ARRA : Health IT Law Blog

HHS extends Stage 2 Meaningful Use deadline to 2014

Posted on November 30, 2011 by Steve Fox and Vadim Schick

HHS announced today that the government intends to make it easier for healthcare providers to adopt electronic health records (EHRs). As part of this initiative, HHS decided to extend the deadline for meeting Stage 2 of Meaningful Use until 2014. Via HHS press release:

Under the current requirements, eligible doctors and hospitals that begin participating in the Medicare EHR (electronic health record) Incentive Programs this year would have to meet new standards for the program in 2013. If they did not participate in the program until 2012, they could wait to meet these new standards until 2014 and still be eligible for the same incentive payment. To encourage faster adoption, the Secretary announced that HHS intends to allow doctors and hospitals to adopt health IT this year, without meeting the new standards until 2014.

HHS also trumpeted the results of a CDC survey which found that more than half of U.S. physicians plan to take advantage of the EHR incentive program, and that the rate of EHR adoption doubled between 2008 and 2011, from 17% to 34% among physicians.

Of course, HHS did not comment on how low those numbers are. The fact remains that about two-thirds of U.S. physicians have not adopted electronic health records, and continue to use, in Secretary's words, the same technology as Hippocrates. The Obama administration is relying heavily on Regional Extension Centers and training efforts in order to aid healthcare enterprises in adopting EHRs.

We will update this post with links to any relevant regulations if and/or when HHS publishes them in the Federal Register.

"We Can't Wait: Obama Administration takes new steps to encourage doctors and hospitals to use health information technology to lower costs, improve quality, create jobs," HHS press release (November 30, 2011).

Tags: 2, 2014, ARRA, Articles, HHS, HITECH, HITECH Act, Medicare, News, Stage, incentive, meaingful use, payments

HHS awards over $650 million in EHR incentive payments

Posted on September 26, 2011 by Steve Fox and Vadim Schick

HHS released the first numbers regarding its Meaningful Use incentives program, established by the HITECH Act of 2009. Unsurprisingly, most eligible professionals and hospitals receiving funds this year qualified for incentive payments under Medicaid, rather than Medicare, because Medicare has a higher threshold for receiving such payments. Medicare requires the eligible professional or hospital to achieve and demonstrate meaningful use, while Medicaid mandates only adoption, implementation or upgrade of existing systems.

Nevertheless, the extent of the disparity was somewhat surprising: only about 6% of eligible hospitals and 3% of eligible professionals qualified for meaningful use incentives under Medicare. Via Modern Healthcare:

So far, Medicaid program payments for hospitals, physicians and other eligible professionals that have adopted, implemented or upgraded to a certified EHR system have totaled $389 million. Only $264 million has been paid under the Medicare program, which has a higher eligibility threshold, requiring providers to demonstrate that they are meaningfully using their certified EHR system.

Tags: ARRA, Articles, CMS, EHR, EHR Incentive Program, HHS, HITECH Act, Medicaid, Medicare, Medicare incentives, News, incentive, meaingful use

iPad EHR app certified for meaningful use

Posted on August 1, 2011 by Steve Fox and Vadim Schick

In a sure sign of the times, Drchrono, which offers a free electronic health record platform on the iPad, became the first iPad app to receive official ONC-ACTB certification. According to Healthcare IT News, "the drchrono EHR platform has been awarded ambulatory certification (ONC-ATCB) as a Complete EHR by San Luis Obispo, Calif.-based InfoGard, an Office of the National Coordinator (ONC) Authorized Testing and Certification Body (ATCB)". The app tracks a provider's use of the EHR and offers them key metrics to report to CMS, and includes many other features, such as billing and e-prescribing.

This is a huge step for a mobile EHR app, but its maker's regulatory hurdles may not be over. Last week, we reported on the FDA potentially regulating the market of mobile healthcare devices and applications. Electronic and personal health records could be exempt from such regulation, unless the FDA adopts a broad definition of "clinical decision support," which includes decisions based on the information given to a provider via the EHR app or device.

Moreover, use of such mobile apps or devices in healthcare presents providers with a very long list of legal concerns. Privacy and security of patient data, compliance with state and federal laws (including Stark and anti-kickback statutes), assumption of risk and liability, along with many other critical issues, should be addressed in the contract between the healthcare provider and vendor of such software.

Tags: ARRA, Articles, EHR, FDA, HITECH Act, News, ONC-ATCB, Privacy & Security, app, certification, certified, device, drchrono, iPad, mobile

HHS advisory panel recommends delaying Stage 2 Meaningful Use until 2014

Posted on June 10, 2011 by Steve Fox and Vadim Schick

The HIT Policy Committee, which advises the Office of the National Coordinator for Health IT in the Department of Health and Human Services, voted 12-5 to approve a significant delay in requiring providers to meet Stage 2 Meaningful Use until 2014. If finalized by CMS, such delay would be a welcome relief to those providers who qualified for Stage 1 Meaningful Use in 2011 (and therefore would have only a few months to commence Stage 2 Meaningful Use under the current rule).

Via Government Health IT:

The delay is among the stage 2 recommendations that the Health IT Policy Committee approved at its meeting June 8 by an overwhelming vote of 12 to 5.

The original 2013 timeframe does not give vendors enough time to design, develop, and test new functionality and providers to deploy it and report measures for one year, said Dr. Paul Tang, vice chair of the Health IT Policy Committee and chair of its meaningful use work group.

“The only group that would be affected is the early entrants who qualify for stage 1 in 2011 who get put into a bit of predicament in an unintended way,” he said. Tang is also chief medical information officer at the Palo Alto Medical Foundation.

As a result, stage 1 demonstration and attestation would continue through 2013; stage 2 would start in 2014 and stage 3 in 2015. With the revised timing, providers will still receive the same payments as originally planned. Instead of 2013, however, early entrants will have to wait to attest and receive payments for stage 2 in 2014.

