HIPAA, HITECH & HIT

Highmark Reports Breach of 3700 Customer Records

William Maruca — Fri, 05 Feb 2010 10:04:49 -0500

Chalk this one up to a flimsy envelope. Highmark Blue Cross Blue Shield has reported that approximately 3700 of its customers' personal data was lost as a result of a torn and damaged envelope sent to an employer containing names and social security numbers. The insurer is offering a year's free credit monitoring service to affected individuals. Highmark is also complying with the HITECH Act's breach notification rules, including notifying media, since the breach involved more than 500 people in one state. See Highmark tells customers personal information lost

Lesson: Use stronger envelopes when mailing sensitive data. Sometimes data protection is that simple.

Tennessee Blues' Data Theft May Impact 500,000 Members

William Maruca — Tue, 19 Jan 2010 17:08:39 -0500

With the HITECH breach notification rules weeks away from taking effect, BlueCross BlueShield of Tennessee is scrambling to control the damage from the October 2009 theft of 57 hard drives containing sensitive patient information. In a notice posted on its website as of January 13, 2010, the company stated that hard drives containing audio and video files related to coordination of care and eligibility telephone calls from providers and members were stolen from a former call center, including video images from computer screens of customer service representatives and audio files of recorded phone conversations. The files contained members’ personal data and protected health information, including members’ names and BlueCross ID numbers, diagnostic information, dates of birth and Social Security numbers. This information was encoded but not encrypted, and the company has no evidence that the data has been accessed or used by the thieves.

The company has chosen to voluntarily follow the HITECH notice rules that formally kick in as of February 22, 2010. They estimate that the breach may have affected up to a total of 500,000 members in all 50 states. So far, they have identified approximately 220,000 members whose data may have been compromised and are in the process of sending them notices by mail. They have identified 32 states with 500 or more members whose data may be at risk. The company notified the Secretary of HHS, the State of Tennessee and the attorney general’s office and media in each state with 500 or more affected members, and notified all three credit bureaus.

The company is also offering a one-year free credit-monitoring membership through Equifax to affected members, and three tiers of additional protective services based on the amount of information believed to have been compromised.

The company’s first challenge has been to identify affected members. They have engaged a national security consultant, Kroll, Unlike patient information in text or database format that could be easily reviewed to identify patients at risk (and “mined” for identity theft purposes), the hundreds of thousands of audio and video recordings must be manually reviewed.

HHS Releases Excellent Compendium of Privacy and Security Resources

Helen Oscislawski — Wed, 13 Jan 2010 09:12:19 -0500

The Secretary of Health and Human Services (HHS) released today a compendium of reports on state law, business practices, and policy variations to assist health information exchange efforts. I reviewed some of the documents linked through HHS's e-mail and find it extremely helpful that the government is aggregating resources on its website to be used by all in their HIE and RHIO efforts. The links and summaries of each such report provided through HHS' s e-mail are reprinted here below:

Report on State Medical Record Access Laws This report analyzes state laws that are intended to require health care providers (specifically, medical doctors and hospitals) to afford individuals access to their own health information and to identify potential barriers to the electronic exchange of health information. Specific state law provisions examined: scope of medical records to which patients are afforded access, format of information furnished, deadlines for responding to requests, fees for furnishing copies, record retention laws and access to records of minors.
Report on State Law Requirements for Patient Permission to Disclose Health Information
In Phase I of the HISPC project a majority of participants reported significant variation in the business practices and policies surrounding the need for and process of obtaining patient permission to use and disclose personal health information for a variety of purposes, including for treatment. This report furthers the initial work of this project by collating and analyzing state laws that govern the disclosure of identifiable health information for treatment purposes to identify commonalities and differences.
Releasing Clinical Laboratory Test Results: Report on Survey of State Laws For this report, state statutes and regulations were analyzed to determine to whom clinical laboratories may release test results. This report focused on clinical laboratory and hospital licensing laws (that contain standards for hospital laboratories). It also examined general state medical record access laws to determine whether they provided an avenue for patients to access their clinical laboratory results directly.
Report on State Prescribing Laws: Implications for e-Prescribing This report identifies and analyzes the impact and variation of state laws related to e-prescribing. The report addresses state laws related to the e-prescribing of controlled and non-controlled substances as well as topics such as record keeping and content requirements, out-of-state prescriptions, and generic substitution laws.
Perspectives on Patient Matching: Approaches, Findings, and Challenges This report analyzes various approaches to matching patients to their health information in the context of electronic health information exchange. Current and potential methods for matching patients to their health records are discussed, challenges to performing patient matching such as scalability and ease of use are analyzed, and the types of information some HIOs use to match patients to their health records is described.

