HIPAA, HITECH & HIT

Certifying EHRs for "Meaningful Use"

hoscislawski@foxrothschild.com (Helen Oscislawski) — Fri, 06 Nov 2009 23:43:29 -0500

On November 2, 2009, the Texas-based Drummond Group Inc. announced in a Press Release that it will submit to become a certifying body upon the release of the Office of the National Coordinator for Health Information Technology (ONC) requirements for certifying bodies for Electronic Health Records (EHR). ONC is currently working on the scope and definition of "meaningful use" for EHR, expected to be finalized in early 2010. Along with these new policies on meaningful use of EHRs, ONC announced plans to expand the number of EHR certification agencies to support the new initiative.

Currently, the only approved EHR certification agency, since 2004, is the Certification Commission for Health Information Technology (CCHIT).

HITECH Workshop for Camden-area Hospitals

hoscislawski@foxrothschild.com (Helen Oscislawski) — Fri, 06 Nov 2009 08:30:45 -0500

Friday, November 20, 2009

Virtua Center for Learning
Classroom A
1200 Howard Blvd.
Mt. Laurel, NJ

Covered entities will be required to make notifications of certain HITECH security breaches to the affected individuals, newspaper and media outlets in the state as well as the U.S. Secretary of Health & Human Services. Penalties will be assessed starting February 2010. Learn how to protect your hospital by putting a plan into action today! The workshop will cover:

Breach notification and requirements for business associates
Implementation plan for compliance
Case scenarios of how the requirements can impact hospital operations, including what steps can be taken to prevent or mitigate risk

You can prevent your hospital from falling behind the trend toward health information exchange. Learn what you need to do to be compliant with this new regulatory requirement. This session is specifically designed for CIOs and compliance, security and privacy officers as well as in-house legal counsel.

For more information on how to register, visit our registration page.

HHS Issues Interim Final Rule to Implement the HITECH Act's Strengthened Civil Money Penalty Scheme

pmcmanus@foxrothschild.com (Patricia McManus) — Thu, 05 Nov 2009 16:19:29 -0500

On October 30, 2009, the Secretary of the HHS adopted an Interim Final Rule amending HIPAA’s enforcement regulations relating to the imposition of civil monetary penalties (“CMP”). Most significantly, the Interim Final Rule distinguishes between violations occurring before February 18, 2009 and violations occurring on or after that date with regard to the penalty amount and available affirmative defenses. For violations occurring prior to February 18, 2009, the range of CMP amounts will not change (i.e., maximum penalty amount for each violation is not more than $100 and maximum penalty amount for all violations of an identical requirement or prohibition during a calendar year is not to exceed $25,000). The amendments focus on a Covered Entity’s culpability, and provide the following categories of violations and penalties per violation:

Category 1 - Covered Entity did not know of the violation and would not have known through the exercise of reasonable diligence (each violation: $100-$50,000);
Category 2 - Violation was due to a reasonable cause (each violation: $1,000 to $ 50,000);
Category 3 - Covered Entity demonstrated willful neglect but corrected the violation ($10,000 to $50,000); and
Category 4 - Covered Entity demonstrated willful neglect and did not correct the violation ($50,000).

HHS will not impose the maximum penalty in all cases, but rather, will base the penalty on the nature and extent of the violation and resulting harm, as well as other factors including the Covered Entity’s compliance history and financial condition. Regarding affirmative defenses, on or after February 18, 2009, a Covered Entity may not assert an affirmative defense that it did not know and reasonably should not have known of a violation unless it also corrects the violation during the 30-day period beginning on the first date it learned of the violation or during another period of time determined by HHS (except in the case of violations due to willful neglect—uncorrected category, which are ineligible for an extension of the 30-day period and for which a timely correction cannot serve as an affirmative defense).

The Interim Final Rule specifies that HHS may continue to provide waivers for violations due to reasonable cause and not willful neglect if the violations are timely corrected. Finally, the amendments relocate the terms “reasonable cause”, “reasonable diligence”, and “willful neglect” to signal the terms’ applicability to the entire subpart D, and require HHS to identify the applicable violation category upon which a proposed penalty is based.

HHS invited public comments on: (1) the calculation of the start of the 30-day cure period for purposes of determining the penalty tier for a violation due to willful neglect; (2) whether the reorganization of the definitions of “reasonable cause”, “reasonable diligence”, and “willful neglect” will lead to any unintended consequences; and (3) HHS’ interpretation of certain ambiguous language. Comments are due by December 29, 2009.