You can find and download the Meaningful Use workgroup's recommendations by clicking here.

Tags: 2014, ARRA, Act, Articles, HHS, HIT, HITECH, HITECH Act, HITPC, Meaningful use, News, Stage, Stage 2, delay

HHS issues proposed rule on accounting of PHI disclosures

Posted on June 1, 2011 by Steve Fox and Vadim Schick

On May 31, 2011, HHS released the proposed rule on accounting for dislosures of protected health information (PHI), which modified the HIPAA Privacy Rule pursuant to the HITECH Act. This proposed rule would give individuals the right to get a report on who has electronically accessed their PHI. Via HHS press release:

'This proposed rule represents an important step in our continued efforts to promote accountability across the health care system, ensuring that providers properly safeguard private health information,' said OCR Director Georgina Verdugo. 'We need to protect peoples’ rights so that they know how their health information has been used or disclosed.'

People would obtain this information by requesting an access report, which would document the particular persons who electronically accessed and viewed their protected health information. Although covered entities are currently required by the HIPAA Security Rule to track access to electronic protected health information, they are not required to share this information with people.

The proposed rule requires an accounting of more detailed information for certain disclosures that are most likely to affect a person’s rights or interests. The proposed changes to the accounting requirements provide information of value to individuals while placing a reasonable burden on covered entities and business associates.

You can view and download the proposed rule by clicking here.

Tags: ARRA, Accounting, Articles, HIPAA, HIPAA Privacy Rule, HITECH Act, NPRM, News, Privacy & Security, disclosures, proposed rule

Audit criticizes OCR and ONC over data privacy efforts

Posted on May 19, 2011 by Steve Fox and Vadim Schick

HHS's own Office of Inspector General (OIG) issued a scathing report regarding pervasive breaches in privacy and security of patient data. OIG specifically called out the Office of Civil Rights (OCR), charged with enforcement of HIPAA Privacy and Security Rules, for failing to investigate and punish the vast majority of violators.

The audit tested seven hospitals' compliance with HIPAA in seven different states, and found 151 vulnerabilities in the systems and controls intended to cover e-PHI, 124 of which were categorized as "high-impact" (i.e., ones which may result in costly losses, injury or death.) Violations included unencrypted wireless connections, easy passwords, and even a taped-over door lock on a room used for data storage. Via Modern Healthcare:

The audits of the seven hospitals revealed weaknesses in hospital IT defenses of electronic protected health information, or ePHI, ranging from the fact that several hospitals still were using obsolete and vulnerable encryption protocols to the fact that all seven had vulnerable access controls in which “Outsiders or employees at some hospitals could have accessed, and in one hospital did access, systems and beneficiaries' personal data and performed unauthorized acts without the hospitals' knowledge.”

“These vulnerabilities placed the confidentiality, integrity and availability of ePHI at risk,” the auditors said. The individual hospital audit reports were not disclosed “because the reports contained restricted, sensitive information that may be exempt from release under the Freedom of Information Act,” according to the report.

Tags: ARRA, Articles, HHS, HIPAA, News, OCR, OIG, ONC, Privacy & Security, Rule, audit, privacy, security

Updates to privacy and security regulations expected soon

Posted on May 16, 2011 by Steve Fox and Vadim Schick

According to Healthcareinfosecurity.com, the Office of Civil Rights (OCR) is still working on the final rule regarding the updates to HIPAA and the related HIPAA Privacy and Security Rules mandated by the HITECH Act. Susan McAndrew, deputy director for health information privacy at OCR, stated at a conference in Washington, DC, that such changes will be contained in one omnibus regulation and is expected to be published in a matter of months, if not weeks.

Such omnibus regulation will cover:

HITECH Act-mandated modifications to the HIPAA privacy, security and enforcement rules. These changes, for example, formalize higher penalties for HIPAA violations and make it clear that business associates must comply with HIPAA. Last December, HHS had indicated in its semi-annual regulatory agenda that the final HIPAA modifications, many of which were issued in preliminary form last year, would be completed by March.

The breach notification rule. An interim final version is already in effect. OCR yanked a proposed final version of the rule last year for further consideration. Some observers speculated that the office may be reconsidering the controversial "harm standard" in the interim final version of the rule, which enables organizations to conduct a risk assessment to determine whether a security incident represents a significant risk of harm and thus merits reporting.

Privacy provisions under the Genetic Information Nondiscrimination Act. These provisions will formalize that using genetic information for insurance underwriting purposes is a privacy violation as well as a non-discrimination violation, McAndrew said.

Tags: ARRA, Articles, HHS, HIPAA, HIPAA Privacy Rule, HITECH, HITECH Act, News, OCR, Privacy & Security, Privacy and Security, Security Rule

Medicare EHR incentives attestation to begin on April 18, 2011

Posted on March 29, 2011 by Steve Fox and Vadim Schick

CMS announced that the online Attestation System for the Medicare EHR Incentive Program will launch on April 18, 2011. Eligible professionals and eligible hospitals will be able to use this online portal to self-attest to meeting the Meaningful Use criteria.

CMS also released a preview of the Attestation System. This preview includes attestation screenshots and is intended to give examples of what the attestation process will look like. CMS promised to release additional information about the attestation process soon, including "User Guides" that will give step-by-step instructions for completing attestation, along with educational webinars that describe the attestation process in depth.

Finally, CMS noted that providers will follow a similar process using their state's Attestation System. Such providers may find their state's scheduled launch dates of their Medicaid EHR Incentive Program by clicking here.

You can download the preview by clicking here.

For more information, please visit CMS's EHR Incentive Program web site.

Tags: ARRA, Articles, Attestation System, CMS, EHR, EHR Incentive, HITECH Act, Medicaid, Medicare, News, ONC, attestation, meaingful use, preview, program

Blumenthal to leave ONC this spring

Posted on February 4, 2011 by Steve Fox and Vadim Schick

Dr. David Blumenthal, the head of the Office of the National Coordinator for Health IT (ONC), announced yesterday in a letter to his staff that he's leaving the ONC and returning to his position at Harvard University.

