Legal Health Information Exchange

Legal and Practical Implications of Meaningful Use Attestation

knowik@oscislaw.com (Krystyna Monticello) — Tue, 15 May 2012 16:50:01 -0500

With over $4 billion paid out to eligible professionals (EPs) and hospitals under the Medicare and Medicaid EHR Incentive Programs as of March 2012 according to CMS, many hospitals are gearing up for or have recently completed successful Meaningful Use attestation for their first Stage 1 90-day reporting period. The online attestation process itself, as experience shows, is fairly straightforward and can be completed in a short amount of time. But making sure you have everything to support that you were a “meaningful user” during the applicable reporting period requires careful planning and documentation.

Know what you are attesting to. The federal False Claims Act imposes liability on any person submitting a claim to the federal government that he or she knows, or should know, is false. No proof of specific intent to fraud is required and “knowledge” includes (1) actual knowledge of the information; (2) deliberate ignorance of the truth or falsity of the information; or (3) acting in reckless disregard for the truth or falsity of the information. State laws may also result in civil or criminal penalties for false claims.

By attesting, the hospital or EP is submitting a claim for payment from the government. As such, any misrepresentations, material omissions, false claims, statements or documents are subject to prosecution under Federal or State criminal laws and potentially civil penalties. With all hospitals and EPs on the hook for visits from both CMS and the respective State Medicaid auditors, they must be prepared to show proof that they accurately attested to the best of their knowledge to all measures and objectives and other meaningful use requirements having been met.

It is therefore critical, that, before attestation, the hospital or EP reasonably have the knowledge to attest that it was a meaningful user during the applicable EHR reporting period and that all data is (1) accurate and complete to the best of his or her knowledge; (2) includes information on all patients to whom the measure applies; and (3) for CQMs, that the numerators and denominators were generated as output from certified EHR technology.

At an absolute minimum, the hospital or EP must ensure that all measure thresholds were appropriately met, all patients to whom a measure applied were included in the denominator (or properly excluded), and interpretations of any “grey areas” are clearly documented. The hospital or EP should be familiar with any clarifying language in the Preamble to the EHR Incentive Programs Final Rule as well as any relevant and available CMS Frequently Asked Questions.

Other practical considerations to support attestation and defend against potential audit by CMS or the State include:

Have all data readily available that must be entered during the attestation process (e.g., CMS EHR Certification Number, method for calculating ED visits, all applicable numerators and denominators). CMS has made available an Attestation Worksheet for assistance with the online attestation process.

Document all certified EHR technology reports and supplemental data reports, as well as measure checklists, screenshots, test results and any assumptions or processes concerning workflows or interpretations for any given individual measure that support meaningful use during the applicable EHR reporting period. Be prepared to show documentation to support all “yes/no” attestations. For example, documentation for “exchange key clinical information” could include potentially screenshots of the test information that was sent to the third party health care provider and the testing “script” showing the date and success or failure of the exchange.

When using multiple certified EHR systems, CMS as of April 20, 2012 will permit those numerators and denominators generated by the respective certified EHR systems reports to be added together, rather than requiring the hospital or EP to reconcile the reports to account for unique patients as CMS required in the past. If a hospital or EP has already attested and reconciled for unique patients, keep all reports used to aggregate the data and that support the numerators and denominators attested to.

Keep all documentation to support your meaningful use, including to support patient volume thresholds, and incentive payment calculations for the Medicare and/or Medicaid EHR Incentive Programs, for a period of six years from the date of your attestation (three years to support Medicaid Adoption/Implementation/Upgrade payments).

Remember that for hospitals, July 3, 2012 is the last day to begin your 90-day reporting period for Stage 1. Be sure also to keep an eye on both the CMS and your State’s EHR Incentive Program websites for additional information regarding audits or updates to the respective Meaningful Use programs. Subscribing to the CMS EHR Incentive Program Listserv will ensure that you receive any new or updated FAQs from CMS as well as other important information about the EHR Incentive Programs.

