Health IT Law Blog : Health IT Law Blog : Post & Schell: Law Firm : HIT & Electronic Health Records

HHS extends Stage 2 Meaningful Use deadline to 2014

Posted on November 30, 2011 by Steve Fox and Vadim Schick

HHS announced today that the government intends to make it easier for healthcare providers to adopt electronic health records (EHRs). As part of this initiative, HHS decided to extend the deadline for meeting Stage 2 of Meaningful Use until 2014. Via HHS press release:

Under the current requirements, eligible doctors and hospitals that begin participating in the Medicare EHR (electronic health record) Incentive Programs this year would have to meet new standards for the program in 2013. If they did not participate in the program until 2012, they could wait to meet these new standards until 2014 and still be eligible for the same incentive payment. To encourage faster adoption, the Secretary announced that HHS intends to allow doctors and hospitals to adopt health IT this year, without meeting the new standards until 2014.

HHS also trumpeted the results of a CDC survey which found that more than half of U.S. physicians plan to take advantage of the EHR incentive program, and that the rate of EHR adoption doubled between 2008 and 2011, from 17% to 34% among physicians.

Of course, HHS did not comment on how low those numbers are. The fact remains that about two-thirds of U.S. physicians have not adopted electronic health records, and continue to use, in Secretary's words, the same technology as Hippocrates. The Obama administration is relying heavily on Regional Extension Centers and training efforts in order to aid healthcare enterprises in adopting EHRs.

We will update this post with links to any relevant regulations if and/or when HHS publishes them in the Federal Register.

"We Can't Wait: Obama Administration takes new steps to encourage doctors and hospitals to use health information technology to lower costs, improve quality, create jobs," HHS press release (November 30, 2011).

Tags: 2, 2014, ARRA, Articles, HHS, HITECH, HITECH Act, Medicare, News, Stage, incentive, meaingful use, payments

CMS issues final rule on ACOs

Posted on October 26, 2011 by Steve Fox and Vadim Schick

On October 20, 2011, CMS published the final rule on Accountable Care Organizations (ACOs) or, as it is formally known, the Medicare Shared Savings Program (the "Program"), enacted as part of the Patient Protection and Affordable Care Act (ACA) of 2010. According to CMS chief Don Berwick, MD, the Program represents an "opportunity to coordinate care among providers," which could "greatly improve the quality of care Medicare beneficiaries receive," and produce substantial savings for the federal government. The Program creates incentives for providers to collaborate in treating an individual patient across care settings, in order to receive a portion of the savings generated from providing such care.

CMS has substantially relaxed the requirements for ACOs originally provided in the proposed rule. Some of the key changes include (among many others):

Adding a "one-side" risk model, allowing providers to participate in the program without risking a loss in the event their ACO did not produce savings
"Preliminary perspective assignment" of Medicare beneficiaries, giving ACOs more control over their Medicare beneficiary population
Reducing the number of performance measures from 65 to 33
Eliminating the two percent threshold for being eligible for shared savings

CMS will begin taking applications for the program on January 1, 2012, with start dates of April 1 and July 1, 2012.

Tags: ACA, ACO, Accountable Care Act, Anti-kickback, Articles, CMS, HHS, IRS, News, Stark, accountable care organization, anti-trust, antitrust

Nemours reports breach affecting 1.6 million individuals

Posted on October 19, 2011 by Steve Fox and Vadim Schick

Nemours, a children's health system with hospitals in Pennsylvania, Delaware, Florida and New Jersey, reported a massive breach affecting 1.6 million people, including patients, employees, and vendors. Via Health Data Management:

'On September 8, 2011, we learned that a locked tape storage cabinet containing computer backup tapes was missing,' the delivery system said in a notice to patients. 'We immediately began an investigation and now believe the cabinet was removed from our Wilmington facility on or about August 10, 2011, during a remodeling project. To date, we have been unable to locate the storage cabinet. We believe the cabinet contained three unencrypted backup tapes from a computer system we stopped using in 2004. No medical records were on the backup tapes, but they did contain patient billing information, including name, date of birth, insurance information, medical treatment information, and Social Security number.' Some employee payroll data and vendor information, such as direct deposit bank account information, also was on the tapes.