According to Dr. Blumenthal, the move was "planned" and is expected to take place this spring. Here is a copy of his letter, via Healthcare IT News:

ONC Staff:

As you know, I have told Secretary Sebelius that I will be returning to my academic home this spring, as was planned when I accepted the position of National Coordinator for Health Information Technology. While we still have important work to do together, including the assurance of a productive transition for ONC, now is the time for me to express my deep gratitude to all of my ONC colleagues, and my admiration for all you have accomplished.

We have been privileged to be at the center of a great new enterprise at an historic moment in our health care system. For years America’s health policy leaders have understood that information technology offered the opportunity for transformational improvement of the Nation’s health care system and the health of individual Americans. Yet the obstacles are formidable: our fractured health care system, our dysfunctional payment methods, the lack of an infrastructure for exchanging health information, and more.

Tags: ARRA, Articles, Blumenthal, HITECH Act, News, ONC, office of national coordinator

GOP bill proposes repeal of HITECH Act

Posted on January 28, 2011 by Steve Fox and Vadim Schick

Via Healthcare IT News:

The Spending Reduction Act of 2011 (H.R. 408), introduced on January 24 by Rep. Jim Jordan (R-Ohio), seeks to reduce federal spending by $2.5 trillion over the coming decade. As it does so, it singles out many federal programs for elimination.

Section 302 of the bill, titled "REPEAL OF CERTAIN STIMULUS PROVISIONS," states that "effective on the date of the enactment of this Act, subtitles B and C of title II and titles III through VII of division B of the American Recovery and Reinvestment Act of 2009 (Public Law 111-5) are repealed, and the provisions of law amended or repealed by such provisions of division B are restored or revived as if such provisions of division B had not been enacted."

Since the Medicare and Medicaid EHR Incentive Programs set up under the ARRA/HITECH Act of 2009 fall under division B, it would appear that the $27 billion earmarked for disbursement to healthcare providers to spurring EHR adoption would fall on the chopping block were the bill to ever pass.

For good measure, Jordan's Republican Study Committee also decrees that the enacted legislation would "further prohibit any FY 2011 funding from being used to carry out any provision of the Democrat government takeover of health care, or to defend the health care law against any lawsuit challenging any provision of the act.

Tags: ARRA, Articles, Congress, EHR Incentive Program, HIMSS, HITECH, HITECH Act, Incentives, Jordan, Meaningful use, News, Spending Reduction Act of 2011

Registration for CMS EHR Incentive program is now open

Posted on January 11, 2011 by Steve Fox and Vadim Schick

Center for Medicare and Medicaid Services (CMS) opened the registration process for eligible hospitals and professionals hoping to capitalize on the incentive payments provided under the HITECH Act. Each such hospital or professional needs to register with CMS in order to receive such payments, and CMS encourages all eligible healthcare providers to register as soon as possible.

You can find the EHR Incentives Program registration page by clicking here.

According to Government Health IT, over 4,000 providers have already registered with CMS. Several states have also launched registrations for their Medicaid incentive programs. Moreover, hospitals in Oklahoma and Kentucky have already begun receiving incentive payments:

Kentucky processed payment to the University of Kentucky Healthcare, the university’s teaching hospital, for $2.86 million. The first payment amounts to one- third of the hospital’s overall expected amount for participating in the program, according to CMS. Oklahoma issued payments to two physicians at the Gastorf Family Clinic of Durant, Okla., for $21,250 each for having adopted certified EHRs.

Besides Kentucky and Oklahoma, registration is available for the Medicaid EHR incentive program in Alaska, Iowa, Louisiana, Michigan, Mississippi, North Carolina, South Carolina, Tennessee and Texas.

In February, registration will open in California, Missouri, and North Dakota. Other states will likely launch their Medicaid EHR incentive programs during the spring and summer of 2011.

You can learn more about registration for Medicare incentives for eligible professionals by clicking here; and for Medicaid incentives for eligible professionals by clicking here. A similar CMS guide for both Medicare and Medicaid incentives for eligible hospitals can be found here.

Tags: ARRA, Articles, CMS, EHR, EHR Incentive Program, HITECH Act, Meaningful use, Medicaid, Medicaid incentives, Medicare, Medicare incentives, News, eligible hospital, eligible professional, incentive payment, registration

New York State plans country's largest health information network

Posted on December 15, 2010 by Steve Fox and Vadim Schick

Via Democrat and Chronicle (Rochester):

The New York state Department of Health and a public-private partnership called New York eHealth Collaborative, or NYeC (pronounced "nice"), recently announced plans to spend $129 million in state and federal money to create a statewide network for electronic medical records, to be complete in 2014. Like the highways, they envision the network as a public utility that will allow medical providers anywhere in the state to view — with your permission — a list of your medications, any allergies and any recent X-rays or other tests that could help guide your care. The e-records network would be the largest in the country, dwarfing networks of other states and the Veterans Administration.

The planned statewide network, called Statewide Health Information Network for New York or SHIN-NY, is intended to serve more than 200 hospitals, thousands of medical practitioners and up to 20 million patients a year.

You can read more about NYeC here.

Tags: ARRA, Articles, EHR, HIE, HITECH Act, NYeC, New, News, PHR, Privacy & Security, RHIO, York, health information network

White House Panel Issues Report on Health IT

Posted on December 10, 2010 by Steve Fox and Vadim Schick

On December 8, 2010, President's Council of Advisors on Science and Technology (PCAST) issued its report on the importance of widespread adoption and use of health IT to improve healthcare delivery and reduce costs. The report concluded that:

information technology can help catalyze a number of important benefits including improved access to patient data, which can help clinicians as they diagnose and treat patients and patients themselves as they strive to take more control over their health; streamlined monitoring of public health patterns and trends; an enhanced ability to conduct clinical trials of new diagnostic methods and treatments; and the creation of new hightechnology markets and jobs. Health information technology can also help support a range of healthcare related economic reforms needed to address our Nation’s longterm fiscal challenges.