Does Oklahoma's New Abortion Law Violate HIPAA?

pmcmanus@foxrothschild.com (Patricia McManus) — Mon, 02 Nov 2009 11:45:09 -0500

On November 1, 2009, the "Statistical Reporting of Abortion Law" was scheduled to go into effect in Oklahoma. A temporary restraining order issued on October 20, 2009, however, has blocked enforcement of the law until at least December 4, 2009.* (Davis v. Edmondson, Okla. Dist. Ct. No. CJ-2009-9154). The Statistical Reporting of Abortion Law is just one aspect of a broad and controversial abortion law, which also bans abortions on the basis of "sex of the unborn child." The Statistical Reporting of Abortion Law requires doctors to obtain detailed information from patients seeking abortions that will then be posted publicly through the Oklahoma Department of Health's web site. Some of the required information includes:

Date of abortion
County in which abortion performed
Age of mother
Marital status of mother (married, divorced, separated, widowed, or never married)
Race of mother
Years of education of mother (specify highest year completed)
State or foreign country of residence of mother
Total number of previous pregnancies of the mother
Total number of live births, miscarriages, induced abortions
Whether the woman is employed by the State of Oklahoma

The ostensible purpose of the Statistical Reporting of Abortion Law is to collect data about abortions to inform lawmakers about abortion practices in the State. The Davis lawsuit alleges the law violates Oklahoma's constitution (for reasons unrelated to privacy concerns), but others have expressed concerns that the law violates the spirit, and perhaps the actual provisions, of HIPAA. Some commentators have noted that the information could be used to identify women who have obtained abortions, particularly when they live in small towns. Under HIPAA, "de-identified" protected health information ("PHI") may be used or disclosed for various purposes, including research. De-identified PHI (that is, information that is stripped of details that would identify the patient, such as name, street address, city, county, etc.) can be used or disclosed without restriction, however, HIPAA requires that entities have no actual knowledge that the remaining information could be used alone or in combination with other information to identify an individual. Opponents of the law's reporting provisions believe that under certain circumstances women can be identified based on the information requested, resulting in a violation of HIPAA. More to come as the lawsuit continues.

* Correction: An earlier version of the blog post stated that the law went into effect on November 1, 2009.

Oh Where, Oh Where Will the Red Flag End Up (or Down)?

hoscislawski@foxrothschild.com (Helen Oscislawski) — Sat, 31 Oct 2009 10:02:43 -0500

I had an inkling this was going to happen – and, as suspected, the FTC has (yet again) delayed the enforcement deadline date for the health care industry, with the latest deadline date being pushed all the way to June 1, 2010. Without a doubt, recent developments over the last several weeks have helped spur this latest bump.

For instance, on August 27, 2009 the American Bar Association (ABA) filed a lawsuit against the FTC to bar the FTC’s enforcement of the Red Flags Rule against lawyers on November 1, 2009. That challenge proved successful when Judge Walton for the U.S. District Court for the District of Columbia granted the 400,000 member ABA Summary Judgment on October 29, 2009.

On October 8, 2009, Rep. John Adler (D-New Jersey) introduced H.R. 3763 specifically to exclude health care providers, accountants, and legal practices with 20 or fewer employees from having to comply with the Red Flags Rule. On October 20, 2009, that legislation passed in the House, and is referred to and being considered by the Senate.

What does all the foregoing mean for the health care industry? For one, doctors, hospitals, and other health care providers that qualify as “creditors” under the Red Flags Rule have more time to get their Identity Theft Prevention Program developed and adopted. Second, health care providers with 20 or fewer employees, such as smaller physician practices, will want to keep their eye on H.R. 3763 to see if its enactment will exempt them from having to comply with the Red Flags Rule all together. Finally, watch out for other industry groups that may now, in light of the ABA’s successful action, potentially consider filing similar actions to set aside the FTC’s regulation of their members; however, it is not clear whether such similar actions would be as successful as the ABA in light of the fact that Medical Identity Theft is a documented and real issue in the healthcare industry.

Covered Entity Liability for Business Associate Ignorance of Breach under HITECH -- Really?

elitten@foxrothschild.com (Elizabeth Litten) — Fri, 23 Oct 2009 11:39:23 -0500

For covered entities (CEs) who have tight privacy and security measures in place, the breach notification requirements under HITECH (amending HIPAA) might not seem especially onerous. But what about breaches the CE doesn't know about? What if the CE's business associate (BA) fails to report a breach of unsecured health information? What if the BA doesn't even know about the breach?

The Interim Final Rule published by the Office of Civil Rights (OCR), Department of Health and Human Services (HHS) on August 24, 2009 confirms what others doubted when I raised the paranoid-sounding possibility: "yes, a CE must meet the breach notification requirements and timeline, even when the CE is not responsible for, and does not even know about, a breach." The Interim Final Rule explains that the Secretary of HHS will "attribute knowledge of a breach by a workforce member or other agent (other than the person committing the breach), which may include certain business associates, to the covered entity itself."