Oscislawski LLC and Blass Affiliates have teamed up to help a number of hospitals successfully attest for Meaningful Use Stage 1. The experienced consultants at Blass provide hands-on guidance and software compliance management support to help clients succeed with Meaningful Use through ComplyAssistant, its web-based compliance management tool, and the knowledgeable attorneys at Oscislawski LLC keep on top of Meaningful Use regulatory developments and offer legal interpretation and guidance to clients.

We "Like" Organ Donor Status on Facebook

helen@oscislaw.com (Helen Oscislawski) — Wed, 02 May 2012 15:42:48 -0500

This post has been prepared by Christina Strong, Esq.

The addition of “organ donor status” to Facebook is a tremendous boon for the communication of what is fast becoming a social norm, altruistic donation of one’s body, to take place after death. Unlike other decisions surrounding one’s body, the decision to donate organs is not a health care decision. It is instead, a charitable gift, to be given post-mortem, the legal equivalent to a gift made through a will. While privacy advocates and others in the industry are rightfully concerned about inadequate protection for healthcare decisions provided on the web in general and Facebook in particular, there is no privacy law or issue impacted by listing of donor status of Facebook. First of all, it is extremely unlikely that designation of donor status on Facebook will be considered a document of gift under the Uniform Anatomical Gift Acts of most states. Thus, to state that one is an organ donor on one’s Facebook Timeline is tantamount to saying:

When I die, and if I die in a time frame and manner which allows for the recovery of something from my body, I would like to give something.

It is an expression of general support for a concept, followed by a call to action “Register with your State Donate Life Registry”, and a link to do so. The registration itself takes place on a secure website, which performs legally adequate verification of identity, and information, and in many cases, specific choices as to the scope of the gift. Facebook does not display actual registration or donor information. Facebook displays the expression of generous intent.

A recent article in Bloomberg Businessweek warns consumers to be hyper-aware about managing their own privacy for this information, and suggests that it can be used against them. While it is not entirely clear if the authors of the article are actually concerned about the privacy of a person's "donor status" or have simply confused this expression with the privacy concerns that arise when true medical information is shared, in any case it is important to understand that the Organ Donor "Status" referred to on Facebook is reflecting merely the willingness to give a post-mortem gift. This general willingness, or indeed, even the fact of donor registration does not impact any other aspect of life or health care, any more than a decision to be cremated rather than buried might. One is not treated differently in an insurance policy, an auto accident or at the hospital based on one’s decision, registered or not. One is not declared dead on any different criteria, simply because one has indicated a preference about donation. It is a decision about body disposition, and therefore, not considered health information of any kind, under any law, state or federal. Donor status is a decision people like to share, like “I root for the Giants” or “I support Planned Parenthood”. It loses any conceivable protection at the point where one voluntarily shares it with the public one chooses to share with.

If the article intends to point out that once you put your donor status on Facebook others can see it and judge it according to their own lights, then the authors are absolutely correct. That is the point.

Christina Strong is an attorney in private practice who concentrates in health law, including anatomical gift law, informed consent, healthcare decision-making and healthcare privacy. She is a trustee of Donate Life America, and a registered organ and tissue donor in the State of New Jersey. This means that when she dies, if she dies in a manner and a time frame compatible with donation, her organs can save as many as seven lives, and her tissues may be recovered and used to enhance the lives of hundreds. This is true of her, and 10 million others who have registered their wish to be an organ donor. With the help of Facebook we hope that 10 million more donors will sign up in 2012.

According to FoxNews.com, the FB Donor Status button and link has spurred thousands of new registrations in just the last few days. To learn more how you can register to become an organ donor through Facebook's links to state registries, visit DonateLife's FB page.

Public Comments for Meaningful Use Stage 2 NPRM Due May 7

knowik@oscislaw.com (Krystyna Monticello) — Tue, 01 May 2012 10:48:01 -0500

The clock is ticking for interested parties to submit comments in response to the CMS and ONC Meaningful Use Stage 2 Notices of Proposed Rulemaking (NPRM). The deadline for submission of comments is 5pm on Monday, May 7. CMS has requested public comment on a variety of specific Stage 2 proposed requirements, such as for CQM reporting, transport standards, and the active role of patients proposed for certain objectives and measures. ONC likewise has requested public comment on proposed new and revised standards, implementation specifications and certification criteria. Public comments may also be submitted in general on any of the proposed new or revised Stage 1 and Stage 2 requirements.