Getting Meaningful with EHR

William Maruca — Mon, 04 Jan 2010 16:25:11 -0500

The Health InformationTechnology for Economic and Clinical Health Act or the “HITECH Act” provides incentive payments for adoption and meaningful use of HIT and qualified EHRs. CMS published a proposed rule defining "meaningful use" on December 30. It's 566 double-spaced pages long, and can be found here: http://www.federalregister.gov/OFRUpload/OFRData/2009-31217_PI.pdf.

An eligible physician or other professional (“EP”) or hospital will be deemed to be a meaningful EHR user of technology certified by HHS if the user:

(1) demonstrates use of certified EHR technology in a meaningful manner;

(2) demonstrates to the satisfaction of the Secretary of HHS that certified EHR technology is connected in a manner that provides for the electronic exchange of health information to improve the quality of health care such as promoting care coordination, in accordance with all laws and standards applicable to the exchange of information; and

(3) using its certified EHR technology, submits to the Secretary, in a form and manner specified by the Secretary, information on clinical quality measures and other measures specified by the Secretary.

The measures include:

Implement drug-drug, drug-allergy, drug-formulary checks.
Input at least at least one diagnosis based on ICD-9-CM or SNOMED CTor an indication of none for 80% of all unique patients seen by the EP or admitted to an eligible hospital.
Maintain active medication lists for 80% of patients seen or admitted.
Record demographic info including preferred language; insurance type; gender; race; ethnicity and date of birth for 80% of patients seen or admitted
Record blood pressure and BMI and plot the growth chart for children age 2 to 20 years old for 805 of patients seen or admitted;
Record smoking status of 80% of patients age 13 or over;
Generate lists of patients by specific conditions to use for quality improvement, reduction of disparities, research and outreach.
Implement five clinical decision support rules relevant to the relevant to specialty or high clinical priority, including for diagnostic test ordering, along with the ability to track compliance with those rules.
Check insurance eligibility electronically for 80% of patients
Submit 80% of claims electronically
Provide summary of care record for at least 80% of transitions of care and referrals
Use computerized provider order entry (CPOE) for 80% of orders.
Transmit at least 75 percent of all permissible prescriptions electronically.
Report clinical quality measures as required by HHS.
Send electronic reminders to at least 50 percent of all unique patients seen by the EP that are 50 years of age and over.
Provide requested electronic copies of patients’ health information within 48 hours of patient requests in 80% of cases.
Provide patients with timely electronic access to their health information (including diagnostic test results, problem list, medication lists, and allergies) within 96 hours of the information being available to the EP for at least 10 percent of all unique patients seen by the EP.
Provide clinical summaries to patients for each office visit for at least 80 percent of all office visits.

Incentive Payments for Hospital-Based Physicians under HITECH

Elizabeth Litten — Mon, 14 Dec 2009 16:41:44 -0500

The devil is in the definition, as least when it comes to getting financial incentive payments for the adoption of electronic health records (EHR). The American Hospital Association (AHA) recently asked the White House Office of Health Reform, the Department of Health and Human Services, and the Centers for Medicare & Medicaid Services to revise the definition of "hospital-based" so that physicians working in hospital outpatient clinics or hospital-based facilities can receive incentive payments from Medicare and Medicaid under the American Reinvestment and Recovery Act (ARRA).

In many ways, AHA's request makes sense. If ARRA is to incentivize "meaningful use" of EHR, it should not exclude physician users practicing in off-site clinic or outpatient locations -- these are often the very physicians whose implementation and use of EHR is key to the creation of a community-wide EHR infrastructure. In other ways, though, AHA's request is a vexing reminder of the mental contortions required to maintain the old meanings and purposes of terms while introducing new ones.