The date a breach is discovered is extremely important (triggering the 60-day notice requirement). The fact that a CE has no actual knowledge of a BA's breach, and might not even know whether the BA is exercising diligence in detecting possible breaches, will not protect the CE from liability for failing to find out about and provide required notice of the breach. The clock starts running when the BA knew, or should have known, about the breach. According to OCR, "covered entities should ensure their workforce members and other agents [such as BAs, depending on whether they count as "agents" under federal common laws of agency] are adequately trained and aware of the importance of timely reporting of privacy and security incidents and the consequences of failing to do so."

Governance Considerations from HIT for the Board and Other Hospital Stakeholders - The Need for an IT Champion to Serve as a Link between IT Personnel and Other Stakeholders - Installment 7

mkline@foxrothschild.com (Michael Kline) — Thu, 22 Oct 2009 16:45:52 -0500

This is the seventh installment in a series of blog posts that relate to the governance concerns surrounding developments in HIPAA, HITECH and HIT.

For a number of months this series has been emphasizing the importance of establishing a credible and knowledgeable liaison at the governing body and/or senior administrative level to articulate and educate the diverse stakeholders about the new challenges and initiatives in HIPAA and HIT. The liaison should be a champion and advocate for a rational and comprehensive approach for HIT.

The increasing complexities and costs of new IT systems and the need to demonstrate their “meaningful use” has greatly raised the stakes in this area for hospitals. Errors or false starts in HIT and the financial consequences of HIPAA violations under HITECH can be materially injurious to the organization’s finances, public image, internal stability and quality of patient care. It can also cause the loss of potential subsidies from HITECH.

Often the IT leader at a hospital does not have sufficient standing or skills set to serve as the champion. It was not the principal reason that he or she was hired. In such a case the governing boards should recruit either a knowledgeable board member or a senior staff person to serve this function.

The article on October 20, 2009 by Molly Merrill, Associate Editor of Healthcare IT News, adds further confirmation of the need for a qualified IT champion.

Ms. Merrill wrote that a new survey, conducted by Ponemon Institute and sponsored by San Jose, California-based LogLogic, shows that IT practitioners believe their organizations are lacking when it comes to protecting patient information. Moreover, Ms. Merrill continues, “[a]ccording to the study, 61 percent of [IT] practitioners believe their organizations don't have enough resources to meet privacy and data security requirements – and 70 percent think senior management doesn't consider it a priority.”

Ms. Merrill quotes the survey as concluding the following:

Without resources and support from senior management, preventing the loss of data may be very difficult. We recommend that organizations pursue a strategy of assigning accountability for the protection of electronic health information, appropriate technology to prevent the insider threat (such as DLP [data loss protection] solutions) and senior management buy-in for the necessary resources to get the job done right. [Emphasis supplied]

This survey underscores the frustrations and challenges that are present for the majority of IT leaders at hospitals. They may lack the standing within the organization to make a meaningful impact on senior management and the governing boards. Even if they hold a high level position within the organizations and are highly proficient in their jobs, they may lack be sufficient champions to interpret their complex world to their senior management and governing boards. It is incumbent on these organizations to identify a champion who possesses the skills to absorb and interpret the complex IT world for stakeholders who have limited knowledge of the subject.

[To be continued in Installment 8]

Let the Breach Notifications Begin! . . . (in 30 days, or so)

hoscislawski@foxrothschild.com (Helen Oscislawski) — Wed, 19 Aug 2009 16:55:16 -0500

The U.S. Department of Health and Human Services (HHS) announced today in a News Release that it has issued new regulations requiring health care providers, health plans, and other entities (e.g., now also Business Associates) covered by the Health Insurance Portability and Accountability Act (HIPAA), to notify individuals, and in some instances the media and HHS, in the event of a "security breach" of "unsecured" protected health information (PHI). Yesterday, the FTC also issued a Press Release that it finalized its final rule on security breach notification, which will apply to vendors of personal health records. Both HHS' and FTC's “breach notification” regulations implement provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Both sets of regulations are effective 30 days after publication in the Federal Register (which has not occurred just yet), but the HHS press release indicates that its rule will includes a 60-day public comment period. However, the HITECH Act specifies that compliance with breach notification requirements set forth in the HITECH Act (e.g., Sections 13401-13402) go into effect with respect to breaches that are discovered on or 30 days after the date upon which the publication of the interim final rules. Therefore, those required to comply with such provisions in the HITECH Act should be prepared to comply with the HITECH Act's security breach notification requirements by some time towards the end of September.

Click here to link to a copy of the HHS' Interim Final Breach Notification Rule.