For a summary of the changes proposed by the CMS NPRM, check out my previous posts, Proposed Rule for Meaningful Use Stage 2 Released and Meaningful Use Stage 2 Ramps up HIE. Formal comments can be submitted directly online through the respective CMS and ONC NPRM websites. Entities currently participating in or considering participating in the Medicare or Medicaid EHR Incentive Programs are strongly encouraged to submit comments on the NPRMs as feedback is critical for improvement of the EHR Incentive Programs and accomplishing the goals of Meaningful Use.

CMS Updates Meaningful Use FAQs for Multiple Certified EHRs

knowik@oscislaw.com (Krystyna Monticello) — Mon, 23 Apr 2012 08:35:02 -0500

Coming a little too late for hospitals and eligible professionals who have already attested or begun to attest for 2012, CMS has kindly taken a step back on Meaningful Use requirements for accounting for unique patients in calculating numerators and denominators during attestation in the release of an updated FAQ on April 20. Retracting its previous requirement that any hospital attesting with multiple certified EHR technology, or any eligible professional seeing patients at multiple locations with certified EHR technology, reconcile the various reports generated by the certified EHR technology to ensure only "unique patients" were counted in the numerators/denominators, CMS now permits hospitals and eligible professionals to simply add the numerators and denominators from the reports generated by the certified EHR technology.

CMS states,

For objectives that require an action to be taken on behalf of a percentage of "unique patients" (e.g., the objectives of "Record demographics", "Record vital signs", etc.), EPs, eligible hospitals, and CAHs may also add the numerators and denominators calculated by each certified EHR system in order to arrive at an accurate total for the numerator and denominator of the measure. Previously CMS had advised providers to reconcile information so that they only reported unique patients. However, because it is not possible for providers to increase their overall percentage of actions taken by adding numerators and denominators from multiple systems, we now permit simple addition for all meaningful use objectives.

This therefore removes one step from the attestation process, eliminating the need to reconcile various reports to ensure patients aren't counted twice. However, hospitals and eligible professionals still must count any patients whose records are not maintained in certified EHR technology where applicable in order to provide accurate numbers. All of the CMS FAQs are available on the newly designed CMS Frequently Asked Questions page by clicking on the topic "Electronic Health Records Incentive Programs."

Yet Another Medicaid Breach; Emory Loses Back-up Discs

knowik@oscislaw.com (Krystyna Monticello) — Sun, 22 Apr 2012 22:21:35 -0500

This April appears to have been designated "National Breach" month. In what is the second massive breach of Medicaid data this month, over 200,000 South Carolina Medicaid beneficiaries have been notified of a breach of their health information. The South Carolina Department of Health and Human Services discovered on April 10 that an employee had emailed 17 spreadsheets of beneficiary health information to his personal email account, including names, addresses, social security numbers and Medicaid ID numbers, but no medical information.

The former employee and project manager, Christopher Lykes, has since then been fired and arrested, charged with five counts of confidentiality violations under the South Carolina Medically Indigent Assistance Act, and one count of disclosure of confidential information, according to ABC News, Charleston. According to Department of Health and Human Services Director, Anthony Keck, the records were transferred to at least one other person, although it is unknown yet why the information was accessed.

Investigations showed that the information was available through normal reporting processes, however, Department policies and procedures did not require employees to justify needs for information, which has now been rectified by the Department. An external IT consultant has also been hired to conduct a full risk assessment of all data and IT systems.

As I posted earlier this month (see my previous blog, Utah Medicaid Claims Data Hacked), this is the second Medicaid breach this month. Utah, at least, can blame European hackers for the breach, rather than its own policies and procedures, which has since skyrocketed from its original estimate of 24,000 to almost 800,000 Medicaid beneficiaries or individuals who received health services and whose Medicaid status may have been inquired about by their health care provider, as well as CHIP recipients. This makes it one of the top breaches reported over the past few years. The Utah Department of Health has updated its toll-free number for Medicaid clients to call and added additional information about the breach on its website.

