Health IT Law Blog : Health IT Law Blog : Post & Schell: Law Firm : HIT & Electronic Health Records

As of February 22, 2010, HHS is expected to begin enforcing the new breach notification requirements created by the privacy and security provisions within the HITECH Act.  Although such requirements went into effect last fall, HHS gave covered entities and business associates a few months to adapt to the new rules.  That enforcement delay is now over, and, perhaps in a related move, on February 23, 2010, HHS's Office of Civil Rights, pursuant to the HITECH Act, posted a list of organizations which reported breaches of unsecured protected health information affecting 500 or more individuals on OCR's web site.  This should serve as a good reminder to providers and HIT vendors alike to be keenly aware of the new regulations on breach notification.

The HITECH Act required a covered entity that “accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information” to notify each individual “whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed” due to the breach.  Business associates who discover a breach must notify the covered entity. 

By regulation published in the Federal Register on August 24, 2009, HHS added a rather controversial  "harm threshold" to this requirement:  covered entities and business associates are required to notify the affected individual, the HHS, and, in some cases, the media, if such breach poses a significant risk of harm to the individual.  This "harm threshold" essentially requires the organization which discovers a breach to undergo a risk assessment test to determine whether a breach would cause "significant harm" to the affected person.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Here are the slides from  our February 25, 2010 Webinar on Meaningful Use.  This webinar was first in a series, and focused on the critical definition of "meaningful use" of "certified EHR technology," as described in proposed regulations released and published by CMS pursuant to the HITECH Act on January 13, 2009.  Steve and I discussed:

• Key policy goals and objectives behind meaningful use

• Measures required to achieve meaningful use

• Structure of incentive payments under Medicare and Medicaid

• Eligibility requirements for professionals and hospitals

Our next webinar, to be held on Thursday March 18, 2010, from 1:00 to 2:00 PM, will focus on how to negotiate software and EHR licensing agreements and other transactional issues with respect to dealing with health IT vendors.

For more information, please contact me at vschick@postschell.com or 202-661-6945.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Pursuant to the HITECH Act, on February 17, 2010, business associates of covered entities became subject to the HIPAA Privacy and Security Rules, including provisions regarding implementation of various safeguards to secure protected health information.  As Steve Fox pointed out in a recent report on the subject by the Pittsburgh Business Journal, it is highly unlikely that most companies are ready to comply with these dramatic changes.

However, according to Hunton & Williams's privacy blog, Adam Greene of the HHS Office of Civil Rights (OCR) stated at an ABA conference on February 18, 2010, that OCR will delay enforcement of this provision of the HITECH Act until the relevant regulations are finalized.  OCR itself did not publish a press release on the subject, and we were unable to reach Mr. Greene for comment.

Regardless of OCR's intent to enforce compliance, the business associate provisions in the HITECH Act went into effect last week.  We would strongly encourage all covered entities and business associates to take all necessary actions to comply with the new law.

"Privacy policies over electronic health records expand reach," Pittsburgh Business Journal (February 19, 2010).

"HHS Delays Enforcement of HITECH Act Business Associate Provisions," Privacy & Information Security Law Blog (February 19, 2010).

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On Thursday, February 25, 2010 from 1:00PM to 2:00PM (EST), Steve Fox and yours truly will host a free webinar, the first in a series, which will focus on the critical definition of "meaningful use" of "certified EHR technology," as described in proposed regulations released and published by CMS pursuant to the HITECH Act on January 13, 2009.  We will discuss:

• Key policy goals and objectives behind meaningful use

• Measures required to achieve meaningful use

• Structure of incentive payments under Medicare and Medicaid

• Eligibility requirements for professionals and hospitals

You may view each of these presentations at your desk. There is no charge or limit to the number of people who may listen to each presentation on the same line. Click here to register. After registering, you will receive log-in information by e-mail.

Our next webinar, to be held on Thursday March 18, 2010, from 1:00 to 2:00 PM, will focus on how to negotiate software and EHR licensing agreements and other transactional issues with respect to dealing with health IT vendors.

For more information, please contact me at vschick@postschell.com or 202-661-6945.