Distressed Hospital Survival Through HIT?

mkline@foxrothschild.com (Michael Kline) — Mon, 10 Aug 2009 14:47:03 -0500

[Installment 6 - Governance Considerations from HIT for the Board and Other Hospital Stakeholders]

On August 4, 2009 the Associated Press reported at http://www.usatoday.com/news/health/2009-08-04-electronic-medical-records_N.htm that Sac-Osage Hospital, a 47-bed hospital in rural western Missouri, “is borrowing nearly $1 million to pitch its paper medical charts and purchase a state-of-the-art electronic health records [EHR] system. The hospital is hinging its survival on what it hopes will be a $3 million windfall of federal incentives for hospitals that go digital.”

This survival strategy for Sac-Osage Hospital is hazardous because there is an inherent risk in the hoped-for windfall in 2011 under the economic stimulus law. As the AP report goes on to states: “The risk lies in the federal government's ultimate definition of what constitutes a ‘meaningful use’ of electronic records.”

As I reported in my fifth blog post on July 28, 2009, health providers will have to meet minimum prescribed standards (the meaningful use) for their EHRs if they are to benefit in the future from the federal economic stimulus package under the HITECH Act to recoup a portion of the heavy costs that they will incur to implement their EHRs programs.

The bet that Sac-Osage Hospital says it is making by borrowing to invest in EHRs is the highest - the very survival of the hospital. Its Board and Administration have clearly made the determination that other possible alternatives for capital financing and investment by the hospital will not have the monetary potential return of the HITECH windfall. It is somewhat sobering that Sac-Osage Hospital bases its financial survival plan not on more effective delivery of healthcare or new treatment modalities but on digitalization of its health records. However, a positive by-product of EHRs and the demonstration of “meaningful use” that will be needed to realize the fruits from HITECH of an investment in EHRs presumably will be fewer medical errors, a more efficient healthcare delivery system and a higher quality of care.

Unfortunately for Sac-Osage Hospital and other health providers seeking to benefit from the HITECH windfall, the landscape for qualification could change markedly over the next two years. As technology evolves, the expectations as to what constitutes meaningfully use may rise. Sac-Osage Hospital and other small rural hospitals will also be competing for a share of HITECH money with larger and more well-financed institutions that are much further advanced with EHRs.

Other challenges can come not just from the crystallization of “meaningful use” but also the enactment of the health reform package that is looming ahead. The package itself may directly or indirectly affect how EHRs are to be generated and used, thereby impacting programs for implementing HIT.

Hopefully, the substantial majority of hospitals are not in a mode that their survival depends on the stimulus money from implementing EHRs. However, the Boards of health care providers cannot afford false starts and mistakes if they are to meet the meaningful use standards of the HITECH Act on a timely basis. These matters must be appropriately analyzed and monitored continuously at a high level in the hospital, with committed Board oversight.

[To be continued in Installment 7]

"In The Event That I Can No Longer Make Decisions For Myself, I Wish ..." - Storing Advanced Directives on GoogleHealth

hoscislawski@foxrothschild.com (Helen Oscislawski) — Wed, 05 Aug 2009 10:33:10 -0500

Google Health and National Hospice and Palliative Care Organization's Caring Connections have partnered to allow patients to store and access their advance directives on line. Advance directives are essentially "directions" that a person gives to their medical professionals about what interventions they wish to have provided or withheld under specific circumstances -- especially in emergencies and at "end-of-life" moments -- when such person can not express those wishes himself or herself. Advance directives laws vary from state-to-state, but typically require such directives to be in writing, signed and to have a personal representative listed.

GoogleHealth and Caring Connections will offer a "living will" feature that allows users to download a free state-specific advance directive and store completed and signed scanned documents securely on line in their GoogleHealth account. By "storing" such advanced directives in GoogleHealth's centralized repository, the hope is to offer providers with a better method to insure that a patient's true wishes with regard to health care interventions are honored. But, will it?

What had me wondering is how exactly will the provider access the advanced directive on Google Health without the individual (who presumably has lost his or her ability to communicate) providing his or her password? I suppose that in instances where a personal representative has been appointed, the individual could make sure to provide such password to his/her personal representative -- but watch out, because if the personal representative changes, then the password may need to change too. Another option may be for individuals to pre-authorize their entrusted health care provider with access to their personal Google Health account. Yet, this also has problems where one does not necessarily know which emergency room provider might end up providing them with care.

Nevertheless, even with its limitations, Google Health's new advanced directive feature will likely be beneficial in many circumstances. To learn more about GoogleHealth and Caring Connection's new advance directive feature, click here.

HITECH Help Is On the Way! August 19, 2009

hoscislawski@foxrothschild.com (Helen Oscislawski) — Fri, 31 Jul 2009 17:19:01 -0500

Do you need help understanding what to do in light of HITECH's privacy and security changes to HIPAA? Are you concerned about HITECH's increased penalties for HIPAA violations? Are you struggling to understand what needs to be done under the New Jersey Security Breach Notification Act, and how these state requirements reconcile with the HITECH breach notification requirements?