And finally, continuing the April breach theme, Emory Healthcare Systems reported this past week that 10 back-up discs went missing from storage at Emory University Hospital, containing data of 315,000 patients, including likely its own CEO's information. Oops. The data related to surgical patients treated at several Emory facilities from September 1990 through April 2007 and contained names, social security numbers, dates of surgery, diagnoses, and surgical codes, as well as names of surgeons and anesthesiologists.

Patients were notified beginning April 17, although the discs went missing sometime in February. Emory stated in its online notice that it does not believe any of the data was or will be misused, as the backup discs were for an obsolute software system long-deactivated by Emory. However, Emory has offered one year of free credit monitoring and has implemented additional security data control measures.

Along with the recent $100,000 settlement agreement between HHS and a Phoenix cardiac surgeons group, these breaches hammer home the need for a comprehensive HIPAA Compliance Program and periodic risk assessments. See Helen's post last week for the significance of this settlement agreement and the steps covered entities can take to protect themselves against breaches and privacy and security violations.

Meaningful Use EP Eligibility Appeals Extended to April 30, 2012

knowik@oscislaw.com (Krystyna Monticello) — Fri, 20 Apr 2012 12:53:17 -0500

As a reminder to eligible professionals (EPs) participating in the Medicare EHR Incentive Program, CMS has extended the deadline within which an EP may file an eligibility appeal to Monday, April 30, 2012. In general, there are three types of appeals afforded to EPs: eligibility appeals, meaningful use appeals, and incentive payment appeals.

Eligibility appeals provide an EP with the chance to show that he or she should have receive an incentive payment as all meaningful use requirements were met, but could not because of circumstances outside of the EP's control. There are two levels of review afforded under the Medicare EHR Incentive Program appeals process:

Informal review;
Request for reconsideration if the EP does not win in the informal review.

EPs should be aware that all relevant issues must be presented in the initial appeal as any issues raised at a later time will not be considered absent special circumstances. When filing an appeal, EPs should be prepared to provide any additional documentation requested within seven (7) calendar days from a request.

CMS strongly encourages EPs and other providers to communicate with OCSQ, the designated appeals coordinator, about any questions on specific issues or providing documentation in order to avoid having an appeal dismissed. Additional guidance on the appeals process is available here. Appeals may be filed through OCSQ.

Cardiac Surgery MD Group Agrees to Pay $100,000 Settlement to HHS for Lack of HIPAA safeguards

helen@oscislaw.com (Helen Oscislawski) — Tue, 17 Apr 2012 16:59:09 -0500

And the HIPAA money keeps rolling to the feds. The latest settlement (announced today) is with a cardiac surgery physician group in Phoenix, Arizona, which has agreed to pay a hefty sum after someone reported to HHS that the MD group was potentially compromising patients' PHI by posting appointments on an internet-based calendar, which prompted OCR to then investigate and find the physicians to be out of compliance with HIPAA's safeguards.

The following April 17, 2012 Press Release is HOT off the presses on HHS' News Release website:

Phoenix Cardiac Surgery, P.C., of Phoenix and Prescott, Arizona, has agreed to pay the U.S. Department of Health and Human Services (HHS) a $100,000 settlement and take corrective action to implement policies and procedures to safeguard the protected health information of its patients.

The settlement with the physician practice follows an extensive investigation by the HHS Office for Civil Rights (OCR) for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.

The incident giving rise to OCR’s investigation was a report that the physician practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible. On further investigation, OCR found that Phoenix Cardiac Surgery had implemented few policies and procedures to comply with the HIPAA Privacy and Security Rules, and had limited safeguards in place to protect patients’ electronic protected health information (ePHI).

This case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules,” said Leon Rodriguez, director of OCR. “We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.