PCAST also recommended "nationwide adoption of a universal exchange language for healthcare information and a digital infrastructure for locating patient records while strictly ensuring patient privacy," and tasked CMS and ONC with developing guidelines "to spur adoption of such a language and to facilitate a transition from traditional electronic health records to the use of healthcare data tagged with privacy and security specifications."

You can view PCAST's press release here.

You can view PCAST report here.

Tags: ARRA, Articles, HITECH Act, IT, News, PCAST, exchange, health, health IT, HIT, universal, , language", universal

GAO report: EHRs can improve patient care

Posted on November 30, 2010 by Steve Fox and Vadim Schick

The U.S. Government Accountability Office (GAO) released its report on integrated delivery systems (IDSs) in healthcare. The report found that electronic health record systems (EHRs) are able to improve patient care among such IDSs.

Via GAO:

Some IDSs said that using EHRs supports their patient care strategies such as care coordination, disease management, and use of care protocols by increasing the availability of individual patient and patient population data and by improving communication among providers.

All 15 IDSs which took part in this study have implemented EHR systems. Mayo Clinic, one of the participants, reported that "the EHR helps avoid overutilization and duplication of services." Several other IDSs reported significant savings because of EHR use, including Marshfield Clinic in Wisconsin, which reported that its e-prescribing feature reduced "errors related to illegible handwriting and unintentional drug interactions." In addition, Marshfield's EHR requires physicians to consider appropriate "preferred alternatives" for prescription drugs, saving payers and patients $2.5 million in 1 year.

You can find the full report here.

"Health Care Delivery: Features of Integrated Systems Support Patient Care Strategies and Access to Care, but Systems Face Challenges," U.S. Government Accountability Office, GAO-11-49 November 16, 2010.

Tags: ARRA, Articles, CPOE, EHR, EHRs, GAO, HITECH Act, IDS, News, care coordination, e-prescribing, improve care, improve patient care, patient communications, savings

Study: Data Breaches Cost U.S. Hospitals Billions

Posted on November 10, 2010 by Steve Fox and Vadim Schick

A new study by the Ponemon Institute concluded that data breaches cause enormous losses for U.S. hospitals: on average, over a two-year period, each hospital will incur about $2 million in losses due to data breaches, which results in $12 billion cumulative loss for all U.S. hospitals.

The study also found that:

Most healthcare organizations experience undetected breaches of patient data due to lack of preparation and staffing. 71% of healthcare organizations reported having inadequate resources, 52% reported having appropriately trained personnel, and 69% reported having insufficient policies and procedures in place to prevent and quickly detect patient data loss; thus leaving such organizations with little or no confidence in their ability to appropriately secure patient records.

Protecting patient data is not a priority for 70% of hospitals, with 67% reporting having less than 2 staffers dedicated to privacy and security issues.

71% do not believe the new federal regulations pursuant to the HITECH Act have significantly changed the management practices of patient records.

Tags: ARRA, Articles, HITECH, HITECH Act, News, Privacy & Security, data breach, data loss, privacy, security, training, training staff

U.S. healthcare providers hesitant about "offshoring" EHRs to India

Posted on November 3, 2010 by Steve Fox and Vadim Schick

Will American healthcare providers, like major companies in other sectors of the economy, outsource their electronic medical records systems and maintenance offshore, especially to an established tech industry in India? According to the Wall Street Journal, Indian technology vendors face a significant amount of skepticism regarding outsourcing health IT to India.

While major tech companies routinely utilize data centers, service desk and other products and services in India, healthcare providers are not used to such outsourcing arrangements. Indian IT companies like HCL, InfoSys, and Wipro are trying to tap into the booming health IT market in the United States. However, they face a number of important challenges, including concerns over privacy, security and integrity of protected data, breadth of experience in the industry,and ease of implementation of such systems. One prominent CIO described this challenge succinctly in the Journal:

Designing and installing new medical systems 'is hard to do off site, let alone offshore,' says Darren Dworkin, chief information officer of Cedars-Sinai Medical Center in Los Angeles. Cedars-Sinai is close to finishing a four-year, $100-million project to install an electronic medical-records system. Mr. Dworkin says that 80% to 90% of the work isn't the sort of commodity coding that is easily outsourced, instead requiring an intimate knowledge of the hospital's terminology and how its doctors and nurses work.

You can read the full article by clicking here.

"Qualms Arise Over Outsourcing Of Electronic Medical Records," Wall Street Journal (November 2, 2010).

Tags: ARRA, Articles, EHR, EMR, News, Privacy & Security, electronic health records, offshore, offshoring, outsource, outsourcing

Our column in Government Health IT on RECs and HIT contracts

Posted on October 29, 2010 by Steve Fox and Vadim Schick

Government Health IT published a column by Steve Fox and yours truly on the critical role Regional Extension Centers (RECs) can and should play in distributing best practices regarding contracting for health IT systems, including EHRs. Via Government Health IT:

RECs have the potential to serve as a valuable resource, especially for remote and underserved paper-based primary practices. However, RECs could be doing a disservice to physicians by failing to advise or provide them with essential EMR contract negotiation skills.

With HITECH Act incentives expiring in just a few years, healthcare providers will likely get only one chance to qualify for the full amount of the incentive payments. Thus, successful implementation and operation of an EMR system by the selected health IT vendor becomes critical to each healthcare organization trying to achieve “meaningful use” and take advantage of the incentive program.

In this environment, strong and effective contracts between healthcare providers and health IT vendors is especially significant, because such agreements can provide adequate protections, safeguards and other rights for the provider-customer, in the event a vendor defaults or otherwise fails to perform to the provider’s satisfaction.

You can read the full column by clicking here.