Join me on Wednesday, August 19, 2009 at 12:00 p.m. for a Webinar offered through the Medical Society of New Jersey called the "Privacy and Security Law Update" where I will cover the HITECH Act and how it changes HIPAA, required and recomended amendments to Business Associate Agreements, security breach notification obligations under HITECH and the New Jersey Identity Theft Prevention Act, the Red Flags Rule, and more.

To register, visit MSNJ’s web site and click on the Events Registration link. Please note that non-MSNJ members who wish to register for the webinar must first create an "new user" account with MSNJ and establish a password to be able to register for the webinar. To create a new user account, visit MSNJ's Events Detail page by clicking here.

Should Health Care Providers Bother with Red Flags?

hoscislawski@foxrothschild.com (Helen Oscislawski) — Thu, 30 Jul 2009 16:29:37 -0500

Yesterday, the Federal Trade Commission (FTC) announced in a News Release that it will further delay enforcement (yet again!) of the "Red Flags" Rule until November 1, 2009. The News Release states that the purpose of the delay is to give the FTC additional time to redouble its efforts to educate and assist small businesses and other entities about compliance with the Rule and ease compliance by providing additional resources and guidance to clarify whether businesses are covered by the Rule and what they must do to comply. Interestingly, last week, Law 360 reported that the American Bar Association (ABA) was reeling from the prospect that attorneys could be considered "creditors" subject to the Red Flags Rule, and was not ruling out the possibility of suing the FTC if steps were not taken to exempt lawyers from enforcement. If the ABA were to go down that route, others could follow suit (excuse the pun).

So, in light of all this continuing debate, many in the health care industry are ready to wave the "white flag" with regard to Red Flags . . . but should they?

In my view, the question of whether or not the FTC has appropriate jurisdiction to enforce health care providers' compliance with the Red Flags Rule is somewhat of a secondary issue, albeit an important one. The fact of the matter is, studies demonstrate that medical identity theft is a real, growing and dangerous problem in health care. In light of this, I think health care providers should want to take steps to minimize this risk, and implementing the items outlined in the Red Flags Rule is one way to accomplish this.

The scope of an Identity Theft Prevention Program can be scaled to the risk and size of the particular health care provider, so that the burden of developing and implementing such a program should match the size and complexity of the particular health care provider -- and, thus, should be manageable, both from an administrative and financial standpoint. On the other hand, a victim of medical identity theft can have their safety, well being and even life jeopardized. The Red Flag Rules should be viewed, then, as one way to help protect patients from this growing problem.

To get those red flags waving, click here to watch this great news video segment about how patients can be affected by medical identity theft.

HIPAA Paranoia Strikes Deep Among Healthcare Providers

wmaruca@foxrothschild.com (William Maruca) — Wed, 29 Jul 2009 08:57:29 -0500

Hospitals, physician practices and other healthcare providers continue to misunderstand patients’ rights to their own records years after HIPAA’s privacy rule took effect. The Los Angeles Times reported on July 27 that the California Medical Board receives many complaints from patients about trouble accessing medical records from doctors:

Candis Cohen, a spokeswoman for the board, says physicians and their office staffs frequently confuse details of the HIPAA privacy law and, even with the best intentions of protecting patients' privacy rights and complying with the law, deny consumers access to their medical records.

Among the common disputes are whether covered entities are allowed to charge patients retrieval fees for copies of their own records. HIPAA strictly limits charges associated with providing patients access to their records to "a reasonable, cost-based fee" for copying, postage and any time spent on preparing a summary explanation (as applicable). Thus, in instances where state laws allow providers to charge the patient other record-retrieval fees, such as costs associated with retrieving records for insurance companies, lawyers and other non-patients, providers may not be permitted to pass along these costs to their patients due to HIPAA, despite any such permissive state law. Also, some providers erroneously believe that they are not allowed to fax or email medical records to a patient, even at the patient’s request.

For some providers, confusion over the rules and unreasonable fear of penalties under HIPAA and state privacy laws has resulted in reluctance to release medical records to the people HIPAA was designed to protect: the patients themselves. I personally experienced this type of resistance shortly after the Privacy Rule became effective in 2003, when confusion was more understandable. By 2009, you’d think covered entities would have a better grasp on their rights and duties, but misunderstandings persist.

Relationship of "Meaningful Use" of EHR, and the Department of Veterans Affairs

mkline@foxrothschild.com (Michael Kline) — Sun, 26 Jul 2009 08:16:21 -0500

[Installment 5 - Governance Considerations from HIT for the Board and Other Hospital Stakeholders]

This is the fifth in a series of blog posts that relate to the governance concerns surrounding developments in HIPAA, HITECH and HIT.