The HHS Resolution Agreement can be found on HHS' website here. OCR’s investigation revealed the following specific issues with this group's HIPAA program:

Phoenix Cardiac Surgery failed to implement adequate policies and procedures to appropriately safeguard patient information;

Phoenix Cardiac Surgery failed to document that it trained any employees on its policies and procedures on the Privacy and Security Rules;

Phoenix Cardiac Surgery failed to identify a security official and conduct a risk analysis; and

Phoenix Cardiac Surgery failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its ePHI. This last finding being a significant one, and underscores that HIPAA BA Agreements MUST be entered into with vendors who have access to ePHI to facilitate a service to covered entities!

With the HITECH Rules in OMB and due out by mid June (unless an extension is sought by OMB), it will be particularly interesting to see if the Final Rules address the HITECH Act's requirement for percentages being paid out to individuals "damaged" by breaches of their information. The HITECH Act required rules on that topic to be out by this summer. Since an individual's report to HHS triggered this particular investigation and subsequent settlement, some are suggesting that such percentage payouts to individuals for HIPAA violations could in effect become almost like a whistle-blower provision and incentivize patients and others to submit reports to HHS for potential investigation. I think that might be the point.

But for now, this case just underscores once again that the best way for physician practices (and other covered entities) to protect themselves is to have a fully robust HIPAA compliance program developed and implemented (see, for example, our comprehensive HIPAA-HITECH Helpbook on www.ohcsolutions.com). Don't forget to also conduct a Security Gap Audit (see www.myhic.net, a leading company that specializes in and has thousands of hours of experience under its belt with competing Security Audits for Physician Practices, or contact them here). Finally, don't forget to provide regular training to your employees. For live training sessions and video training options, visit our Workshops page.

Utah Medicaid Claims Data Hacked Affecting Over 24,000

knowik@oscislaw.com (Krystyna Monticello) — Thu, 05 Apr 2012 13:42:04 -0500

The Utah Department of Health (UDOH) has experienced a data breach of its Medicaid claims data of over 24,000 individuals. The breach was reported to UDOH by the Utah Technology Services Department on Monday, April 2nd, and while the initial hacking is suspected to have occurred on Friday, March 30th, UDOH stated that information began to be removed from the server on Sunday, April 1 (perhaps merely coinciding with April Fools' Day...).

Currently, UDOH suspects the hackers originated from Eastern Europe, and according to Reuters, has been able to pinpoint it to within certain countries. The Department of Technology Services had recently moved the claims data to a new server, and, despite a multi-layered security system, the hackers were able to circumvent and access potentially client names, addresses, birth dates, Social Security numbers, physician’s names, national provider identifiers, addresses, tax identification numbers, and procedure codes for billing.

UDOH is still investigating the scope of the breach, and has yet to determine exactly what types of information were compromised as well as the identities of all of the affected Medicaid clients. So far, UDOH believes only one server was hacked. The affected server was shut down, and new security measures implemented, according to Reuters and UDOH.

UDOH is currently advising all Medicaid clients to monitor their credit and bank accounts until those affected can be fully identified and notified. According to KSL.com, Technology Services Executive Director Steve Fletcher said the server had "weaker controls" than the original server it was exchanged for. However, Fletcher stated that the agency will investigate further to assess how the hackers were able to circumvent the security system and do whatever may be necessary to prevent future breaches.

"These hackers are very, very sophisticated and that's one of the things that we want to document so that we can to put more controls in place to make sure that it will not happen again," stated Fletcher.

For more information, check out the UDOH official statement and the Reuters and KSL.com articles.

NeHC Releases Roadmap for Growth and Evolution of HIE, and Legal HIE Listed as a Helpful Resource!

knowik@oscislaw.com (Krystyna Monticello) — Tue, 03 Apr 2012 16:23:41 -0500

Following ONC's release of its Program Information Notice "Privacy and Security Framework Requirements and Guidance for State Health Information Exchange Cooperative Agreement Program," (the P&S PIN discussed in a previous blog post) the National eHealth Collaborative (NeHC) has released a roadmap for successful and widespread growth of HIE to improve health and healthcare after extensive collaboration with private and public stakeholders (the HIE Roadmap). NeHC is a pubic-private partnership established through a grant from the ONC and is led by some of the nation's most respected thought leaders, and so we were thrilled to discover that our blog, Legal Health Information Exchange, was identified by NeHC as one of only a selected group of "Helpful Resources" found at Exhibit B of its HIE Roadmap. You can register with NeHC to download a copy of the HIE Roadmap here.