Tags: ARRA, Articles, EHR, Government Health IT, HIT, HITECH, HITECH Act, Meaningful use, News, Privacy & Security, REC, Regional Extension center, agreement, best practices, contract, incentive, negotiating

WSJ: Major consolidation among HIT vendors likely

Posted on October 28, 2010 by Steve Fox and Vadim Schick

The HITECH Act added over $27 billion to an industry whose publicly trading companies' market cap is below that, around $25 billion. Such dramatic expansion of the industry will likely lead to significant consolidation among HIT vendors. We have already seen a merger between Eclypsis and Allscripts this summer (which became final last month); and now Cerner, another leading HIT vendor, entered into a partnership with MedAssets, Inc., a company that has specialized Internet-based financial improvement systems. Via the Journal:

As that funding makes its way to health-care IT companies, it's likely to necessitate a lot more consolidation in an industry that's currently very fragmented. For instance, hospitals are not only looking to reduce the
number of different IT systems they use in-house, they also want more seamless ways of connecting to doctors' offices and insurers.

"We're at the beginning of the single fastest transformation of any industry in U.S. history," said Glen Tullman, chief executive of the health-care IT company Allscripts Healthcare Solutions Inc. (MDRX). <...> Tullman said he expects a lot more deals to come in the industry. He said that some of that consolidation will likely take place among the companies that provide IT systems to hospitals, a list that
includes Allscripts, privately held Epic Systems Corp., General Electric Co. (GE), Cerner, Germany-based Siemens AG (SI), McKesson Corp. (MCK) and privately held Medical Information Technology Inc., commonly known as Meditech. Tullman declined to comment on what companies he expects to make deals.

You can read more at the Wall Street Journal web site here.

"Health-Care IT Sector Shaking Up As Medical World Goes Digital," Wall Street Journal (October 15, 2010).

Tags: ARRA, Allscripts, Articles, Cerner, Eclypsis, GE, HIT, HITECH Act, IT, McKesson, Meditech, News, consolidation, health, healthcare, merger, vendor

CCHIT certifies 19 complete EHRs and 14 EHR modules

Posted on October 4, 2010 by Steve Fox and Vadim Schick

On October 1, 2010, CCHIT announced certifications of 19 "complete" EHR products, including, for example, Epic products for both hospitals and eligible professionals, and Allscripts and GE Centricity products for eligible professionals.

CCHIT also certified 14 "module" EHR products, from vendors which applied for certification of their products as complete EHRs "but testing could not be completed on a small number of criteria (such as electronic prescribing) because planned updates to the test procedures by NIST were not available at the time of testing." Such "EHR Module" certified products may seek certification as a complete EHRs in the near future. Via Healthcare IT News:

The Certification Commission for Health Information Technology announced Oct. 1 that it has tested and certified 33 Electronic Health Record products under the ONC-ATCB program.

CCHIT is one of three Approved Testing and Certification Bodies, designated by the Office of the National Coordinator (ONC). The other two are the Drummond Group and InfoGard Laboratories, Inc.

The ATCBs certify that the EHRs are capable of meeting the 2011/2012 criteria supporting Stage 1 meaningful use. Certification is required to qualify eligible providers and hospitals for funding under the American Recovery and Reinvestment Act (ARRA).

The CCHIT certifications include 19 Complete EHRs, which meet all of the 2011/2012 criteria for either eligible provider or hospital technology, and 14 EHR Modules, which meet one or more – but not all – of the criteria.

"CCHIT announces 33 certifications," Healthcare IT News (October 1, 2010).

Tags: 1, ARRA, Articles, CCHIT, HITECH Act, Meaningful use, News, ONC, ONC-ATCBs, Stage, certification

Free Webinar: HIPAA Privacy & Security Rules Update

Posted on September 20, 2010 by Steve Fox and Vadim Schick

On Thursday, October 7, 2010, from 1:00PM to 2:00PM, Post & Schell, in collaboration with Kroll Fraud Solutions, will present a free webinar examining the crucial changes and updates to the HIPAA Privacy and Security Rules included in the Notice of Proposed Rulemaking (NPRM) issued by the Office of Civil Rights of the U.S. Department of Health and Human Services on July 8, 2010. Post & Schell's Steve Fox and Vadim Schick will highlight the key provisions in the NPRM, including:

New restrictions on use and disclosure of protected health information (PHI) for marketing, fundraising, and other commercial purposes
Providing patients with e-copies of their PHI
Extension of HIPAA Privacy and Security Rules to business associates
Effect of new rules on business associate agreements

In addition, our guest presenter for this webinar, Alex Ricardo, CIPP of Kroll Fraud Solutions, who will discuss the practical implications of this new set of regulations on covered entities and business associates, including:

Assessing an organization's policies, procedures and practices for compliance with the HIPAA Rules and these updates
Reviewing current contractual agreements and relationships with business associates and their subcontractors
Training staff of the organization
Breach preparedness and breach response

You can view this presentation at your desk. There is no charge or limit to the number of people who can listen to the presentation on the same line. Click the following link to register for the webinar: register now. After registering, you will receive log-in information for this webinar by
e-mail.

For more information, contact Vadim Schick at vschick@postschell.com or 202-661-6945.

Tags: ARRA, Articles, HITECH Act, News, Privacy & Security

CCHIT to launch certification process on September 20, 2010

Posted on August 31, 2010 by Steve Fox and Vadim Schick

According to Karen Bell, MD, chair of the Certification Commission on Health Information Technology (CCHIT), her organization will begin accepting applications for HHS certification as early as September 20, 2010. Via Healthcare IT News:

CCHIT is authorized to offer HHS certification for complete EHRs that meet all of the Stage 1, 2011/2012 HHS/ONC criteria, as well as certification for modular EHR products that meet one or more - but not all - of the criteria, Bell said.

