Health IT Law Blog : Health IT Law Blog : Post & Schell: Law Firm : HIT & Electronic Health Records

Via HHS Press Release:

The Certification Commission for Health Information Technology (CCHIT), Chicago, Ill. and the Drummond Group Inc. (DGI), Austin, Texas, were named today by the Office of the National Coordinator for Health Information Technology (ONC) as the first technology review bodies that have been authorized to test and certify electronic health record (EHR) systems for compliance with the standards and certification criteria that were issued by the U.S. Department of Health and Human Services earlier this year.

Announcement of these ONC-Authorized Testing and Certification Bodies (ONC-ATCBs) means that EHR vendors can now begin to have their products certified as meeting criteria to support meaningful use, a key step in the national initiative to encourage adoption and effective use of EHRs by America’s health care providers.

“Less than two months following the issuance of final meaningful use rules, we have approved our initial ONC-ATCB certifiers. EHR vendors can begin immediately to get their products certified.” said David Blumenthal, M.D., national coordinator for Health Information Technology. This is a crucial step because it ensures that certified EHR products will be available to support the achievement of the required meaningful use objectives, that these products will be aligned with one another on key standards, and that doctors and hospitals can invest with confidence in these certified systems.”

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Our own Steve Fox was interviewed by InformationWeek regarding the essential protections healthcare providers should include in their EHR contracts with health IT  vendors.  In particular, Steve warned providers against simply accepting vendor agreements without carefully reviewing and negotiating the key provision therein. Via InformationWeek:

"Many health IT vendors offer online contacts that prompt the physician to click the 'agree' button. Unfortunately some of these agreements have no warranties and in fact disclaim many standard warranties, so the vendors are selling their products 'as is,' which means if something goes wrong they are not responsible," Fox told InformationWeek after his presentation. "Some contracts even go further and say if a third party, for example the patient, would sue as a result of a problem with the EHR, the physician has to indemnify and defend the vendor even if it was the vendor that caused the problem."

You can read more after the jump, or by clicking here.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Data journalist David McCandless gave a brilliant talk about data analysis and visualization at this year's TED conference in Oxford, England.  What kind of stories will the newly collected electronic health data tell us about the human body and mind? If the nationwide EMR adoption proceeds according to plan, we will, for the first time, have enormous amount of health information available for analysis.  Data design and visualization will be key to our discovering and understanding of the often-hidden truths contained in raw data.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On August 19, 2010, the "tiger team" advisory panel submitted a letter to the HIT Policy Committee, established pursuant to the HITECH Act, proposing new safeguards for personally identifiable information on health information exchanges.  Via Bloomberg Business Week:

The recommendations were developed in response to a specific set of privacy-related questions raised by the Office of the National Coordinator for Health Information Technology. They touch upon and clarify topics such as patient consent and the use of third-party service providers in the exchange of personally identifiable health information.

<...> One of the bigger recommendations relates to patient consent. The direct exchange of electronic patient data between health providers for treatment purposes does not require any additional patient consent, the panel noted. The same rules that apply to paper or faxed exchanges of health information should apply in the electronic realm as well.

HIT Policy Committee will have to review and approve the proposed safeguards.  You can read more about the proposed standards after the jump, and can read the letter in full by clicking here.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

eWeek provides a great reminder of the dangers of signing up for an electronic health records system stored in a "cloud."  Such ASP/SaaS EHR models are attractive to many practices because they offer consistent (though not always lower) monthly fees and require no equipment purchases or installations.  However, as eWeek appropriately summarized, choosing an ASP provider should raise quite a few concerns, including:

• Access: who has access to your information (including your patients' protected health information)? How safe is it? Perhaps even more importantly, do you have access to your own information? Each ASP contract must deal with access issues, and clearly state that the provider will always have the right to access its own information stored on remotely hosted servers. Similarly, vendors should warrant that only the necessary personnel will access provider's records, and only in accordance with the scope of the agreement between the parties.
   
• Storage and disposal: Where is the data actually stored, and what regional or international laws may apply to such information? Also, what happens if the provider ceases to exist? eWeek reminds us that in 2001, "GE Healthcare bought health records provider Encounter EHR and eventually ended up shutting it down - giving records holders 30 days' notice to reclaim their data or lose it. This caused a great number of problems." While such instances are rare, what if the vendor storing your records is acquired by another company? Once again, your contracts should clearly deal with these issues, especially by providing that in the event the vendor is sold or goes out of business, provider has the right to terminate the agreement and the vendor must immediately return all of provider's data in its possession in the format specified by the provider.
   