Entitled "The Landscape and a Path Forward," the HIE Roadmap sets forth current HIE connectivity and exchange approaches across the nation, as well as federal efforts towards developing the foundation for interoperability and trusted HIE through common standards, services and policies. It highlights those strategies for integrating these federal and private sector efforts, emphasizing the current progress that has been made and those challenges and barriers remaining to be overcome.

Most importantly, it hopes to provide a roadmap of the major steps communities can follow to achieve progress towards HIE. The HIE Roadmap states,

...Given the rapid market and policy changes and technology innovations occurring right now, there is confusion among healthcare stakeholders about how best to proceed with implementing HIE. Leading HIE organizations are indeed charting new ground. Emerging HIE efforts can and should learn from those who are further along in order to...leapfrog toward success."

It notes that in 2010, the number of public HIEs increased 81% from 37 to 67 with a whopping 210% increase in operating private HIEs, from 52 to 160. Providing clear examples of leading HIE efforts, their leverage of national standards for exchange, and other factors contributing success, the HIE Roadmap seeks to capture the vision for why HIE is important to improving patient care and to the performance of our healthcare system, as well as provide a framework and a path forward for those working towards achieving HIE in their communities.

The HIE Roadmap highlights several of the most notable challenges and barriers to HIE, including:

Funding and sustainability;
Variations in implementation of interoperability standards;
Provider adoption;
Disparate EMRs; and
Privacy and security concerns.

However, it recognizes that these challenges and barriers are being "tackled and overcome." The HIE Roadmap highlights ONC efforts towards building a foundation of interoperability and trusted exchange, in particular, recommendations of the HIT Policy and Standards Committees and their workgroups, such as the Meaningful Use, Information Exchange, and Privacy and Security Policy Workgroups. It highlights the importance the Direct Project and the Nationwide Health Information Network (NHIN) continues to play in developing a strong interoperable foundation and the potential the Direct Project and NHIN have to promote best practices, compliance with existing national standards and implementation recommendations, and following through responsibility to protect health information.

The HIE Roadmap describes the approaches taken by several HIE initiatives across the nation, including:

Care Connectivity Consortium, comprised of five leading health systems, Kaiser Permanent, Mayo Clinic, Geisinger Health, Intermountain Healthcare and Group Health;
HealthBridge, with 50 participating hospitals, 800 physician practices, and 7,500 physicians;
Indiana HIE (IHIE), with 90 hospitals and 19,000 participating physicians;
Inland Northwest Health Services (INHS), with an air ambulance collaborative, rehabilitation hospital, and IT management for 38 hospitals and EMR services for 750 physicians, and which also partners with the Departments of Defense and Veterans Affairs; and
Kaiser Permanente, which includes the Kaiser Foundation Health Plan and subsidiaries, 37 hospitals and over 450 clinical facilities, and the Permanente Medical Group Practices.

While highlighting the various strategies implemented by these initiative, the HIE Roadmap also recognizes that,

Indeed, interoperable HIE is a journey without a definite endpoint. Many different approaches are being used, stakeholders are at different stages along this journey, and there is by no means a "one size fits all" model.

It notes, however, that a key priority of many of these initiatives is to provide standards-based services to small physician practices, recognizing that most healthcare is delivered in these physician practices and the challenges they face. Finally, the HIE Roadmap sets forth four major "steps" or phases for implementing successful and sustainable HIE, which starts wtih developing the HIE's objectives and vision.

In conclusion, the HIE Roadmap states,

The ultimate goal of HIE is to ensure that the right information is available at the right time and place every time to support the delivery of high quality, well coordinated, and cost effective patient-centered healthcare. Keeping a consistent and clear focus on what is best for the patient is above all else the smartest way to stay on course in the ever-changing environment of HIE.

