare beneficiaries, and what the payment models will be. However, as I digested the ACO Rules, my reading deliberately slowed down as I zeroed in on the not unremarkable language and comments CMS included with regard to sharing individually identifiable health information in the ACO context.

Among other things, the ACO Rules would authorize key data sharing between CMS and an ACO. In particular, four categories of data could potentially be shared:

Aggregated Data
Personal Identifiers
Personally Identifiable Claims Data
Prescription Claims Data

In the Preamble to the Proposed Rule, CMS emphasized the importance of sharing these forms of data in order provide more complete information for the services provided or coordinated for the ACO beneficiary populations, better achieve improvements in the quality of care and gain a better understanding of the population served while lowering the growth in health care costs. Notably, while the ACO Rules would permit Medicare beneficiaries to “opt-out” of certain data sharing, other data would be shared without the patient’s consent. Moreover, it is clear that CMS deliberately chose to proceed with an opt-out approach, given its concerns regarding beneficiary participation and ACO Participant administrative burdens. In the Preamble to the ACO Rules, it noted that:

An opt-out approach is used successfully in most systems of electronic exchange of information because it is significantly less burdensome on consumers and providers while still providing an opportunity for caregivers to engage with patients to promote trust and permitting patients to exercise control over their data.” See 76 Fed Reg. 19560 (2011).

Although some of the information that CMS proposes for “sharing” will be de-identified, other information will be identifiable. For example, limited beneficiary data (i.e., name, DOB, gender, insurance claim number) would be made available at the beginning of the first performance year and in connection with quarterly aggregated data reports. Other data proposed to be shared could potentially include: (Medicare Part A & B) procedure codes; diagnosis codes; beneficiary IDs; DOB; geneder; date of dealth; claim ID; dates of service; provider/supplier ID; claim payment type; (Medicare Part D) beneficiary ID; prescriber ID; drug service date; drug product ID; if the drug is on the formulary.

CMS acknowledges in the ACO Rules that there could be privacy concerns with sharing identifiable information, but nevertheless takes the position that the HIPAA Privacy Rule permits disclosure for purposes of sharing Medicare Part A and Part B claims data with ACOs participating in the Shared Savings Program. The agency also specifically notes that the disclosures of claims data would be permitted as “health care operations”. Under HIPAA, a covered entity may disclose PHI to another covered entity for the recipient’s health care operations if they both have or had a relationship with the individual, the records pertain to that relationship, and the records will be used for a health care operation function meeting one of the first two paragraphs in the definition of health care operation under HIPAA.

Yet, although CMS explicitly states that it has the authority to share Medicare Claims Data without patient consent, the agency also notes that it “nonetheless believe(s) that beneficiaries should be notified of, and have meaningful control over who, has access to their personal health information for purposes of the Shared Savings Program.” See 76 FR 19559; See also 76 FR 67849. Therefore, while patients would not be able to opt-out of having de-identified aggregated data reports or limited identifiers shared with the ACOs, CMS will allow patients to opt-out of having claims data shared with the ACOs.

Over the past year, privacy, patient consent and HIE opt-in/opt-out continues to be debated (sometimes painfully). The debate continues essentially because certain stakeholders hold different and strong views on if, when and at what point affirmative patient consent is required (under current law) or should be required (through promulgation of new rules). As a result, some HIE collaboratives have required affirmative patient consent before any data is shared. Similarly, Recommendations from the ONC Tiger Team include, in part, that consent should be obtained before any information is shared with third parties, including Business Associates and HIOs(except where sharing is directed exchange (provider-to-provider), or between providers participating in an OHCA (as as side note, query if ACOs might qualify as OHCAs? probably...at least in some cases)). Others have determined that the value of networked electronic HIE – i.e., healthcare quality improvement and cost reduction – is most efficiently realized when certain data is readily shared without prior authorization or consent, in accordance with HIPAA's exceptions, as a presumed default. Now with CMS throwing its views on consent & opt-in/opt-out into the ring, at least with respect to ACO's data-sharing with Medicare, I'm sure many are anxious to see if the forthcoming HITECH Final Rule and NHIN Governance Rule will offer clear standards for the current HIE consent conundrum, or continue to precariously balance this issue on the fence....... I know I personally can't wait to see.