Nemours began encrypting its back up data tapes and moved its rarely-used tapes to a more secure off-site facility. The health system is offering a year's worth of credit-monitoring to affected individuals, which considering the numbers involved in this breach, could be a massive, seven-figure expense.

"Nemours Notifying 1.6 Million Individuals About Breach," Health Data Management (October 18, 2011).

Tags: Articles, HIPAA, News, PHI, Privacy & Security, breach, breach notification, credit, data, monitoring

HHS awards over $650 million in EHR incentive payments

Posted on September 26, 2011 by Steve Fox and Vadim Schick

HHS released the first numbers regarding its Meaningful Use incentives program, established by the HITECH Act of 2009. Unsurprisingly, most eligible professionals and hospitals receiving funds this year qualified for incentive payments under Medicaid, rather than Medicare, because Medicare has a higher threshold for receiving such payments. Medicare requires the eligible professional or hospital to achieve and demonstrate meaningful use, while Medicaid mandates only adoption, implementation or upgrade of existing systems.

Nevertheless, the extent of the disparity was somewhat surprising: only about 6% of eligible hospitals and 3% of eligible professionals qualified for meaningful use incentives under Medicare. Via Modern Healthcare:

So far, Medicaid program payments for hospitals, physicians and other eligible professionals that have adopted, implemented or upgraded to a certified EHR system have totaled $389 million. Only $264 million has been paid under the Medicare program, which has a higher eligibility threshold, requiring providers to demonstrate that they are meaningfully using their certified EHR system.

Tags: ARRA, Articles, CMS, EHR, EHR Incentive Program, HHS, HITECH Act, Medicaid, Medicare, Medicare incentives, News, incentive, meaingful use

Major data breach at Stanford Hospital

Posted on September 12, 2011 by Steve Fox and Vadim Schick

A spreadsheet containing personal data of 20,000 emergency room patients of Stanford Hospital appeared on Student of Fortune, a Web site which "crowdsources" homework to other students online. The lost data included names, admission dates, diagnoses and other sensitive information. According to the New York Times, the spreadsheet was uploaded to this site by a billings contractor of Stanford Hospital, when an employee tried to solicit help on how to create a graph from the data in the spreadsheet. As Gawker reasonably speculated, a contractor's employee probably did not know how to create a graph and "so uploaded it to the homework helper website and offered, probably, a buck or two if someone could do it for them."

This breach stands out among the hundreds of others not because of its size (significantly larger breaches have been reported to HHS in the last year alone), but because this breach went undetected for almost a year and because, once again, a contractor of the healthcare provider caused a major data breach. According to a privacy expert quoted in the Times, "nearly 20 percent of breaches involved outside contractors, accounting for more than half of all the records exposed," which is a staggering number.

To protect our healthcare provider clients, we always include specific privacy protection warranties, indemnification clauses and limitation of liability carve-outs for vendor's own negligent acts or omissions which result in a data breach or loss. Stanford Hospital's example illustrates that providers must insist on such protections despite strenuous objections from vendors because, otherwise, providers may be exposed to a wide range of expenses and damages from third-party claims, fines, investigations and breach notification associated with a data breach or loss resulting from vendor's actions.

Tags: Articles, California, HIPAA, HITECH Act, News, PHI, Privacy & Security, breach, data, privacy, protection

Study: Most data breaches are caused by insiders

Posted on September 7, 2011 by Steve Fox and Vadim Schick

A survey by Veriphyr, a provider of identity and access intelligence solutions, found that insiders were responsible for over 60% of data breaches of protected health information (PHI). Specifically, 35% of the PHI breaches were due to insiders' snooping into medical records of fellow employees, and 27% due to improper access to records of their friends and relatives.

Over 70% of surveyed entities, which included hospitals and other heathcare providers, reported suffering one or more breaches within the last 12 months. Veriphyr CEO estimated that data breaches cost healthcare organizations almost $6 billion annually, but found that an overwhelming majority of privacy and compliance officers within the surveyed group (79%) felt that they lacked "adequate controls to detect PHI breaches in a timely fashion."