Grantees of HIE Funds Get "PIN-ned" on Privacy, Security and Patient Consent

helen@oscislaw.com (Helen Oscislawski) — Sat, 31 Mar 2012 17:54:17 -0500

On March 22, 2012 HHS/ONC released a new Program Information Notice (PIN) called the "Privacy and Security Framework Requirements and Guidance for State Health Information Exchange Cooperative Agreement Program" (P&S PIN). The P&S PIN applies to all State Health Information Exchange Cooperative Agreement Program Recipients, including State Designated Entities (SDEs), SDE sub-grantees, and other direct grantees of the federal HIE Cooperative program. Here is a link to the HHS/ONC PIN website.

The P&S PIN requires all SDEs to submit as part of a 2012 annual SOP (Strategic and Operational Plan) an update of their privacy and security framework consisting of all relevant statewide policies and practices adopted by recipients, and operational policies and practices for HIE services being implemented by Grant recipients of funding in whole or in part with federal cooperative agreement funds (HIE Grant Recipients).

Among other things, each HIE Grant Recipient will need to submit how their existing privacy and security policies align with each domain of the Fair Information Practices (FIPs), which the ONC and the ONC's Privacy & Security Tiger Team have each previously pointed to as providing a privacy and security framework for networked HIE. The FIPs are:

Openness and Transparency
Collection and Use and Disclosure Limitation
Safeguards
Accountability
Individual Access
Correction
Individual Choice
Data Quality and Integrity

Specifically, Point-to-Point Directed HIE Exchange Models will be required to demonstrate that their P&S policies address FIPs 1-4, and have the option of addressing FIPs 5-8. HIE models that aggregate data will be required to demonstrate that their P&S policies address FIPs 1-8. If any GAPs exist between a FIP and the HIE Grant Recipient's current policies (i.e. a domain is not addressed), this must be identified and a strategy timeline and action plan for addressing these gaps in the 2012 SOP update must be provided.

One of the most debated topics with networked HIE has been patient consent. Many HIEs and stakeholders have asked the federal government on guidance on when and what form of consent is required for networked HIE.

The P&S PIN addresses patient consent with HIE, and requires that aggregated HIE models offer, at a minimum, individuals with a meaningful choice with regard to whether their individually identifiable health information (IIHI) may be exchanged through an HIO entity that aggregates data.

The P&S PIN then further goes on to define “meaningful choice” as including:

Made with advance knowledge
Not used for discriminatory purposes or as condition for receiving treatment
Made with full transparency and education
Commensurate with circumstances for why IIHI is exchanged
Consistent with patient expectations
Revocable at any time

Notably, the P&S PIN confirms that both opt-in and opt-out are acceptable means of satisfying patient choice. On Wednesday, March 27^th, I had the opportunity to speak at the HIPAA Summit in Washington D.C. where an audience member asked whether a “no choice” HIE model is now no longer a viable option for HIE. Both Joy Pritts, ONC Privacy Officer, and Deven McGraw, Co-Chair of the ONC P&S Tiger Team, confirmed that at least with respect to HIE Grant Recipients who are operating an aggregated HIE model, the P&S PIN must be followed and each patient must be afforded with meaningful choice to participate in networked HIE. It's also important to note that while the P&S PIN requirement could potentially be satisfied through obtaining written consent from the patient, written consent is not required and, moreover, Ms Pritts specifically pointed out that obtaining a written blanket consent without any supporting meaningful processes would not meet the FIP standard. Thus, whether an opt-in or opt-out model is used, HIOs must focus on ensuring that educational information about HIE is being delivered to patients, and the patient's decision-making process is meaningful.

The FIPs are nothing new, and ONC actually issued its Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health information back in December of 2008! Ever since then, I have been advising HIE initiatives to BUILD their HIE Policies around the FIPs and this ONC guidance document. Here is an example of how I crosswalk the FIPs with my template set of HIE Policies for HIOs that aggregate IIHI.

For a copy of a sample set of our HIE Policies, email me at helen@oscislaw.com, or visit www.ohcsolutions.com which going live soon as a source for legal forms and templates.