For more a more detailed analysis of privacy and the ACO Rules, download the February 2012 edition of our Health Law Diagnosis Newsletter.

State AG Brings First HIPAA Lawsuit Against Business Associate

knowik@oscislaw.com (Krystyna Monticello) — Wed, 08 Feb 2012 08:25:56 -0500

Last month, I posted how treatment of business associates during HIPAA investigations remains unclear as well as assignment of liability for breaches of PHI. A final "omnibus rule" is expected to clarify the HITECH business associate (and other) provisions this year, but in the meantime, much confusion remains.

Despite the lack of final business associate rules, and confusion or not, Minnesota has dived head first into action against a business associate for HIPAA violations. In the first HIPAA enforcement action directly against a business associate, Minnesota Attorney General Lori Swanson has brought an action against Accretive Health, Inc., pursuant to her authority under HITECH. In addition, multiple violations of Minnesota law are alleged, including the Minnesota Health Records Act, debt collection statutes, and consumer protection laws.

Accretive functions in multiple capacities for covered entities in Minnesota, including as treatment coordinator, debt collector and quality cost control and management partner. A breach last summer of data compiled by Accretive resulting from a stolen unencrypted laptop left in a rental car by an employee affected at least 23,531 patients. Information that was on the laptop included personal identifying information (name, address, phone number, Social Security Number), "medical scores" predicting the frailty, complexity and likelihood a patient would be admitted to the hospital, and dollar amounts allocated to the patient's health care provider, as well as whether patients had certain conditions such as bipolar disorder, depression, high blood pressure, asthma and back pain.

The HIPAA violations are quite extensive, with the complaint alleging:

failure to implement policies and procedures to prevent, detect, contain and correct security violations;
failure to implement policies and procedures to ensure appropriate access to electronic PHI by members of its workforce and prevent those without authorized access from accessing such PHI in violation of HIPAA;
failure to effectively train all members of its workforce, agents and independent contractors, on the policies and procedures regarding PHI as necessary and appropriate to carry out their functions and maintain security of the PHI;
failure to identify and respond to suspected or known security incidents and mitigate to the extent practiable harmful effects known to them;
failure to implement policies and procedures to limit physical access;
faiilure to implement policies and procedures governing receipt and removal of hardware and electronic media containing electronic PHI within and without the facility;
failure to implement technical policies and procedures for electronic information systems to allow access only to those granted access rights; and
failure to implement policies and procedures as otherwise required by HIPAA.

Almost more interesting than the alleged HIPAA violations (and what could potentially have been one of the driving forces behind the Attorney General taking action rather than the HIPAA violations), the complaint also alleges deceptive and fraudulent practices in that Accretive failed to disclose how much health information it was collecting on patients and its involvement in their health care, detailing in great length the importance of transparency for patients and the doctor-patient relationship. In the press release, Attorney General Swanson stated,

“Accretive showcases its activities to Wall Street investors but hides them from Minnesota patients. Hospital patients should have at least the same amount of information about Accretive’s extensive role in their health care that Wall Street investors do.”

This action has the potential to set precedent in Minnesota as to just how much transparency and information should be viewed as "necessary" for patients to make informed choices regarding their health care and medical records and the extent to which health care entities must take affirmative action to notify patients of their role in their health care.

Although the extensive HIPAA violations are merely one drop in the bucket of allegations against Accretive (e.g., fraud and deceptive practices, failure to notify of status as debt collector, release of health records in violation of the Minnesota Health Records Act), the enforcement action against Accretive makes it quite clear that covered entities aren't the only ones who need to be scrambling to get their ducks in a row. While other state Attorney Generals have previously brought actions against covered entities (e.g., Vermont, Indiana, Connecticut), now that a state has gone after a business associate directly, it would not come as a surprise to see other states joining in, even despite the lack of business associate rules.