Whether an outpatient or "provider-based" clinic qualifies as part of the hospital for reimbursement purposes varies from state to state and from payer to payer. AHA's request to expand the definition for purposes of ARRA incentive payments seems to make sense from an EHR-policy implementation perspective, but folding in yet another "hospital-based" definition for ARRA purposes challenges the conceptual integrity of the word -- and starts to make my head spin.

The AHA letter is available at http://www.aha.org/aha/letter/2009/091204-let-hit-arra.pdf.

Answers to Burning EHR Questions

Helen Oscislawski — Fri, 04 Dec 2009 09:32:40 -0500

Do you have questions about selecting, implementing and using an Electronic Health Record (EHR), including:

What do you need to consider when selecting an EHR?
What is "meaningful use" and how can you qualify for ARRA incentive payments?
What are the steps and secrets to successful EHR implementation?
What in are some of the legal issues you need to consider before and after adopting an EHR?
What are the new privacy and security requirements that apply to EHRs?

Join us as Stevie Davidson, Dr. Jack Cappittelli and Helen Oscislawski discuss the answers to these questions and more, as well as offer practical advice based on their personal experience with EHRs.

When: Thursday, December 10, 2009

Time: 12:00-1:30 pm (lunch will be served)

Where: Fox Rothschild LLP
Princeton Pike Corporate Center
997 Lenox Drive, Building 3
Lawrenceville, NJ
Board Room

To register, visit our registration page.

16 Houston Hospital Employees Fired for Snooping

William Maruca — Wed, 02 Dec 2009 11:58:08 -0500

Harris County Hospital District, a Houston area health system, has fired 16 employees for HIPAA violations, according to the Houston Chronicle. The employees reportedly accessed the records of a first-year resident being trained at one of the District's hospitals, following the resident's admission for treatment of injuries she suffered in a shooting incdent in a supermarket parking lot.

HIPAA requires a covered entity to adopt and apply "appropriate sanctions" against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity or the HIPAA privacy rule. The department of Health and Human Services stated in the preamble to the rule that the type of sanction applied would vary depending on factors such as the severity of the violation, whether the violation was intentional or unintentional, and whether the violation indicated a pattern or practice of improper use or disclosure of protected health information. Sanctions could range from a warning to termination.

The Harris County Hospital District may have elected to terminate the employees to send a strong message that "snooping" in records, even where a co-worker is the patient, will not be tolerated for any reason.

Certifying EHRs for "Meaningful Use"

Helen Oscislawski — Fri, 06 Nov 2009 23:43:29 -0500

On November 2, 2009, the Texas-based Drummond Group Inc. announced in a Press Release that it will submit to become a certifying body upon the release of the Office of the National Coordinator for Health Information Technology (ONC) requirements for certifying bodies for Electronic Health Records (EHR). ONC is currently working on the scope and definition of "meaningful use" for EHR, expected to be finalized in early 2010. Along with these new policies on meaningful use of EHRs, ONC announced plans to expand the number of EHR certification agencies to support the new initiative.

Currently, the only approved EHR certification agency, since 2004, is the Certification Commission for Health Information Technology (CCHIT).

HITECH Workshop for Camden-area Hospitals

Helen Oscislawski — Fri, 06 Nov 2009 08:30:45 -0500

Friday, November 20, 2009

Virtua Center for Learning
Classroom A
1200 Howard Blvd.
Mt. Laurel, NJ

Covered entities will be required to make notifications of certain HITECH security breaches to the affected individuals, newspaper and media outlets in the state as well as the U.S. Secretary of Health & Human Services. Penalties will be assessed starting February 2010. Learn how to protect your hospital by putting a plan into action today! The workshop will cover:

Breach notification and requirements for business associates
Implementation plan for compliance
Case scenarios of how the requirements can impact hospital operations, including what steps can be taken to prevent or mitigate risk

You can prevent your hospital from falling behind the trend toward health information exchange. Learn what you need to do to be compliant with this new regulatory requirement. This session is specifically designed for CIOs and compliance, security and privacy officers as well as in-house legal counsel.

For more information on how to register, visit our registration page.