The other week, two separate and apparently unrelated events occurred on consecutive days with respect to electronic health records (“EHRs”) that dramatically underscore the focus of this series. Governing Boards of hospitals and other stakeholders must place a very high priority in their struggle to cope with the new and somewhat uneven landscape of health information technology (“HIT”).

On July 16, 2009, Health Data Management reported that “[t]he federal HIT Policy Committee has approved revised recommendations of a workgroup for an initial definition of ‘meaningful use’ of electronic health records systems. The report goes on to emphasize that “[t]he definition is important because providers must demonstrate meaningful use of EHRs to qualify for Medicare and Medicaid incentive payments starting in 2011 under the economic stimulus law.”

Therefore, health providers will have to meet minimum prescribed standards for their EHRs if they are to benefit in the future from the federal economic stimulus package under the HITECH Act to recoup a portion of the heavy costs that they will incur to implement their EHRs programs.

On the following day, July 17, 2009, the federal Department of Veterans Affairs (“VA”) published a press release on its Web site that it will temporarily halt 45 information technology projects which are either behind schedule or over budget. These projects will be reviewed by the VA, and it will be determined whether these projects should be continued. The release goes on to say that each of the 45 affected projects will be temporarily halted with no further development until a new project plan that meets the requirements of Program Management Accountability System is created.

Some of the titles of the VA projects that will be halted include significant EHRs-related projects such as “Health Data Repository II,” “Clinical Data Service,” “Home Telehealth Development,” “Occupational Health Record Keeping System,” “Lab Data Sharing & Interoperability – Anatomic Pathology/Microbiology” and many others.

By simply securing additional funding from Congress, the VA, as an agency of the federal government that is generally a favorite of the legislators, can retool and retrench its EHRs initiatives after making a relatively embarrassing press release and perhaps enduring some criticism and lost time.

The Boards of health care providers do not have the luxuries of the VA. They simply cannot afford false starts and mistakes if they are to meet the meaningful use standards of the HITECH Act on a timely basis. As this blog has stated in earlier installments, the survival of many hospitals is threatened by the uncertainties of possible health care reform, declining patient population, reduced reimbursement, heavy regulation, intense competition, dwindling donor contributions and heavy endowment losses for non-profit hospitals, a history of unclear returns from past substantial investments in HIT and many other factors. The costs of mistakes for the private sector hospitals are not simply the embarrassment or lost time of the VA. They are the huge outlays for conversion to EHRs and the potential for losing access to the federal stimulus funds.

These questions and others must be properly considered at a high level in the hospital, with committed Board oversight, in order to avoid or mitigate liability and loss that will result from expensive choices made with inadequate or incomplete information.

[To be continued in Installment 6]

Dare to Take-a-Peek? Think Again.

hoscislawski@foxrothschild.com (Helen Oscislawski) — Thu, 23 Jul 2009 14:48:10 -0500

I have said it before, and I will say it again -- employees must come to understand and truly appreciate the huge risks involved and penalties at stake with "taking a peek" at a patient's medical record for no legitimate purpose.

This past Monday, a physician and two former employees at St. Vincent Infirmary Medical Center in Little Rock, Arkansas, pleaded guilty to misdemeanor federal charges that they inappropriately accessed the medical records of local television anchor, Anne Pressly, who was killed back in 2008. A News Release issued by the U.S. Attorney for the Eastern District of Arkansas states that all three of the accused entered guilty pleas on July 20, 2009 acknowledging they violated the privacy provisions of HIPAA.

The News Release indicates that the charged physician admitted that after watching a news report regarding Ms. Pressly being slain and taken to St. Vincent's, where he was on-staff, he logged on from home and accessed the hospital’s records system to "determine if the news reports were accurate." One of the other charged employees, a former account representative at the hospital, admitted that she accessed Ms. Pressly's file about 12 times "out of curiosity". The third employee charged, an emergency room secretary, admitted that she "became curious about the patient's [Ms. Pressly's] status and accessed the medical chart to find out if the patient was still living." The secretary did not inform anyone about her accessing the chart, but hospital records showed that the patient's records were accessed 3 times that day by the emergency room secretary. The hospital fired the account representative and the emergency room secretary, and suspended the physician for 2 weeks with required HIPAA re-training.

A sentencing date has not yet been set, but is expected within the next 45-60 days. Each of the charged individuals faces a maximum penalty of one year in prison, a fine of up to $50,000, or both! In addition, towards the end of the News Release, the local U.S. Attorney prosecuting the case included this warning to the health care industry:

"The HIPAA privacy protections are real, and we hope that through vigorous enforcement of HIPAA's right-to-privacy protections and swift prosecution of those who violate HIPAA, we can deter those in the medical industry who have access to protected health information from searching others' medical records merely to satisfy their own curiosity..."