For more information regarding what covered entities and business associates can do to prepare for a HIPAA audit or ward off the potential for enforcement action against them, see our November 17 blog post with links to additional HIPAA resources. A copy of the complaint against Accretive may also be found here.

CMS Provides Guidance on Meaningful Use Appeals Process

knowik@oscislaw.com (Krystyna Monticello) — Thu, 26 Jan 2012 15:01:52 -0500

CMS has released additional guidance for hospitals and eligible professionals on the Medicare EHR Incentive Program appeals process. The CMS Office of Clinical Standards and Quality (OCSQ), together with Provider Resources, Inc., the CMS appeals support contractor, will accept and review appeals filed by eligible professionals and hospitals. For those individuals and organizations participating in the Medicaid EHR Incentive Program, each state will have its own process for Medicaid appeals.

CMS began accepting appeals December 1, 2011. Appeals may be filed by eligible professionals and hospitals through an online web portal. In addition to eligibility determinations, eligible professionals and hospitals may appeal denials of status as a meaningful user as well as incentive payment calculations.

For hospitals, the deadline to appeal eligibility determinations has been extended to January 30, 2012. In general, a hospital or eligible professional has sixty (60) days after the issuance of an incentive payment to appeal the amount of the payment made. Additionally, hospitals and eligible professionals have thirty (30) days to appeal denials of their status as a meaningful user after receipt of a letter with the results of a meaningful use audit conducted by CMS. Limited extensions will be granted on a case-by-case basis under extenuating circumstances.

The first OCSQ informal review determination was released on January 19, 2012. CMS plans on making this and other OCSQ appeals opinions available in February on its EHR Incentive Program Appeals website. These opinions may provide additional guidance to eligible professionals and hosptials seeking to attest in 2012 for their first payment year.

Over $2 billion paid in Meaningful Use Incentive Payments and Counting

knowik@oscislaw.com (Krystyna Monticello) — Fri, 20 Jan 2012 09:08:28 -0500

In a report submitted to the Health Information Technology Policy Committee on January 10th, CMS highlighted progress in the Medicare and Medicaid EHR Incentive Programs ("Meaningful Use") and registration and attestation numbers for eligible hospitals and eligible professionals ("EPs"). For 2011, the two programs paid out over $2.5 billion in Meaningful Use incentive payments to EPs and hospitals who attested to Meaningful Use for 2011.

In 2011, 124,089 EPs registered for Medicare, 39, 503 EPs registered for Medicaid, and 2,834 hospitals registered for both programs. Out of the 842 hospitals that attested to Meaningful Use for FY 2011, 100% were succesful, with 99% of EPs that attested for 2011 also succesful.

CMS has made available additional information on a state-by-state basis which can be viewed on its EHR Data and Reports page. You'll notice also that CMS has "modernized" the look and feel of its webpages, not only for Meaningful Use, but in general for Medicare, Medicaid and other web resources.

Hospitals in their second payment year will generally need to meet Stage 1 Meaningful Use requirements for the full 12-month period in FY 2012. Due to concerns about the ability of EHR vendors to certify their products in compliance with Stage 2 requirements, once finalized, HHS has proposed to delay Stage 2 Meaningful Use, which was originally set to begin in 2013 for those who attested in 2011.

Input from the vendor community and the provider community makes clear that the current schedule for compliance with Stage 2 meaningful use objectives in 2013 poses a challenge for those who are attesting to meaningful use in 2011. The current timetable would require EHR vendors to design, develop, and release new functionality, and for providers to upgrade, implement, and begin using the new functionality as early as October 2012.

HHS has indicated that those hospitals and EPs that attested in 2011 would be able to attest to Stage 1 requirements for an additional year, giving them the benefit of attesting to the more lenient Stage 1 requirements again in their third payment year (FY 2013 for hospitals).

The delay is not expected to affect hospitals and EPs who attest to Meaningful Use for their first payment year in 2012. It would also not affect any hospitals or EPs who attested under Medicaid for "Adoption, Implementation and Upgrade" incentive payments for their first payment year in 2011.