HHS Issues Interim Final Rule to Implement the HITECH Act's Strengthened Civil Money Penalty Scheme

Patricia McManus — Thu, 05 Nov 2009 16:19:29 -0500

On October 30, 2009, the Secretary of the HHS adopted an Interim Final Rule amending HIPAA’s enforcement regulations relating to the imposition of civil monetary penalties (“CMP”). Most significantly, the Interim Final Rule distinguishes between violations occurring before February 18, 2009 and violations occurring on or after that date with regard to the penalty amount and available affirmative defenses. For violations occurring prior to February 18, 2009, the range of CMP amounts will not change (i.e., maximum penalty amount for each violation is not more than $100 and maximum penalty amount for all violations of an identical requirement or prohibition during a calendar year is not to exceed $25,000). The amendments focus on a Covered Entity’s culpability, and provide the following categories of violations and penalties per violation:

Category 1 - Covered Entity did not know of the violation and would not have known through the exercise of reasonable diligence (each violation: $100-$50,000);
Category 2 - Violation was due to a reasonable cause (each violation: $1,000 to $ 50,000);
Category 3 - Covered Entity demonstrated willful neglect but corrected the violation ($10,000 to $50,000); and
Category 4 - Covered Entity demonstrated willful neglect and did not correct the violation ($50,000).

HHS will not impose the maximum penalty in all cases, but rather, will base the penalty on the nature and extent of the violation and resulting harm, as well as other factors including the Covered Entity’s compliance history and financial condition. Regarding affirmative defenses, on or after February 18, 2009, a Covered Entity may not assert an affirmative defense that it did not know and reasonably should not have known of a violation unless it also corrects the violation during the 30-day period beginning on the first date it learned of the violation or during another period of time determined by HHS (except in the case of violations due to willful neglect—uncorrected category, which are ineligible for an extension of the 30-day period and for which a timely correction cannot serve as an affirmative defense).

The Interim Final Rule specifies that HHS may continue to provide waivers for violations due to reasonable cause and not willful neglect if the violations are timely corrected. Finally, the amendments relocate the terms “reasonable cause”, “reasonable diligence”, and “willful neglect” to signal the terms’ applicability to the entire subpart D, and require HHS to identify the applicable violation category upon which a proposed penalty is based.

HHS invited public comments on: (1) the calculation of the start of the 30-day cure period for purposes of determining the penalty tier for a violation due to willful neglect; (2) whether the reorganization of the definitions of “reasonable cause”, “reasonable diligence”, and “willful neglect” will lead to any unintended consequences; and (3) HHS’ interpretation of certain ambiguous language. Comments are due by December 29, 2009.

Does Oklahoma's New Abortion Law Violate HIPAA?

Patricia McManus — Mon, 02 Nov 2009 11:45:09 -0500

On November 1, 2009, the "Statistical Reporting of Abortion Law" was scheduled to go into effect in Oklahoma. A temporary restraining order issued on October 20, 2009, however, has blocked enforcement of the law until at least December 4, 2009.* (Davis v. Edmondson, Okla. Dist. Ct. No. CJ-2009-9154). The Statistical Reporting of Abortion Law is just one aspect of a broad and controversial abortion law, which also bans abortions on the basis of "sex of the unborn child." The Statistical Reporting of Abortion Law requires doctors to obtain detailed information from patients seeking abortions that will then be posted publicly through the Oklahoma Department of Health's web site. Some of the required information includes:

Date of abortion
County in which abortion performed
Age of mother
Marital status of mother (married, divorced, separated, widowed, or never married)
Race of mother
Years of education of mother (specify highest year completed)
State or foreign country of residence of mother
Total number of previous pregnancies of the mother
Total number of live births, miscarriages, induced abortions
Whether the woman is employed by the State of Oklahoma

The ostensible purpose of the Statistical Reporting of Abortion Law is to collect data about abortions to inform lawmakers about abortion practices in the State. The Davis lawsuit alleges the law violates Oklahoma's constitution (for reasons unrelated to privacy concerns), but others have expressed concerns that the law violates the spirit, and perhaps the actual provisions, of HIPAA. Some commentators have noted that the information could be used to identify women who have obtained abortions, particularly when they live in small towns. Under HIPAA, "de-identified" protected health information ("PHI") may be used or disclosed for various purposes, including research. De-identified PHI (that is, information that is stripped of details that would identify the patient, such as name, street address, city, county, etc.) can be used or disclosed without restriction, however, HIPAA requires that entities have no actual knowledge that the remaining information could be used alone or in combination with other information to identify an individual. Opponents of the law's reporting provisions believe that under certain circumstances women can be identified based on the information requested, resulting in a violation of HIPAA. More to come as the lawsuit continues.