According to Bell, CCHIT plans to launch its authorized HHS certification program on Sept. 20 at 1 p.m. Eastern time with a Town Call Webcast describing its application and testing process. CCHIT will take new health IT developer applications immediately after the Webcast and the first group of HHS certified complete EHRs and EHR modules will be announced within weeks of that launch.

In addition to HHS certification, CCHIT will continue to offer its CCHIT Certified program for ambulatory and inpatient EHR products that exceed the HHS/ONC criteria and are designed for hospitals and physician practices that are looking for assurance of more robust, integrated EHR products to support the unique needs of its clinicians and patients. Many of these products will also be HHS certified, Bell said.

You can read more about CCHIT's plans here.

Tags: ARRA, Articles, CCHIT, EHR, EMR, HITECH Act, News, ONC, ONC-ATCBs, Privacy & Security, acute, ambulatory, certification, meaningful, testing, use

CCHIT and Drummond picked as ONC-ATCBs

Posted on August 31, 2010 by Steve Fox and Vadim Schick

Via HHS Press Release:

The Certification Commission for Health Information Technology (CCHIT), Chicago, Ill. and the Drummond Group Inc. (DGI), Austin, Texas, were named today by the Office of the National Coordinator for Health Information Technology (ONC) as the first technology review bodies that have been authorized to test and certify electronic health record (EHR) systems for compliance with the standards and certification criteria that were issued by the U.S. Department of Health and Human Services earlier this year.

Announcement of these ONC-Authorized Testing and Certification Bodies (ONC-ATCBs) means that EHR vendors can now begin to have their products certified as meeting criteria to support meaningful use, a key step in the national initiative to encourage adoption and effective use of EHRs by America’s health care providers.

“Less than two months following the issuance of final meaningful use rules, we have approved our initial ONC-ATCB certifiers. EHR vendors can begin immediately to get their products certified.” said David Blumenthal, M.D., national coordinator for Health Information Technology. This is a crucial step because it ensures that certified EHR products will be available to support the achievement of the required meaningful use objectives, that these products will be aligned with one another on key standards, and that doctors and hospitals can invest with confidence in these certified systems.”

Tags: ARRA, ATCB, Articles, EHR, EMR, HITECH Act, News, ONC, ONC-ATCBs, Privacy & Security, certification, meaningful, testing, use

Steve Fox interviewed by InformationWeek about EHR contracts

Posted on August 24, 2010 by Vadim Schick

Our own Steve Fox was interviewed by InformationWeek regarding the essential protections healthcare providers should include in their EHR contracts with health IT vendors. In particular, Steve warned providers against simply accepting vendor agreements without carefully reviewing and negotiating the key provision therein. Via InformationWeek:

"Many health IT vendors offer online contacts that prompt the physician to click the 'agree' button. Unfortunately some of these agreements have no warranties and in fact disclaim many standard warranties, so the vendors are selling their products 'as is,' which means if something goes wrong they are not responsible," Fox told InformationWeek after his presentation. "Some contracts even go further and say if a third party, for example the patient, would sue as a result of a problem with the EHR, the physician has to indemnify and defend the vendor even if it was the vendor that caused the problem."

You can read more after the jump, or by clicking here.

Tags: ARRA, Articles, EHR, HITECH, HITECH Act, Meaningful use, News, PHI, Privacy & Security, agreement, contract, data, negotiating, privacy, protection, provision, warranties

Advisory panel submits recommendations to HIT Policy Committee regarding health data exchanges

Posted on August 20, 2010 by Steve Fox and Vadim Schick

On August 19, 2010, the "tiger team" advisory panel submitted a letter to the HIT Policy Committee, established pursuant to the HITECH Act, proposing new safeguards for personally identifiable information on health information exchanges. Via Bloomberg Business Week:

The recommendations were developed in response to a specific set of privacy-related questions raised by the Office of the National Coordinator for Health Information Technology. They touch upon and clarify topics such as patient consent and the use of third-party service providers in the exchange of personally identifiable health information.

<...> One of the bigger recommendations relates to patient consent. The direct exchange of electronic patient data between health providers for treatment purposes does not require any additional patient consent, the panel noted. The same rules that apply to paper or faxed exchanges of health information should apply in the electronic realm as well.

HIT Policy Committee will have to review and approve the proposed safeguards. You can read more about the proposed standards after the jump, and can read the letter in full by clicking here.

Tags: ARRA, Articles, HIT, HIT Policy Committee, HITECH Act, News, ONC, Privacy & Security, Privacy and Security, consent, health data exchange, health information exchange, meaningful consent

eWeek: Top 10 Reasons to avoid EHRs stored in a "cloud"

Posted on August 19, 2010 by Steve Fox and Vadim Schick

eWeek provides a great reminder of the dangers of signing up for an electronic health records system stored in a "cloud." Such ASP/SaaS EHR models are attractive to many practices because they offer consistent (though not always lower) monthly fees and require no equipment purchases or installations. However, as eWeek appropriately summarized, choosing an ASP provider should raise quite a few concerns, including:

Access: who has access to your information (including your patients' protected health information)? How safe is it? Perhaps even more importantly, do you have access to your own information? Each ASP contract must deal with access issues, and clearly state that the provider will always have the right to access its own information stored on remotely hosted servers. Similarly, vendors should warrant that only the necessary personnel will access provider's records, and only in accordance with the scope of the agreement between the parties.
Storage and disposal: Where is the data actually stored, and what regional or international laws may apply to such information? Also, what happens if the provider ceases to exist? eWeek reminds us that in 2001, "GE Healthcare bought health records provider Encounter EHR and eventually ended up shutting it down - giving records holders 30 days' notice to reclaim their data or lose it. This caused a great number of problems." While such instances are rare, what if the vendor storing your records is acquired by another company? Once again, your contracts should clearly deal with these issues, especially by providing that in the event the vendor is sold or goes out of business, provider has the right to terminate the agreement and the vendor must immediately return all of provider's data in its possession in the format specified by the provider.
Cost: Does choosing ASP/SaaS model save money? According to eWeek, not necessarily: "Allscripts' MyWay service costs $700 per month per health care provider. GE Healthcare's new Centricity Advance service will cost doctors from $300 to $800 a month. Most client-server software packages are much less expensive."