CMS is expected to formalize this delay in the proposed rule for Stage 2 which is expected to be released this month or in February. For more information about the Medicare/Medicaid EHR Incentive Programs, visit the CMS EHR Meaningful Use webpage.

Helen Oscislawski Invited to Speak at National HIPAA Summit

helen@oscislaw.com (Helen Oscislawski) — Fri, 06 Jan 2012 06:36:17 -0500

I attend the annual National HIPAA Summit in Washington D.C. every year to keep on top of developments with HIPAA and related topics, and so I was thrilled to find out that one of the Co-Chairs of the ONC Privacy and Security Tiger Team recommended that I be asked to speak on HIPAA and its implications on Health Information Exchange (HIE) at this year's event. The 20th National HIPAA Summit will run from March 26-28th and take place at the Renaissance Hotel in Washington, D.C. You can review the full intenerary here.

I am scheduled to speak on HIPAA and HIE during the afteronnon session of March 27 (Day 2), and will be joining Dr. William R. Braithwaite, MD, PhD (aka "Dr. HIPAA"), Joy Pritts, Esq., the Chief Privacy Officer for the ONC, and Deven McGraw, Esq., Co-Chair of the ONC Privacy and Security Tiger Team, who will be speaking on related topics during this afternoon segment.

The annual HIPAA Summit will provide the most up-to-date information on the status and schedule for publication of the new regulations. Comprehensive presentations by leading regulators from the Centers for Medicare & Medicaid Services, the Office for Civil Rights, and the Office of the National Coordinator for Health Information Technology, provide unique insights. Private sector leaders will add practical advice from their many experiences in implementation. The HIPAA Summit will address privacy and security and data breach changes and challenges and the legal and policy issues implicated, as well as electronic health record adoption issues. It will also cover developments and requirements for transactions and code sets and operating rules about how they are being implemented. It will also include training sessions for HIPAA privacy and security professionals who intend to apply for certification.

see www.hipaasummit.com/overview.html

This is an event not to be missed by anyone who needs to keep on top of the most recent trends and developments in health care information privacy, and security.

To register for the HIPAA Summit, visit www.hipaasummit.com/registration.php

For other events which Attorneys at Oscislawski are participating in, visit our new Upcoming Events page.

Yet Another Class-Action Filed After Breaches of Patient Data

knowik@oscislaw.com (Krystyna Monticello) — Fri, 30 Dec 2011 14:26:22 -0500

In what appears to be the trend in California for 2011, another class-action lawsuit has been filed, this time by patients of the University of California-Los Angeles (UCLA) Health System affected by a data breach in early September of this year. An external hard drive was stolen from the home of a former UCLA physician that contained the EHR data of over 16,000 patients from July 2007 to July 2011. No social security numbers, insurance information or credit/account information was included. Although the hard drive was encrypted, a piece of paper with the password was also missing.

Filed in mid-December, the UCLA class-action seeks as much as $16 million, asking $1,000 for each member as well as attorneys fees and other costs. The underlying data breach is hardly the first headache UCLA has had to dealt with, as UCLA paid a handsome $865,500 fine to OCR and developed a plan of corrective action this summer to settle privacy allegations that three UCLA hospitals improperly disclosed the medical records of celebrity patients as a result of employee snooping.

Several other health care entities in California have also recently had class-action lawsuits filed against them recently. Stanford Hospital and Clinics (SHC) experienced a data breach in August of 2011 when patient information was mistakenly made available online by one of its third-party vendors and its subcontractor. Patient names, admittance and discharge dates, and other information remained available on a commercial website for over one year, affecting approximately 20,000 patients. The class-action lawsuit was filed in October of 2011 and alleges negligence in safeguarding patient information and delays in notifying affected patients.

Sutter Health experienced a data breach in October of 2011 when a rock was thrown into the window of the Sutter Medical Foundation business office. An unencrypted computer was stolen containing names, addresses, birthdates, phone numbers, medical diagnoses and procedures of over 4 million patients. The class-action lawsuit against Sutter Health was filed in late November on behalf of over 900,000 patients, according to KCRA, and seeks certification of class-action status for the 4+ million patients affected.