* Correction: An earlier version of the blog post stated that the law went into effect on November 1, 2009.

Oh Where, Oh Where Will the Red Flag End Up (or Down)?

Helen Oscislawski — Sat, 31 Oct 2009 10:02:43 -0500

I had an inkling this was going to happen – and, as suspected, the FTC has (yet again) delayed the enforcement deadline date for the health care industry, with the latest deadline date being pushed all the way to June 1, 2010. Without a doubt, recent developments over the last several weeks have helped spur this latest bump.

For instance, on August 27, 2009 the American Bar Association (ABA) filed a lawsuit against the FTC to bar the FTC’s enforcement of the Red Flags Rule against lawyers on November 1, 2009. That challenge proved successful when Judge Walton for the U.S. District Court for the District of Columbia granted the 400,000 member ABA Summary Judgment on October 29, 2009.

On October 8, 2009, Rep. John Adler (D-New Jersey) introduced H.R. 3763 specifically to exclude health care providers, accountants, and legal practices with 20 or fewer employees from having to comply with the Red Flags Rule. On October 20, 2009, that legislation passed in the House, and is referred to and being considered by the Senate.

What does all the foregoing mean for the health care industry? For one, doctors, hospitals, and other health care providers that qualify as “creditors” under the Red Flags Rule have more time to get their Identity Theft Prevention Program developed and adopted. Second, health care providers with 20 or fewer employees, such as smaller physician practices, will want to keep their eye on H.R. 3763 to see if its enactment will exempt them from having to comply with the Red Flags Rule all together. Finally, watch out for other industry groups that may now, in light of the ABA’s successful action, potentially consider filing similar actions to set aside the FTC’s regulation of their members; however, it is not clear whether such similar actions would be as successful as the ABA in light of the fact that Medical Identity Theft is a documented and real issue in the healthcare industry.

Covered Entity Liability for Business Associate Ignorance of Breach under HITECH -- Really?

Elizabeth Litten — Fri, 23 Oct 2009 11:39:23 -0500

For covered entities (CEs) who have tight privacy and security measures in place, the breach notification requirements under HITECH (amending HIPAA) might not seem especially onerous. But what about breaches the CE doesn't know about? What if the CE's business associate (BA) fails to report a breach of unsecured health information? What if the BA doesn't even know about the breach?

The Interim Final Rule published by the Office of Civil Rights (OCR), Department of Health and Human Services (HHS) on August 24, 2009 confirms what others doubted when I raised the paranoid-sounding possibility: "yes, a CE must meet the breach notification requirements and timeline, even when the CE is not responsible for, and does not even know about, a breach." The Interim Final Rule explains that the Secretary of HHS will "attribute knowledge of a breach by a workforce member or other agent (other than the person committing the breach), which may include certain business associates, to the covered entity itself."

The date a breach is discovered is extremely important (triggering the 60-day notice requirement). The fact that a CE has no actual knowledge of a BA's breach, and might not even know whether the BA is exercising diligence in detecting possible breaches, will not protect the CE from liability for failing to find out about and provide required notice of the breach. The clock starts running when the BA knew, or should have known, about the breach. According to OCR, "covered entities should ensure their workforce members and other agents [such as BAs, depending on whether they count as "agents" under federal common laws of agency] are adequately trained and aware of the importance of timely reporting of privacy and security incidents and the consequences of failing to do so."

Governance Considerations from HIT for the Board and Other Hospital Stakeholders - The Need for an IT Champion to Serve as a Link between IT Personnel and Other Stakeholders - Installment 7

Michael Kline — Thu, 22 Oct 2009 16:45:52 -0500

This is the seventh installment in a series of blog posts that relate to the governance concerns surrounding developments in HIPAA, HITECH and HIT.

