Final breach notification rules delayed

On August 19, 2009, pursuant to the HITECH Act, the Department of Health and Human Services (HHS) published the interim final regulations regarding breach notification requirements for health care providers and other entities covered by HIPAA. The rule became effective on September 23, 2009. 

During the 60-day public comment period, HHS received 120 comments, after which HHS developed a final rule and submitted it to the Office of Management and Budget (OMB) for regulatory review on May 14, 2010.  However, on July 27, 2010, HHS issued a statement that it was withdrawing the final rule from OMB:

HHS is withdrawing the breach notification final rule from OMB review to allow for further consideration, given the Department’s experience to date in administering the regulations. This is a complex issue and the Administration is committed to ensuring that individuals’ health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur. We intend to publish a final rule in the Federal Register in the coming months.

HHS's withdrawal remains a bit of a mystery.  However, Post & Schell's Ed Shay has a couple of thoughts, which you can read after the jump.


Rite Aid settles FTC and OCR privacy charges

The Rite Aid Corporation, the third largest pharmacy chain in the United States, reached a major settlement with both the Federal Trade Commission (FTC) and HHS's Office for Civil Rights (OCR) regarding charges that Rite Aid violated federal privacy and security laws and regulations by failing to keep its customers' and employees' data safe.

Rite Aid employees were reported to have discarded prescriptions and pill bottles containing sensitive patient data into dumpsters behind various Rite Aid pharmacies, where they were easily accessible to the public.  Such practices violate the HIPAA Privacy Rule, which requires covered entities to safeguard the privacy of patient information, even when that information is being destroyed.  Rite Aid's actions may also have violated the company's own promises to its customers to keep their health information private and secure (this broken promise being the basis for the FTC's charges).


Enrollment standards recommendations released

We dedicate much of our time to the implications of, and regulations stemming from, the American Recovery and Reinvestment Act of 2009 (ARRA).  However, this year's historic health reform legislation ("Affordable Care Act" or "ACA") also contains a number of significant provisions affecting the health IT industry.  (We discussed the ACA's health IT provisions in a recent guide to the health reform legislation crafted by the American Health Lawyers Association, which you can find here.)

In particular, Section 1561 of the Affordable Care Act tasks the HIT Policy and Standards Committees (established last year pursuant to ARRA) to develop a set of standards which would facilitate enrollment in federal and state health and human services programs, including drafting "standards for electronic matching across state and federal data; retrieval and submission of electronic documentation for verification; reuse of eligibility information; capability for individuals to maintain eligibility information online; and notification of eligibility."

On July 19, 2010, the Enrollment workgroup of these advisory committees issued its recommendations with respect to minimum enrollment standards.  The recommendations will be the subject of a rule the agency must issue by September 30, 2010.  The workgroup's recommendations include the use of web-based services, easing enrollment procedures for patients, and creating "business rules" (sets of policies and procedures aimed at promoting "the use of standard data elements and verification and help to deal with ambiguity of information and differences in data so program officers can make decisions about eligibility").

You can learn more about the Enrollment workgroup's recommendations via Healthcare IT News or, in greater detail, via ONC's web site.

"Health IT panel offers first enrollment standards details," Healthcare IT News (July 20, 2010).

CMS issues final rules on Meaningful Use

On July 13, 2010, CMS issued the final rule defining "meaningful use" and establishing the parameters and requirements for eligible professionals, hospitals and other providers to receive incentive payments provided under the HITECH Act for widespread adoption of electronic health records.  According to CMS, the key changes included in the final rule (from the meaningful use NPRM published in the Federal Register on January 13, 2010) include:

  • Greater flexibility with respect to eligible professionals and hospitals in meeting and reporting certain objectives for demonstrating meaningful use. The final rule divides the objectives into a “core” group of required objectives and a “menu set” of procedures from which providers may choose any five to defer in 2011-2012. This gives providers latitude to pick their own path toward full EHR implementation and meaningful use.
  • An objective of providing condition-specific patient education resources for both EPs and eligible hospitals and the objective of recording advance directives for eligible hospitals, in line with recommendations from the Health Information Technology Policy Committee.
  • A definition of a hospital-based EP as one who performs substantially all of his or her services in an inpatient hospital setting or emergency room only, which conforms to the Continuing Extension Act of 2010.
  • CAHs within the definition of acute care hospital for the purpose of incentive program eligibility under Medicaid.

You can view the PDF of the final rule on Meaningful Use by clicking here.

You can learn more about it from the HHS press release by clicking here.  Also, the New England Journal of Medicine published an excellent summary by Dr. Blumenthal of the changes included in the final rule; you can find this article by clicking here.


HHS issues NPRM on HIPAA Privacy, Security and Enforcement Rules

On July 7, 2010, HHS issued a notice of proposed rulemaking (NPRM) regarding changes to the HIPAA Privacy, Security and Enforcement Rules, as provided for in the HITECH Act, in order "to strengthen the privacy and security protections for health information and to improve the workability and effectiveness of the HIPAA Rules."  Via the HHS press release:

The proposed modifications to the HIPAA Rules include provisions extending the applicability of certain of the Privacy and Security Rules’ requirements to the business associates of covered entities, establishing new limitations on the use and disclosure of protected health information for marketing and fundraising purposes, prohibiting the sale of protected health information, and expanding individuals’ rights to access their information and to obtain restrictions on certain disclosures of protected health information to health plans. In addition, the proposed rule adopts provisions designed to strengthen and expand HIPAA’s enforcement provisions.