Tags: ARRA, ASP, Articles, HITECH Act, News, Privacy & Security, SaaS, agreement, cloud, cloud computing, contracting, contracts, electronic health records, electronic medical records, negotiate

NIST Publishes Approved Testing Procedures for EHRs

Posted on August 19, 2010 by Steve Fox and Vadim Schick

Via NIST:

In efforts to help the nation's health care industry make the transition to the digital age in an effective and meaningful fashion, the National Institute of Standards and Technology (NIST) has published a set of approved procedures for testing information technology systems that work with electronic health records (EHRs). Released in draft form earlier this year (see "NIST, Partners Develop Testing Infrastructure for Health IT Systems," NIST Tech Beat for March 16, 2010, at http://www.nist.gov/itl/hit_031610.cfm), the approved and finalized testing procedures are now available for use.

Under a certification program established by the U.S. Department of Health and Human Services Office of the National Coordinator (HHS/ONC), testing organizations authorized by HHS/ONC can use the tools to evaluate EHR software and systems that vendors would like to sell to doctor's offices, hospitals and other health care providers. Starting next year, the federal government will provide extra Medicare and Medicaid payments to health care providers that implement EHR systems certified to meet ONC requirements that conform to technical standards and are put to "meaningful use," performing specifically defined functions.

These ONC-approved test procedures help ensure that electronic health records function properly and work interchangeably across systems developed by different vendors. The set of 45 approved test procedures evaluate components of electronic health records such as their encryption, how they plot and display growth charts, and how they control access so that only authorized users can access their information.

The development of these tools was mandated by the American Recovery and Reinvestment Act (ARRA) in order to support a health IT infrastructure.

Notice of the approved test procedures appears in the August 9, 2010, Federal Register. For more information, see http://healthcare.nist.gov/use_testing/finalized_requirements.html and http://healthit.hhs.gov/certification

Tags: ARRA, Articles, Certified EHR, EHR, HITECH Act, NIST, News, Privacy & Security, certification, certification process, certifying body, electronic health records

CMS launches web site for incentive payment programs

Posted on August 11, 2010 by Steve Fox and Vadim Schick

CMS launched a very useful Web site, http://www.cms.gov/EHRIncentiveprograms, providing an overview of the Medicaid and Medicare incentive payment programs established by the HITECH Act. The site provides up-to-date, detailed information and many important links and "fact sheets" about the incentive programs, including overviews of CMS's final rule on meaningful use, the scope of the incentives program, and a Frequently Asked Questions section.

It is definitely worth saving or bookmarking this site, so that you can check back in easily for regular updates.

Tags: ARRA, Articles, CMS, EHR, HITECH, HITECH Act, Medicaid, Medicare, News, incentive, incentive payment, meaningful, program, use

Final breach notification rules delayed

Posted on July 29, 2010 by Steve Fox and Vadim Schick

On August 19, 2009, pursuant to the HITECH Act, the Department of Health and Human Services (HHS) published the interim final regulations regarding breach notification requirements for health care providers and other entities covered by HIPAA. The rule became effective on September 23, 2009.

During the 60 day public comment period, HHS received 120 comments, after which HHS developed a final rule and submitted it to the Office of Management and Budget for regulatory review on May 14, 2010. However, on July 27, 2010, HHS issued a statement that they are withdrawing the final rule from OMB:

HHS is withdrawing the breach notification final rule from OMB review to allow for further consideration, given the Department’s experience to date in administering the regulations. This is a complex issue and the Administration is committed to ensuring that individuals’ health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur. We intend to publish a final rule in the Federal Register in the coming months.

HHS's withdrawal remains a bit of mystery. However, Post & Schell's Ed Shay has a couple of thoughts, which you can read after the jump.

Tags: ARRA, Articles, HIPAA, HITECH, HITECH Act, Higher Ed, News, Privacy & Security, breach notification, enforcement, harm threshold, privacy, risk of harm

Rite Aid settles FTC and OCR privacy charges

Posted on July 29, 2010 by Steve Fox and Vadim Schick

The Rite Aid Corporation, the third largest pharmacy chain in the United States, reached a major settlement with both the Federal Trade Commission (FTC) and HHS's Office of Civil Rights (OCR) regarding charges that Rite Aid violated federal privacy and security laws and regulations by failing to keep its customers' and employees' data safe.

Rite Aid employees were reported to discard prescriptions and pill bottles containing sensitive patient data into the dumpsters behind various Rite Aid pharmacies, which were easily accessible to the public. Such practices violate the HIPAA Privacy Rule, which requires covered entities to safeguard the privacy of patient information, even when such information is being destroyed. Rite Aid's actions may also violate the company's own promises to their customers regarding keeping their health information private and secure (this broken promise being the basis for FTC's charges).

Tags: ARRA, Articles, CVS, FTC, HHS, HIPAA, HIPAA Privacy Rule, HITECH Act, Higher Ed, News, OCR, Privacy & Security, Rite Aid, corrective action plan, disposal, dumpster, privacy, security, settlement

Enrollment standards recommendations released

Posted on July 20, 2010 by Steve Fox and Vadim Schick

We dedicate much of our time to the implications of and regulations stemming out of the American Recovery and Reinvestment Act of 2009 (ARRA). However, this year's historic health reform legislation ("Affordable Care Act" or "ACA") also contains a number of significant provisions affecting the health IT industry. (We discussed ACA's health IT provisions in a recent guide to the health reform legislation crafted by the American Health Lawyers Association, which you can fine here.)