Notably, HIPAA does not authorize private causes of action for violations of the HIPAA Privacy and Security Rules. The class-action lawsuits were brought under California's confidentiality laws, which, like HIPAA, set forth permissible and prohibited disclosures of patient medical information.

The California Confidentiality of Medical Information Act gives individuals the right to bring a cause of action for negligent releases of their confidential information or records. it also grants compensatory and punitive damages, as well as certain attorney fees, to individuals who have suffered economic loss or personal injury from a violation of their confidentiality. In addition, persons and entities face stiff administrative penalties for violations of patient information up to $2,500 per violation for negligent disclosures and $10,000-$25,000 for subsequent violations.

OIG Releases New Fraud and Abuse Advisory Opinion Involving EHR Data Exchange

knowik@oscislaw.com (Krystyna Monticello) — Fri, 16 Dec 2011 12:43:33 -0500

On December 7, 2011, the Office of the Inspector General (OIG) released an Advisory Opinion regarding a proposed coordination service to facilitate the electronic exchange of data for patient referral purposes. A health IT company requested the opinion to determine whether its proposed services would be subject to OIG sanctions or civil monetary penalties (CMP) under the Anti-kickback Statute (AKS). The AKS makes it a criminal offense to knowingly and willfully offer, pay, solicit or receive any remuneration to induce or reward referrals of items or services which are reimburseable by a Federal health care program.

Three types of services were offered by the health IT company: billing services, electronic health record (EHR) management services, and automated messaging services for communicating with patients. These services could be purchased as a package deal or on a monthly basis for a subscription fee. The Proposed Arrangement, however, would provide a new service that would provide coordination services for referrals and managing patients receiving services from other health care professionals (the "Coordination Service").

Through the Coordination Service, a trading partner could send referrals as well as all necessary medical records in addition to insurance and billing information. The patient information would be accessed and exchanged through an electronic database network. Although purchase of the EHR services offered by the health IT company was required in purchasing the Coordination Services because of the need for all patient medical, demographic and other information contained within to be available for referral purposes, the Proposed Arrangement would offer a discount on a monthly EHR subscription fee of approximately 25-35%. Other transmission, functionality and service fees would be assessed, depending upon the complexity of the services performed and per referral.

Although the Proposed Arrangement did not fit into an AKS Safe Harbor, the OIG determined it would not impose administrative sanctions upon the health IT company if it proceeded with offering the Coordination Services. Although health care professionals were paying fees in connection with the receipt and transmission of referrals, these did not result in enhanced access to a referral stream. Health care professionals also were not required to enter into an agreement with the health IT company or purchase the Coordination Service in order to receive a referral through the network.

In addition, the fees reflected the fair market value of the services provided and were based upon the level of services that were provided, as well as assessed regardless of whether a patient followed through on a referral and actually received the referred services, therefore distinguished from traditional per-click success fees. The Opinion stated that the independent value provided by the services which were actually paid for was unrelated to inducing referrals, and fees charged,

would not vary based on the value of the items or services that a receiving health professional might ultimately provide to Federal health care program beneficiaries.

OIG Advisory Opinions may only be legally relied upon by the party requesting the opinion but can prove useful guidance to other entities in structuring arrangements to comply with the Anti-kickback Statute. You can read the full Advisory Opinion here. CMS also issues Advisory Opinions pursuant to its authority under the Stark physician self-referral laws.

OCR Director Reaffirms Commitment to Strengthening Privacy and Security of EHRs

knowik@oscislaw.com (Krystyna Monticello) — Fri, 16 Dec 2011 11:22:38 -0500

It's no secret that since the days of its enactment, HIPAA enforcement has been lacking on both civil and criminal fronts from the Office of Civil Rights (OCR) and the Department of Justice (DOJ). However, with increased penalties under HITECH and a renewed committment by OCR and DOJ towards cracking down on HIPAA violations, Covered Entities and Business Associates have even more reason now to dot their i's and cross their t's, especially with HIPAA audits kicking off this past November.