Does anyone dare to take a peek after that warning?

Securing Protected Health Information (PHI)

mkline@foxrothschild.com (Michael Kline) — Thu, 16 Jul 2009 21:07:21 -0500

[Installment 4 - Governance Considerations from HIT for the Board and Other Hospital Stakeholders]. This is the fourth in a series of blog posts that relate to the governance concerns surrounding developments in HIPAA, HITECH and HIT.

Over the next several months, my blog entries will continue to discuss some of the threshold issues that face the manifold stakeholders in the hospital industry as they struggle to cope with the new and somewhat uneven landscape of health information technology (“HIT”) and protected health information (“PHI”). A major focus will be Boards and their responsibilities to their hospitals and other stakeholders with respect to HIT.

Securing PHI

One of the issues facing Boards is the relatively risky and murky area of “securing” PHI under the HITECH Act. The HITECH Act directed the U.S. Department of Health and Human Services (“DHHS”) and the Federal Trade Commission (“FTC”) to issue regulations further detailing the required security breach notifications. Both departments have proposed such regulations and are seeking public comment. Final regulations are to be issued by the departments by August 17, 2009, as required by the HITECH Act.

DHHS has issued guidance on which technologies and methodologies can be used by hospitals to “secure” PHI. The outlined technologies render PHI unusable, unreadable or indecipherable to unauthorized individuals. A breach of secured PHI does not trigger HITECH security breach notification requirements. Following the guidance from DHHS will create the functional equivalent of a safeguard for hospitals and other providers and satisfy compliance with HITECH.

Encryption and Destruction of PHI under DHHS Guidelines

DHHS identifies two methods for rendering PHI “secured”: encryption and destruction. Encryption is the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning to the data unless an individual uses a certain process or has a key. DHHS regulations state that the valid types of encryptions processes to use will be those that are consistent with National Institute of Standards and Technology (NIST) standards for encryption. NIST has published a Guide to Storage Encryption Technologies for End User Devices. It is available at http://www.nist.gov/index.html.

The second method, destruction, will also secure information found in paper or electronic format. The paper or other hard copy media must be shredded or destroyed in a manner that the PHI cannot be read or otherwise reconstructed. Electronic media is to be cleared, purged or destroyed. Destruction should also be performed consistent with NIST standards. NIST has published Guidelines for Media Sanitization. It is available at http://www.nist.gov/index.html.

Board Oversight Obligations to Secure PHI

In satisfying DHHS requirements for “securing” PHI, Boards must establish appropriate and effective safeguards and security measures so that the risk of failure to comply with destruction policies is minimized. The use of improper, careless or noncompliant techniques for encrypting or destroying PHI by a hospital carries with it a high risk of damage control expense, penalties for noncompliance, devastatingly adverse publicity and potential for liability for widespread liability to victims whose PHI has been compromised.

Boards of healthcare providers must devote sufficient resources that are supervised by competent personnel at a sufficiently high level in the corporate organization to secure PHI. The resources invested up front for orderly risk management are well worth the avoidance of the costs of damage control. Monitoring and feedback to the Board on the effectiveness of the efforts are a necessary follow-up.

When the final regulations on securing PHI are issued by DHHS and the FTC, this blog will address some of their principal points.

[To be continued in Installment 5]

Sharing of Electronic Health Records Among Hospitals

mkline@foxrothschild.com (Michael Kline) — Thu, 25 Jun 2009 16:16:18 -0500

[Installment 3 - Governance Considerations from HIT for the Board and Other Hospital Stakeholders]

This is the third in a series of blog posts that relate to the governance concerns surrounding developments in HIPAA, HITECH and HIT. Jim Landers of the Washington Bureau of the Dallas News wrote an article that was published on June 24, 2009, entitled "Administration: Hospitals unwilling to share electronic records will miss out on billions in stimulus funds." His article prompted me to write on the topic as part of this series.

In his article Mr. Landers stated:

The Obama administration's point man on electronic medical records [David Blumenthal, national coordinator for Health Information Technology] warned Tuesday that hospitals unwilling to share such files [electronic health records or EHR] with their competitors would not be eligible for billions of dollars in economic stimulus funds.

Mr. Blumenthal was further quoted by Mr. Landers as follows: “There's a fair amount of money in the law for hospitals that adopt interoperability [the means to share EHRs]. If they don't, they're not likely to be eligible for payment."