• Cost: Does choosing ASP/SaaS model save money? According to eWeek, not necessarily: "Allscripts' MyWay service costs $700 per month per health care provider. GE Healthcare's new Centricity Advance service will cost doctors from $300 to $800 a month. Most client-server software packages are much less expensive."

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Via NIST:

In efforts to help the nation's health care industry make the transition to the digital age in an effective and meaningful fashion, the National Institute of Standards and Technology (NIST) has published a set of approved procedures for testing information technology systems that work with electronic health records (EHRs). Released in draft form earlier this year (see "NIST, Partners Develop Testing Infrastructure for Health IT Systems," NIST Tech Beat for March 16, 2010, at http://www.nist.gov/itl/hit_031610.cfm), the approved and finalized testing procedures are now available for use.

Under a certification program established by the U.S. Department of Health and Human Services Office of the National Coordinator (HHS/ONC), testing organizations authorized by HHS/ONC can use the tools to evaluate EHR software and systems that vendors would like to sell to doctor's offices, hospitals and other health care providers. Starting next year, the federal government will provide extra Medicare and Medicaid payments to health care providers that implement EHR systems certified to meet ONC requirements that conform to technical standards and are put to "meaningful use," performing specifically defined functions.

These ONC-approved test procedures help ensure that electronic health records function properly and work interchangeably across systems developed by different vendors. The set of 45 approved test procedures evaluate components of electronic health records such as their encryption, how they plot and display growth charts, and how they control access so that only authorized users can access their information.

The development of these tools was mandated by the American Recovery and Reinvestment Act (ARRA) in order to support a health IT infrastructure.

Notice of the approved test procedures appears in the August 9, 2010, Federal Register. For more information, see http://healthcare.nist.gov/use_testing/finalized_requirements.html and http://healthit.hhs.gov/certification
 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

CMS launched a very useful Web site, http://www.cms.gov/EHRIncentiveprograms, providing an overview of the Medicaid and Medicare incentive payment programs established by the HITECH Act.  The site provides up-to-date, detailed information and many important links and "fact sheets" about the incentive programs, including overviews of CMS's final rule on meaningful use, the scope of the incentives program, and a Frequently Asked Questions section.  

It is definitely worth saving or bookmarking this site, so that you can check back in easily for regular updates.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On August 19, 2009, pursuant to the HITECH Act, the Department of Health and Human Services (HHS) published the interim final regulations regarding breach notification requirements for health care providers and other entities covered by HIPAA. The rule became effective on September 23, 2009. 

During the 60 day public comment period, HHS received 120 comments, after which HHS developed a final rule and submitted it to the Office of Management and Budget for regulatory review on May 14, 2010.  However, on July 27, 2010, HHS issued a statement that they are withdrawing the final rule from OMB:

HHS is withdrawing the breach notification final rule from OMB review to allow for further consideration, given the Department’s experience to date in administering the regulations. This is a complex issue and the Administration is committed to ensuring that individuals’ health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur. We intend to publish a final rule in the Federal Register in the coming months.

HHS's withdrawal remains a bit of mystery.  However, Post & Schell's Ed Shay has a couple of thoughts, which you can read after the jump.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

The Rite Aid Corporation, the third largest pharmacy chain in the United States, reached a major settlement with both the Federal Trade Commission (FTC) and HHS's Office of Civil Rights (OCR) regarding charges that Rite Aid violated federal privacy and security laws and regulations by failing to keep its customers' and employees' data safe. 

Rite Aid employees were reported to discard prescriptions and pill bottles containing sensitive patient data into the dumpsters behind various Rite Aid pharmacies, which were easily accessible to the public.  Such practices violate the HIPAA Privacy Rule, which requires covered entities to safeguard the privacy of patient information, even when such information is being destroyed.  Rite Aid's actions may also violate the company's own promises to their customers regarding keeping their health information private and secure (this broken promise being the basis for FTC's charges).

• Email This
• Print
• Comments
• Trackbacks
• Share Link