As providers and hospitals increasingly adopt and utilize EHR systems as part of the Medicare and Medicaid EHR Incentive Programs, the security of these systems (and authority over the system vendors) becomes a critical focus. The new Director of OCR, Leon Rodriguez, in a recent interview with the Boston Globe said that his office would take a tougher stance on HIPAA with the goal of improving public acceptance of EHRs and that his office was ready to work with EHR providers on security.

Critical to the security of EHRs are the privacy and security responsibilities of Business Associates (and their contractors and subcontractors). Although HITECH imposed certain HIPAA requirements directly on Business Associates, the Business Associate regulations and a model Business Associate Agreement incorporating the new requirements have yet to be released. The Notice of Proposed Rulemaking, however, is expected to be forthcoming "soon", according to Director Rodriguez in a presentation given on November 17 at the ONC Grantee and Stakeholder Summit. In addition, for the time being, the HIPAA Privacy and Security audits will not be conducted directly on Business Associates, but rather, only on those Business Associates connected with a covered entity being audited.

This leaves significant room for confusion in how Business Associates, and in particular, their contractors and subcontractors, will be dealt with by OCR during the course of a HIPAA investigation and who ultimately will be held responsible for a breach of EHR and other patient data. A great example of this can be found in a recent blog by the President and CEO of the Massachusetts eHealth Collaborative, which as a result of a theft of an employee laptop last year experienced a security breach affecting over 14,000 patients.

As Deven McGraw, director of the Health Policy Project at the Center for Democracy and Technology, stated, stronger enforcement of HIPAA is critical to the success of EHRs, noting,

"We're just on the back side of the curve of adoption of more robust security. I'm hoping that in another year, we'll have a little bit of a different picture, but it's not pretty right now."

For a more in-depth look at the issues concerning Business Associates and HIPAA, see the Center for Democracy and Technology's December 15, 2011 post examining the need for clarification in the Business Associate rules. And, in the words of Director Rodriguez, "stay tuned" for these proposed rules to come "soon".

California HIE Demonstration Projects to Move Ahead with Opt-In Framework

knowik@oscislaw.com (Krystyna Monticello) — Fri, 09 Dec 2011 09:21:33 -0500

This past Wednesday, the California Office of Health Information Integrity (CalOHII) released a comprehensive whitepaper examining patient consent and other HIE framework efforts for entities participating in the HIE Demonstration Projects and HIE throughout the state of California. CalOHII is the state entity designated for overseeing HIE in California as well as establishing and administering HIE demonstration projects within the state.

The whitepaper builds upon initial recommendations of the California Privacy and Security Advisory Board (CalPSAB). Although originally CalPSAB had proposed a bifurcated consent policy (i.e., opt-out for treatment, opt-in for other purposes or where sensitive information was contained in the medical record), the Board withdrew this recommendation after public concern regarding cost effective workability of the policy.

Ultimately, CalPSAB recommended an "opt-in" patient consent framework which this whitepaper incorporates, implementing generally an affirmative consent framework for the demonstration projects. The demonstration project participants would be required to use CalOHII approved consent forms and adopt CalOHII recommended privacy and security policies and procedures.

Although adopting a stricter approach, the whitepaper echoes the ONC Tiger Team's emphasis on meaningful patient consent, stating,

...CalOHII believes that the reading of an informing document and the signing of a consent form is the step at the end of a process - the process of education. The education of the patient on the various aspects of the electronic exchange of health information, is to guide the patient in making a meaningful decision in giving or not giving his/her consent.

The whitepaper would permit certain exceptions allowing information to be accessed through an HIE without patient consent, namely for public health reporting and emergency "break the glass" situations. In addition, the HIE demonstration projects are permitted under certain circumstances to request to "Demonstrate Alternative Requirements" (DAR process) in order to present other policies and requirements for implementing patient consent and privacy and security requirements.

The two demonstration projects chosen for 2011 are the Western Health Information Network (WHIN) and the San Diego Beacon eHealth Community. Both demonstration projects are currently set to test the opt-in framework as well as the CalOHII privacy and security policies that are to be developed. The purpose of the demonstration projects is to help evaluate solutions for HIE and to test and develop innovative privacy and security practices. Regulations for the demonstration projects are expected to be finalized shortly.