Mr. Landers correctly points out that many hospitals would be concerned that such free sharing of EHR among hospitals could give rise to the potential for losing patients to competitive institutions. I believe that, faced with deepening economic pressures and more highly educated patients with abundant choices, hospitals and their governing bodies must be increasingly concerned about material collateral issues that arise from sharing EHR with their competitors.

I would add to the observations of Mr. Landers that embedded in EHR in one form or another could be relatively proprietary financial and business information regarding costs, charges or reimbursement of the hospital and/or treating physicians. In the exchange of EHR among hospitals, such proprietary information could be included. There exists a potential for the violation of antitrust laws for sharing of sensitive pricing and business information among competitors. The effect of such a violation could be a major financial and public relations fiasco for the hospitals. Removal or de-identification of such proprietary information could be costly or relatively impractical. This aspect warrants review by competent legal counsel and information technology and financial experts for the hospital.

The ever-increasing momentum for acceleration of hospital conversion to EHR creates challenges and opportunities for a hospital and its governing board. On the one hand a hospital’s initiatives in this area can possibly make the hospital eligible for stimulus money to assist in the expensive cost of conversion to EHR. On the other hand there must be careful analysis at the governing board level of such an initiative in light of the risks involved.

These questions and others should be properly considered at a high level in the hospital, with board oversight, in order to avoid or mitigate liability and litigation, maintain the hospital’s reputation for candor and transparency and avoid the adverse publicity of regulatory violations and penalties.

Will Too Much "Meaning" = Not Enough Use?

elitten@foxrothschild.com (Elizabeth Litten) — Tue, 23 Jun 2009 16:48:09 -0500

When I first reviewed the Matrix and other documents released by the HIT Policy Committee’s “Meaningful Use” Workgroup, my initial reaction was “When did defining ‘Meaningful Use’ of EHR morph into attempting to use EHRs to ‘meaningfully’ reform the entire healthcare delivery system.”? More simply put, the Workgroup’s initial recommendations seemed to me to be over-ambitious.

The term "Meaningful EHR User" in ARRA (at Title IV, subtitle A, section 4104) is described as "an eligible professional" who meets the following criteria:

demonstrates that he/she is using certified EHR technology in a "meaningful manner, which shall include the use of electronic prescribing";
demonstrates that he/she uses the certified EHR technology to be "connected, in a manner that provides... for the electronic exchange of health information to improve the quality of health care, such as promoting care coordination"; and
submits information on selected "clinical quality measures".

In my view, the first round of "Meaningful Use" requirements should be specific and reasonably achievable by healthcare providers. For example, perhaps the terms could require that the healthcare provider demonstrate how he/she uses electronic prescribing at least 75% of the time; or, how a provider records patient notes and medical encounter information in a certified EHR for no less than 75% of his/her new patient encounters.

Interestingly, the National Coordinator for HIT decided to “send the workgroup back to work on another set [of recommendations]" for defining Meaningful Use soon after the Workgroup released its first set of recommendations. In the second go around, I think that many in the healthcare industry hope to see Meaningful Use criteria that are attainable by healthcare providers on a practical level. Otherwise, the entire premise of the HITECH Act providing incentives to increase EHR adoption could be thwarted.

"Meaningful Use" Comments Due June 26th

hoscislawski@foxrothschild.com (Helen Oscislawski) — Thu, 18 Jun 2009 09:57:23 -0500

The Office of the National Coordinator for Health Information Technology (ONC) is seeking comments on the preliminary definition of “Meaningful Use,” as presented to the HIT Policy Committee on June 16, 2009. Comments on the draft description of Meaningful Use are due by 5:00 pm EST June 26, 2009. Below are links to the HIT Policy Committee's recomendations:

For directions on how to submit comments, visit the HIT Policy Committee's website.

"Meaningful Use" Definition Recommendation Due out June 16th

hoscislawski@foxrothschild.com (Helen Oscislawski) — Thu, 11 Jun 2009 13:36:48 -0500

The HIT Policy Committee is suppose to unveil its recommendations on the definition of "Meaningful Use" of electronic health records (EHRs) on June 16th, reports Health Data Management. Any approved definition of "Meaningful Use" would then be forwarded to the Office of National Coordinator for further consideration.

What will constitute "Meaningful Use" of an EHR has been the subject of much debate and speculation lately because it is a necessary condition that hospitals and physicians must meet in order to qualify for Medicare and Medicaid incentive payments under the American Recovery and Reinvestment Act (ARRA). ARRA initially describes “Meaningful Use” to include:

The use of a certified EHR with ePrescribing capability;
The ability to report on clinical quality measures; and
The use of EHR technology that allows electronic exchange of patient health information.

Further information with regard to required standards, reporting and connectivity levels are to be determined by the Secretary of Health and Human Services, and the Final Rule on the initial definition of "Meaningful Use" is due out by the end of 2009, so stay tuned....