It is worth noting that 45% of breaches in the survey were caused by loss or theft of medical records and/or equipment holding such records. We have recently seen HHS impose a $1 million fine on Massachusetts General Hospital in a case where, it seems, records were lost by an employee due to a simple mistake and with no malice. UCLA Health System also paid a high price for its employees' snooping into medical records of celebrities.

While it is difficult to anticipate or avoid all possible human error, certain best practices - including Board and executive-level support for privacy initiatives, staff training and updated privacy and security policies and procedures, will go a long way to help your organization protect itself from a disastrous and costly data breach.

"Insiders responsible for majority of privacy breaches, survey finds," Healthcare IT News (August 30, 2011).

Tags: Articles, HHS, HIPAA, HITECH, News, OCR, PHI, Privacy & Security, breach, data, insider, notification, report

iPad EHR app certified for meaningful use

Posted on August 1, 2011 by Steve Fox and Vadim Schick

In a sure sign of the times, Drchrono, which offers a free electronic health record platform on the iPad, became the first iPad app to receive official ONC-ACTB certification. According to Healthcare IT News, "the drchrono EHR platform has been awarded ambulatory certification (ONC-ATCB) as a Complete EHR by San Luis Obispo, Calif.-based InfoGard, an Office of the National Coordinator (ONC) Authorized Testing and Certification Body (ATCB)". The app tracks a provider's use of the EHR and offers them key metrics to report to CMS, and includes many other features, such as billing and e-prescribing.

This is a huge step for a mobile EHR app, but its maker's regulatory hurdles may not be over. Last week, we reported on the FDA potentially regulating the market of mobile healthcare devices and applications. Electronic and personal health records could be exempt from such regulation, unless the FDA adopts a broad definition of "clinical decision support," which includes decisions based on the information given to a provider via the EHR app or device.

Moreover, use of such mobile apps or devices in healthcare presents providers with a very long list of legal concerns. Privacy and security of patient data, compliance with state and federal laws (including Stark and anti-kickback statutes), assumption of risk and liability, along with many other critical issues, should be addressed in the contract between the healthcare provider and vendor of such software.

Tags: ARRA, Articles, EHR, FDA, HITECH Act, News, ONC-ATCB, Privacy & Security, app, certification, certified, device, drchrono, iPad, mobile

FDA to regulate some mobile health applications

Posted on July 20, 2011 by Steve Fox and Vadim Schick

On July 19, 2011, the U.S. Food and Drug Administration (FDA) issued a guidance regarding the agency's plans to regulate select software applications intended for use on mobile platforms (mobile applications or "mobile apps"). According to the Washington Post, the FDA proposed to regulate only those mobile apps which: (1) act as an accessory to a regulated medical device; (2) turn a mobile device or gadget into a regulated device; and/or (3) make suggestions regarding a patient's diagnosis or treatment. Via the Post:

For example, an app that allows radiologists to view X-rays on an iPad or that turns an Android phone into a heart monitor would be regulated. But an app that stores medical records or provides training videos to physicians would not.

'We wanted to make sure that we are consistent in regulating medical devices so nothing has changed,' [FDA policy adviser Baku] Patel said. If 'somebody makes a stethoscope on an iPhone, it doesn’t change the level of oversight we have of a stethoscope.'

FDA's guidance does not establish any legally enforceable responsibilities, but describes FDA's current thinking on this topic and should be viewed only as recommendations. The agency will collect input from manufacturers and healthcare providers over the next 90 days.

You can view the full guidance by clicking here.

Tags: Articles, FDA, News, Privacy & Security, apps, device, mobile, mobile apps

UCLA Health System reaches $865,500 settlement with OCR

Posted on July 7, 2011 by Steve Fox and Vadim Schick

On July 6, 2011, the University of California at Los Angeles Health System (UCLAHS) reached a settlement with HHS's Office of Civil Rights (OCR) regarding UCLAHS's potential violations of HIPAA Privacy and Security Rules. The settlement includes a payment of $865,500 and a corrective action plan (CAP).