For a number of months this series has been emphasizing the importance of establishing a credible and knowledgeable liaison at the governing body and/or senior administrative level to articulate and educate the diverse stakeholders about the new challenges and initiatives in HIPAA and HIT. The liaison should be a champion and advocate for a rational and comprehensive approach for HIT.

The increasing complexities and costs of new IT systems and the need to demonstrate their “meaningful use” has greatly raised the stakes in this area for hospitals. Errors or false starts in HIT and the financial consequences of HIPAA violations under HITECH can be materially injurious to the organization’s finances, public image, internal stability and quality of patient care. It can also cause the loss of potential subsidies from HITECH.

Often the IT leader at a hospital does not have sufficient standing or skills set to serve as the champion. It was not the principal reason that he or she was hired. In such a case the governing boards should recruit either a knowledgeable board member or a senior staff person to serve this function.

The article on October 20, 2009 by Molly Merrill, Associate Editor of Healthcare IT News, adds further confirmation of the need for a qualified IT champion.

Ms. Merrill wrote that a new survey, conducted by Ponemon Institute and sponsored by San Jose, California-based LogLogic, shows that IT practitioners believe their organizations are lacking when it comes to protecting patient information. Moreover, Ms. Merrill continues, “[a]ccording to the study, 61 percent of [IT] practitioners believe their organizations don't have enough resources to meet privacy and data security requirements – and 70 percent think senior management doesn't consider it a priority.”

Ms. Merrill quotes the survey as concluding the following:

Without resources and support from senior management, preventing the loss of data may be very difficult. We recommend that organizations pursue a strategy of assigning accountability for the protection of electronic health information, appropriate technology to prevent the insider threat (such as DLP [data loss protection] solutions) and senior management buy-in for the necessary resources to get the job done right. [Emphasis supplied]

This survey underscores the frustrations and challenges that are present for the majority of IT leaders at hospitals. They may lack the standing within the organization to make a meaningful impact on senior management and the governing boards. Even if they hold a high level position within the organizations and are highly proficient in their jobs, they may lack be sufficient champions to interpret their complex world to their senior management and governing boards. It is incumbent on these organizations to identify a champion who possesses the skills to absorb and interpret the complex IT world for stakeholders who have limited knowledge of the subject.

[To be continued in Installment 8]

Let the Breach Notifications Begin! . . . (in 30 days, or so)

Helen Oscislawski — Wed, 19 Aug 2009 16:55:16 -0500

The U.S. Department of Health and Human Services (HHS) announced today in a News Release that it has issued new regulations requiring health care providers, health plans, and other entities (e.g., now also Business Associates) covered by the Health Insurance Portability and Accountability Act (HIPAA), to notify individuals, and in some instances the media and HHS, in the event of a "security breach" of "unsecured" protected health information (PHI). Yesterday, the FTC also issued a Press Release that it finalized its final rule on security breach notification, which will apply to vendors of personal health records. Both HHS' and FTC's “breach notification” regulations implement provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Both sets of regulations are effective 30 days after publication in the Federal Register (which has not occurred just yet), but the HHS press release indicates that its rule will includes a 60-day public comment period. However, the HITECH Act specifies that compliance with breach notification requirements set forth in the HITECH Act (e.g., Sections 13401-13402) go into effect with respect to breaches that are discovered on or 30 days after the date upon which the publication of the interim final rules. Therefore, those required to comply with such provisions in the HITECH Act should be prepared to comply with the HITECH Act's security breach notification requirements by some time towards the end of September.

Click here to link to a copy of the HHS' Interim Final Breach Notification Rule.

Distressed Hospital Survival Through HIT?

Michael Kline — Mon, 10 Aug 2009 14:47:03 -0500

[Installment 6 - Governance Considerations from HIT for the Board and Other Hospital Stakeholders]

On August 4, 2009 the Associated Press reported at http://www.usatoday.com/news/health/2009-08-04-electronic-medical-records_N.htm that Sac-Osage Hospital, a 47-bed hospital in rural western Missouri, “is borrowing nearly $1 million to pitch its paper medical charts and purchase a state-of-the-art electronic health records [EHR] system. The hospital is hinging its survival on what it hopes will be a $3 million windfall of federal incentives for hospitals that go digital.”