You can view the NPRM by clicking here.

"Notice of Proposed Rulemaking to Implement HITECH Act Modifications," HHS Press Release (July 7, 2010).

HealthNet and Connecticut settle breach suit

In November 2009, health insurance provider HealthNet reported the loss of a portable disk drive (a loss which had occurred six months prior to HealthNet's report). The disk drive contained compressed, though not encrypted, data, including Social Security and bank account information, on nearly half a million persons.  This loss outraged Connecticut Attorney General Richard Blumenthal, eventually leading Connecticut to file suit against the insurer for HIPAA violations and for noncompliance with HealthNet's own security policies, in that it had failed to encrypt the sensitive data.

However, on July 6, 2010, Blumenthal (who is currently running to replace Chris Dodd (D-CT) in the U.S. Senate) announced that Connecticut had reached a settlement with HealthNet and its parent companies over this breach.  According to Blumenthal, this is the very first time a state Attorney General has reached such a settlement for a HIPAA violation. The settlement included:

  • a $250,000 fine to be paid to Connecticut;
  • a $500,000 contingency fund, to be paid to the state in the event it is determined that someone accessed the protected data on the lost disk; and
  • a "corrective action plan" aimed at enhancing the security of protected data in the possession of HealthNet and its parent companies.

It is important to keep in mind that the penalties could have been even higher. Yet regardless of the amount of the fine, this breach cost HealthNet far more than $250,000.  The costs associated with investigations, breach notification, and possible legal fees almost certainly exceeded the amount of the fine imposed by Connecticut.  Thus, HealthNet's example should serve as a strong reminder of the importance of doing everything possible to avoid a breach, and of knowing how to handle a breach effectively if one does occur.

"Blumenthal wins $250,000 in Health Net settlement," TheDay.com (July 6, 2010).

Major breach at a New York hospital affects over 130,000 patients

Lincoln Medical and Mental Health Center (LMMHC) in New York suffered a major breach affecting 130,495 of its patients, according to a notice provided to HHS.  The breach occurred when the hospital's contractor, Siemens Medical Solutions USA, shipped seven password-protected, but not encrypted, CDs containing patient information via FedEx, and the CDs were subsequently lost in transit.  Via Bloomberg Business Week:

The CDs were sent by the hospital's billing processor, Siemens Medical Solutions USA, around March 16, but never arrived at their intended destination. They included sensitive health and personal information including Social Security numbers, addresses, dates of birth, health plan numbers, driver's license numbers and even descriptions of medical procedures, the hospital said on a note posted to its Web site.

<...> Siemens is no longer FedExing CDs to Lincoln, the hospital said. It is not aware of any of the data being improperly accessed.

LMMHC's breach should serve as a reminder for all healthcare providers currently negotiating health IT contracts to include proper protections in the event a vendor causes a breach or loss of protected data.  This is particularly crucial in the post-HITECH Act era.

We always include specific privacy-law compliance warranties, indemnification clauses, and limitation-of-liability carve-outs for a vendor's own negligent acts or omissions that result in a data breach or loss.  LMMHC's example clearly illustrates that providers must insist on such protections -- often over strenuous objections from vendors -- because otherwise providers may be exposed to a wide range of expenses and damages from third-party claims, fines, investigations, and breach notification associated with a data breach or loss resulting from a vendor's actions.

For more information, please listen to or view the slides from our Webinar on negotiating "must-have" provisions in HIT contracts.

"New York hospital loses data on 130,000 via FedEx," Bloomberg Business Week (June 29, 2010).

CMS plans to integrate quality reporting programs under Medicare and HITECH Act

As required by the Patient Protection and Affordable Care Act (PPACA), the Centers for Medicare and Medicaid Services (CMS) announced this week that it plans to integrate the quality reporting requirements for physicians' Medicare payments with the reporting requirements for healthcare providers who achieve meaningful use under the HITECH Act.  Via Healthcare IT News:

Under the Physician Quality Reporting Initiative (PQRI), physicians who participate in Medicare can receive incentives for reporting various quality measures, a select number of which are aimed at those who want to report using EHRs.

Providers who become meaningful users of EHRs, as laid down by the American Recovery and Reinvestment Act (ARRA), will also be eligible for incentive payments. A final rule on that is expected soon.

CMS has requested public comment on how it should integrate the two programs, included within a proposed rule about changes in Medicare physician payments for 2011. CMS expects to publish the proposed rule July 13.

"In an effort to align PQRI with the EHR incentive program, we propose to include many ARRA core clinical quality measures in the PQRI program, to demonstrate meaningful use of EHR and quality of care furnished to individuals," the proposed rule says.

Meaningful use measures that physicians could use for PQRI reporting through electronic health records include such things as blood pressure measurement for hypertension, body mass index screening and prevention care follow up, and drugs to be avoided in the elderly, according to CMS.

You can find a copy of the proposed rule here.

"CMS to align two quality reporting programs," Healthcare IT News (June 29, 2010).