• Email This
• Print
• Comments (2)
• Trackbacks
• Share Link

Joy Pritts, a researcher and faculty member at Georgetown University's Health Policy Institute, was named as the first Chief Privacy Officer for the Office of National Coordinator for Health IT.  This position was created pursuant to a provision in ARRA, last year's economic stimulus legislation.

In her new position, Ms. Pritts will advise Dr. Blumenthal on forming policies on privacy, security and data stewardship of electronic health information, as well as coordinate similar efforts on state, federal and international levels.

Ms. Pritts is a graduate of Oberlin College and Case Western Reserve University School of Law.  She has testified before Congress on data privacy issues, and served as a member of Technical Advisory Panel for the multi-state Health Information Security and Privacy Collaborative (HISPC) and on the board of the National Governors Association’s State Alliance for e-Health.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

According to the Washington Post, more than 75,000 computer systems at over 2,500 companies across the world have been hacked in possibly the largest and extremely sophisticated cross-border cyber attack.  The perpetrators appear to be non-state entities operating out of Eastern Europe.  

They lured employees of targeted companies to open attachments containing malware or malicious software ("bots") which track down login and password information stored on those systems.  Experts believe that such login credentials -- which include online banking user information -- are valuable to such hackers.

The attack mostly affected businesses in the United States, Egypt, Mexico, Turkey and Saudi Arabia.  Wall Street Journal named Merck and Cardinal Health among the companies affected.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

According to American Medical News (AMN), a new report by Manhattan Research states that online communications by physicians have increased by 14% since 2006.  The survey of 1900 physicians found that 39% of physicians use online communication tools such as email, secure messaging, or instant messaging.

Dermatologists lead all other surveyed practices in the volume of online communications, which, according to Girish Munavalli, MD, assistant professor of dermatology at Johns Hopkins University School of Medicine, can be attributed to "a lot of triage calls and calls for clarification of instructions" which come from dermatologists' large patient volumes. "This is perfect for short e-mail communication and reminders," added Dr. Munavalli.

Dermatologists are followed by oncologists, neurologists, endocrinologists, infectious disease specialists, and primary care physicians.

Of course, certain obstacles remain.  Some doctors abstain from using such technology because of liability worries, while many patients prefer in-person meetings because of concerns regarding privacy of their health information.  Still, the report suggests that this increase may be due to the growing comfort level and acceptance of online communication between physicians and patients.  And it may even indicate a larger trend of greater familiarity and use of other health-related technologies, such as EMRs and personal health records.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

HHS Secretary Kathleen Sebelius, appearing with Labor Secretary Hilda Solis, announced the Obama administration will release almost $1 billion set aside in the stimulus bill in order to aid implementation of health information technology.

Secretary Sebelius announced $386 million in grants to advance widespread adoption of EHRs at the state level, including for health information exchanges (HIEs).  HHS also awarded $375 million to 32 nonprofits for Regional Extension Centers which assist providers in updating their medical record systems and train workers on such new technologies.

Secretary Solis announced around $225 million to support 55 job-training programs in 30 states which is expected to train around 15,000 people in the health records technology.

The Obama administration expects to help more than 100,000 health-care providers set up electronic medical records for their patients by 2014.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Following up on his letter to health IT companies last fall, Senator Chuck Grassley (R-IA) sent a letter to 31 hospitals in the United States to inquire about each hospital's experience with purchasing and implementing health information technology.  According to Healthcare IT News:

Grassley cites reports he’s heard about “difficulties and challenges associated with HIT implementation,” including “administrative complications,” “formatting and usability issues,” “computer errors stemming from the programs themselves,” and problems with “interoperability between programs.”

More specifically, he raises concerns that “when [providers] report such problems to their facilities and/or the product vendors, their concerns are sometimes ignored or dismissed.” Often, he writes, “this is attributed to alleged ‘gag orders’ or non-disclosure clauses in the HIT contract that prohibit health care providers and their facilities from sharing information outside of their facilities regarding product defects and other HIT product-related concerns."

You can find more about Sen. Grassley's letter to hospitals in his office's press release, which includes the full text of the letter.

• Email This
• Print
• Comments
• Trackbacks
• Share Link