This survival strategy for Sac-Osage Hospital is hazardous because there is an inherent risk in the hoped-for windfall in 2011 under the economic stimulus law. As the AP report goes on to states: “The risk lies in the federal government's ultimate definition of what constitutes a ‘meaningful use’ of electronic records.”

As I reported in my fifth blog post on July 28, 2009, health providers will have to meet minimum prescribed standards (the meaningful use) for their EHRs if they are to benefit in the future from the federal economic stimulus package under the HITECH Act to recoup a portion of the heavy costs that they will incur to implement their EHRs programs.

The bet that Sac-Osage Hospital says it is making by borrowing to invest in EHRs is the highest - the very survival of the hospital. Its Board and Administration have clearly made the determination that other possible alternatives for capital financing and investment by the hospital will not have the monetary potential return of the HITECH windfall. It is somewhat sobering that Sac-Osage Hospital bases its financial survival plan not on more effective delivery of healthcare or new treatment modalities but on digitalization of its health records. However, a positive by-product of EHRs and the demonstration of “meaningful use” that will be needed to realize the fruits from HITECH of an investment in EHRs presumably will be fewer medical errors, a more efficient healthcare delivery system and a higher quality of care.

Unfortunately for Sac-Osage Hospital and other health providers seeking to benefit from the HITECH windfall, the landscape for qualification could change markedly over the next two years. As technology evolves, the expectations as to what constitutes meaningfully use may rise. Sac-Osage Hospital and other small rural hospitals will also be competing for a share of HITECH money with larger and more well-financed institutions that are much further advanced with EHRs.

Other challenges can come not just from the crystallization of “meaningful use” but also the enactment of the health reform package that is looming ahead. The package itself may directly or indirectly affect how EHRs are to be generated and used, thereby impacting programs for implementing HIT.

Hopefully, the substantial majority of hospitals are not in a mode that their survival depends on the stimulus money from implementing EHRs. However, the Boards of health care providers cannot afford false starts and mistakes if they are to meet the meaningful use standards of the HITECH Act on a timely basis. These matters must be appropriately analyzed and monitored continuously at a high level in the hospital, with committed Board oversight.

[To be continued in Installment 7]

"In The Event That I Can No Longer Make Decisions For Myself, I Wish ..." - Storing Advanced Directives on GoogleHealth

Helen Oscislawski — Wed, 05 Aug 2009 10:33:10 -0500

Google Health and National Hospice and Palliative Care Organization's Caring Connections have partnered to allow patients to store and access their advance directives on line. Advance directives are essentially "directions" that a person gives to their medical professionals about what interventions they wish to have provided or withheld under specific circumstances -- especially in emergencies and at "end-of-life" moments -- when such person can not express those wishes himself or herself. Advance directives laws vary from state-to-state, but typically require such directives to be in writing, signed and to have a personal representative listed.

GoogleHealth and Caring Connections will offer a "living will" feature that allows users to download a free state-specific advance directive and store completed and signed scanned documents securely on line in their GoogleHealth account. By "storing" such advanced directives in GoogleHealth's centralized repository, the hope is to offer providers with a better method to insure that a patient's true wishes with regard to health care interventions are honored. But, will it?

What had me wondering is how exactly will the provider access the advanced directive on Google Health without the individual (who presumably has lost his or her ability to communicate) providing his or her password? I suppose that in instances where a personal representative has been appointed, the individual could make sure to provide such password to his/her personal representative -- but watch out, because if the personal representative changes, then the password may need to change too. Another option may be for individuals to pre-authorize their entrusted health care provider with access to their personal Google Health account. Yet, this also has problems where one does not necessarily know which emergency room provider might end up providing them with care.

Nevertheless, even with its limitations, Google Health's new advanced directive feature will likely be beneficial in many circumstances. To learn more about GoogleHealth and Caring Connection's new advance directive feature, click here.

HITECH Help Is On the Way! August 19, 2009

Helen Oscislawski — Fri, 31 Jul 2009 17:19:01 -0500

Do you need help understanding what to do in light of HITECH's privacy and security changes to HIPAA? Are you concerned about HITECH's increased penalties for HIPAA violations? Are you struggling to understand what needs to be done under the New Jersey Security Breach Notification Act, and how these state requirements reconcile with the HITECH breach notification requirements?