According to the HHS press release, this settlement "resolves two separate complaints filed with OCR on behalf of two celebrity patients who received care at UCLAHS. The complaints alleged that UCLAHS employees repeatedly and without permissible reason looked at the electronic protected health information of these patients. OCR’s investigation into the complaints revealed that from 2005-2008, unauthorized employees repeatedly looked at the electronic protected health information of numerous other UCLAHS patients."

We reported on possible privacy violations at UCLA Health System before. Specifically, in May 2010, we wrote about Huping Zhou, a UCLAHS employee who was the first person to receive a criminal conviction for a HIPAA violation. It is not surprising that OCR stressed the importance of training staff in prevention of such privacy violations in the CAP required by the settlement. The CAP "requires UCLAHS to implement Privacy and Security policies and procedures approved by OCR, to conduct regular and robust trainings for all UCLAHS employees who use protected health information, to sanction offending employees, and to designate an independent monitor who will assess UCLAHS compliance with the plan over 3 years."

Tags: Articles, CAP, HIPAA, HITECH Act, News, OCR, Privacy & Security, Privacy and Security Rules, Rule, Security Rule, UCLA, UCLAHS, corrective action plan, privacy rule, violation

HHS advisory panel recommends delaying Stage 2 Meaningful Use until 2014

Posted on June 10, 2011 by Steve Fox and Vadim Schick

The HIT Policy Committee, which advises the Office of the National Coordinator for Health IT in the Department of Health and Human Services, voted 12-5 to approve a significant delay in requiring providers to meet Stage 2 Meaningful Use until 2014. If finalized by CMS, such delay would be a welcome relief to those providers who qualified for Stage 1 Meaningful Use in 2011 (and therefore would have only a few months to commence Stage 2 Meaningful Use under the current rule).

Via Government Health IT:

The delay is among the stage 2 recommendations that the Health IT Policy Committee approved at its meeting June 8 by an overwhelming vote of 12 to 5.

The original 2013 timeframe does not give vendors enough time to design, develop, and test new functionality and providers to deploy it and report measures for one year, said Dr. Paul Tang, vice chair of the Health IT Policy Committee and chair of its meaningful use work group.

“The only group that would be affected is the early entrants who qualify for stage 1 in 2011 who get put into a bit of predicament in an unintended way,” he said. Tang is also chief medical information officer at the Palo Alto Medical Foundation.

As a result, stage 1 demonstration and attestation would continue through 2013; stage 2 would start in 2014 and stage 3 in 2015. With the revised timing, providers will still receive the same payments as originally planned. Instead of 2013, however, early entrants will have to wait to attest and receive payments for stage 2 in 2014.

You can find and download the Meaningful Use workgroup's recommendations by clicking here.

Tags: 2014, ARRA, Act, Articles, HHS, HIT, HITECH, HITECH Act, HITPC, Meaningful use, News, Stage, Stage 2, delay

Health IT Law Blog

www.healthitlawblog.com

Post & Schell, P.C.

Allentown

1245 South Cedar Crest Boulevard
Suite 300

Allentown, PA 18103

(610) 433-0193

(610) 433-3972

(fax)

Harrisburg

17 North Second Street
12th Floor

Harrisburg, PA 17101-1601

(717) 731-1970

(717) 731-1985

(fax)

Lancaster

1857 William Penn Way
P.O. Box 10248

Lancaster, PA 17605-0248

(717) 291-4532

(717) 291-1609

(fax)

Philadelphia

Four Penn Center
1600 John F. Kennedy Boulevard

Philadelphia, PA 19103-2808

(215) 587-1000

(215) 587-1444

(fax)

Pittsburgh

One Oxford Centre
301 Grant Street
Suite 4300

Pittsburgh, PA 15219

(412) 577-2972

(412) 577-2973

(fax)

Princeton

Overlook Center
100 Overlook Drive

Princeton, NJ 08540

(609) 924-3333

(609) 924-4144

(fax)

Washington, D.C.

Suite 600
607 14th Street NW

Washington, D.C. 20005-2006

(202) 347-1000

(202) 661-6970

(fax)

Healthcare IT Lawyer & Attorney of Post & Schell Law Firm, offering services related to HIT, health care systems, medical software, HIPAA compliance, EHR software licenses and electronic medical records systems (EMR).