Federal Government Releases Updated DURSA for NHIN Participants

helen@oscislaw.com (Helen Oscislawski) — Wed, 07 Dec 2011 07:17:14 -0500

An Amended and Restated DURSA dated May 3, 2011 was released November 30, 2011. The DURSA is an acronym for the "Data Use and Reciprocal Support Agreement." It is a comprehensive agreement to govern the exchange of health data through the Nationwide Health Information Network Exchange (NHIN). It is a multi-party single agreement that establishes the rules of engagement and obligations to which all Participants agree and that all Participants sign as a condition of joining the NHIN community. A clean copy of the updated DURSA can be downloaded from the NHIN's Participant "Onboarding" Website, or by clicking here. The Office of National Coordinator (ONC) has also posted a Redline version comparing the most recent May 2011 version of the DURSA against its predecessor (scroll all the way down to the "DURSA" subcategory).

According to a PowerPoint posted by the ONC that summarizes all the changes to the November 2009 version of the DURSA, here are some of the more significant ones that NHIN Participants can expect:

The term “Nationwide Health Information Network” is defined more broadly, and ONC is phasing out its use altogether.
The composition of the Coordinating Committee is being downsized/reduced significantly. ONC indicated that the current composition is not scalable given the rapid growth in the number and type of Participants.
The definition of "Permitted Purposes" has been revised to support varied types of transactions and not preclude legitimate reasons to transact Message Content including treatment, payment, limited healthcare operations with respect to the patient that is the subject of the data being exchanged, public health activities, meaningful use and disclosures based on an authorization from the individual.
Each Participant is required to (i) validate information about its Users prior to issuing the User credentials; (ii) use the credentials to verify the identity of its Users before enabling the User to transact Message Content; and (iii) provide truthful assertions. The November 2009 version did not specifically require Participants to “identity proof” their Users or explicitly require a Participant to submit truthful information in the assertions and statements that accompany a Message. At the time, the DURSA developers assumed that these issues would be addressed in the Specifications, but they were not.
Combines duties of a responder and requestor into duties of a Submitter, and adds that Messages must comply with Applicable Law, the DURSA, Operating P&P, applicable Performance and Service Specifications. Submitter must represent that all assertions or statements related to the submitted Message are true and accurate. Also, it is the responsibility of the Submitter – the one disclosing the data – to make sure that it has met all legal requirements before disclosing the data, including, but not limited to, obtaining any consent or authorization that is required by law applicable to the responding Participant.
Removed 24 notice requirement to Coordinating Committee before suspending a Participant. Recognized that process is onerous. Participant can now be voluntarily suspend from 5-10 days.

The government noted that the process has proven itself inefficient and has impeded the ability to amend [Operating Policies and Procedures, and technical specifications]......

The November 2009 version required 2/3 of non-governmental and 2/3 of governmental Participants to approve all changes to the Operating policies and procedures. The government acknowledged that this process has proven itself inefficient and has impeded the Coordinating Committee’s ability to revise the Operating Policies and Procedures. In the May 2011 version, the process for revising and adopting new Operating Policies & Procedures has been revised. Prior to approving new Operating P&Ps, Coordinating Committee will solicit comments from the Participants. There will be a 30 day objection period once the Coordinating Committee approves new or amended Operating P&P. New or amended Operating P&Ps go into effect unless 1/3 of the Participants object. If 1/3 object, then 2/3 of non-governmental and 2/3 of governmental Participants must approve before the new or amended OP&Ps become effective.
In the Nov 2009 version, approval of new or amended Performance and Service Specifications required the Coordinating Committee to make a determination of “materiality,” which then dictates the Technical Committee’s process of approving the Spec change. The government noted that the process has proven itself inefficient and has impeded the ability to amend the Performance and Service Specifications and adopt new Performance and Service Specifications. With the new May 2011 version of the DURSA, new and amended Performance and Service Specifications will be approved in the same way that new and amended Operating P&Ps are approved.