Join me on Wednesday, August 19, 2009 at 12:00 p.m. for a Webinar offered through the Medical Society of New Jersey called the "Privacy and Security Law Update" where I will cover the HITECH Act and how it changes HIPAA, required and recomended amendments to Business Associate Agreements, security breach notification obligations under HITECH and the New Jersey Identity Theft Prevention Act, the Red Flags Rule, and more.

To register, visit MSNJ’s web site and click on the Events Registration link. Please note that non-MSNJ members who wish to register for the webinar must first create an "new user" account with MSNJ and establish a password to be able to register for the webinar. To create a new user account, visit MSNJ's Events Detail page by clicking here.

Should Health Care Providers Bother with Red Flags?

Helen Oscislawski — Thu, 30 Jul 2009 16:29:37 -0500

Yesterday, the Federal Trade Commission (FTC) announced in a News Release that it will further delay enforcement (yet again!) of the "Red Flags" Rule until November 1, 2009. The News Release states that the purpose of the delay is to give the FTC additional time to redouble its efforts to educate and assist small businesses and other entities about compliance with the Rule and ease compliance by providing additional resources and guidance to clarify whether businesses are covered by the Rule and what they must do to comply. Interestingly, last week, Law 360 reported that the American Bar Association (ABA) was reeling from the prospect that attorneys could be considered "creditors" subject to the Red Flags Rule, and was not ruling out the possibility of suing the FTC if steps were not taken to exempt lawyers from enforcement. If the ABA were to go down that route, others could follow suit (excuse the pun).

So, in light of all this continuing debate, many in the health care industry are ready to wave the "white flag" with regard to Red Flags . . . but should they?

In my view, the question of whether or not the FTC has appropriate jurisdiction to enforce health care providers' compliance with the Red Flags Rule is somewhat of a secondary issue, albeit an important one. The fact of the matter is, studies demonstrate that medical identity theft is a real, growing and dangerous problem in health care. In light of this, I think health care providers should want to take steps to minimize this risk, and implementing the items outlined in the Red Flags Rule is one way to accomplish this.

The scope of an Identity Theft Prevention Program can be scaled to the risk and size of the particular health care provider, so that the burden of developing and implementing such a program should match the size and complexity of the particular health care provider -- and, thus, should be manageable, both from an administrative and financial standpoint. On the other hand, a victim of medical identity theft can have their safety, well being and even life jeopardized. The Red Flag Rules should be viewed, then, as one way to help protect patients from this growing problem.

To get those red flags waving, click here to watch this great news video segment about how patients can be affected by medical identity theft.

HIPAA Paranoia Strikes Deep Among Healthcare Providers

William Maruca — Wed, 29 Jul 2009 08:57:29 -0500

Hospitals, physician practices and other healthcare providers continue to misunderstand patients’ rights to their own records years after HIPAA’s privacy rule took effect. The Los Angeles Times reported on July 27 that the California Medical Board receives many complaints from patients about trouble accessing medical records from doctors:

Candis Cohen, a spokeswoman for the board, says physicians and their office staffs frequently confuse details of the HIPAA privacy law and, even with the best intentions of protecting patients' privacy rights and complying with the law, deny consumers access to their medical records.

Among the common disputes are whether covered entities are allowed to charge patients retrieval fees for copies of their own records. HIPAA strictly limits charges associated with providing patients access to their records to "a reasonable, cost-based fee" for copying, postage and any time spent on preparing a summary explanation (as applicable). Thus, in instances where state laws allow providers to charge the patient other record-retrieval fees, such as costs associated with retrieving records for insurance companies, lawyers and other non-patients, providers may not be permitted to pass along these costs to their patients due to HIPAA, despite any such permissive state law. Also, some providers erroneously believe that they are not allowed to fax or email medical records to a patient, even at the patient’s request.

For some providers, confusion over the rules and unreasonable fear of penalties under HIPAA and state privacy laws has resulted in reluctance to release medical records to the people HIPAA was designed to protect: the patients themselves. I personally experienced this type of resistance shortly after the Privacy Rule became effective in 2003, when confusion was more understandable. By 2009, you’d think covered entities would have a better grasp on their rights and duties, but misunderstandings persist.