In particular, Section 1561 of the Affordable Care Act tasks the HIT Policy and Standards Committees (established last year pursuant to ARRA) to develop a set of standards which would facilitate enrollment in federal and state health and human services programs, including drafting "standards for electronic matching across state and federal data; retrieval and submission of electronic documentation for verification; reuse of eligibility information; capability for individuals to maintain eligibility information online; and notification of eligibility."

On July 19, 2010, the Enrollment workgroup of these advisory committees issued their recommendations with respect to minimum enrollment standards. Their recommendations will be the subject of a rule the agency must issue by September 30, 2010. The workgroup's recommendations include the use of web-based services, easing enrollment procedures for patients, and creating "business rules" (sets of policies and procedures aimed at promoting "the use of standard data elements and verification and help to deal with ambiguity of information and differences in data so program officers can make decisions about eligibility.")

You can learn more about the Enrollment workgroup's recommendations via Healthcare IT News or, in greater detail, via ONC's web site.

"Health IT panel offers first enrollment standards details," Healthcare IT News (July 20, 2010).

Tags: "enrollment, ACA, ARRA, Affordable Care Act, Articles, HITECH Act, News, enrollment, health reform, health reform legislation, standards

CMS issues final rules on Meaningful Use

Posted on July 13, 2010 by Steve Fox and Vadim Schick

On July 13, 2010, CMS issued the final rule defining "meaningful use" and establishing the parameters and requirements for eligible professionals, hospitals and other providers to receive incentive payments provided under the HITECH Act for widespread adoption of electronic health records. According to CMS, the key changes included in the final rule (from the meaningful use NPRM published in the Federal Register on January 13, 2010) include:

Greater flexibility with respect to eligible professionals and hospitals in meeting and reporting certain objectives for demonstrating meaningful use. The final rule divides the objectives into a “core” group of required objectives and a “menu set” of procedures from which providers may choose any five to defer in 2011-2012. This gives providers latitude to pick their own path toward full EHR implementation and meaningful use.

An objective of providing condition-specific patient education resources for both EPs and eligible hospitals and the objective of recording advance directives for eligible hospitals, in line with recommendations from the Health Information Technology Policy Committee.

A definition of a hospital-based EP as one who performs substantially all of his or her services in an inpatient hospital setting or emergency room only, which conforms to the Continuing Extension Act of 2010

CAHs within the definition of acute care hospital for the purpose of incentive program eligibility under Medicaid.

You can view the PDF of the final rule on Meaningful Use by clicking here.

You can learn more about it from the HHS press release by clicking here. Also, the New England Journal of Medicine published an excellent summary by Dr. Blumenthal of the changes included in the final rule; you can find this article by clicking here.

HHS issues NPRM on HIPAA Privacy, Security and Enforcement Rules

Posted on July 8, 2010 by Steve Fox and Vadim Schick

On July 7, 2010, HHS issued a notice of proposed rule making (NPRM) regarding the changes to the HIPAA Privacy, Security and Enforcement Rules, as provided in the HITECH Act, in order "to strengthen the privacy and security protections for health information and to improve the workability and effectiveness of the HIPAA Rules." Via HHS Press Release:

The proposed modifications to the HIPAA Rules include provisions extending the applicability of certain of the Privacy and Security Rules’ requirements to the business associates of covered entities, establishing new limitations on the use and disclosure of protected health information for marketing and fundraising purposes, prohibiting the sale of protected health information, and expanding individuals’ rights to access their information and to obtain restrictions on certain disclosures of protected health information to health plans. In addition, the proposed rule adopts provisions designed to strengthen and expand HIPAA’s enforcement provisions.

You can view the NPRM by clicking here.

"Notice of Proposed Rulemaking to Implement HITECH Act Modifications," HHS Press Release (July 7, 2010).

Tags: ARRA, Articles, HHS, HIPAA, HIPAA Privacy, HIPAA Security, HITECH, HITECH Act, NPRM, News, ONC, PHI, Privacy & Security, breach, data, enforcement, privacy, security

CMS plans to integrate quality reporting programs under Medicare and HITECH Act

Posted on July 1, 2010 by Steve Fox and Vadim Schick

As required in the Patient Protection and Affordable Care Act (PPACA), Center for Medicare and Medicaid Services (CMS) announced this week that it plans to integrate the quality reporting requirements for physicians' Medicare payments with reporting requirements for healthcare providers who achieve meaningful use under the HITECH Act. Via Healthcare IT News:

Under the Physician Quality Reporting Initiative (PQRI), physicians who participate in Medicare can receive incentives for reporting various quality measures, a select number of which are aimed at those who want to report using EHRs.

Providers who become meaningful users of EHRs, as laid down by the American Recovery and Reinvestment Act (ARRA), will also be eligible for incentive payments. A final rule on that is expected soon.

CMS has requested public comment on how it should integrate the two programs, included within a proposed rule about changes in Medicare physician payments for 2011 CMS expects to publish the proposed rule July 13.

"In an effort to align PQRI with the EHR incentive program, we propose to include many ARRA core clinical quality measures in the PQRI program, to demonstrate meaningful use of EHR and quality of care furnished to individuals," the proposed rule says.

Meaningful use measures that physicians could use for PQRI reporting through electronic health records include such things as blood pressure measurement for hypertension, body mass index screening and prevention care follow up, and drugs to be avoided in the elderly, according to CMS.

You can find a copy of the proposed rule here.

"CMS to two align quality reporting programs," Healthcare IT News (June 29, 2010).

Tags: ARRA, Articles, CMS, HITECH, HITECH Act, Medicare, News, PQRI, incentive, incentive payments, quality reporting

Breaking: ONC releases final rule on temporary EHR certification

Posted on June 18, 2010 by Steve Fox and Vadim Schick

On June 18, 2010, the Office of National Coordinator for Health IT issued a final rule, 45 CFR Part 170, establishing a temporary EHR certification program for the purposes of testing and certifying health information technology.

The National Coordinator will utilize the temporary certification program to authorize organizations to test and certify Complete Electronic Health Records (EHRs) and/or EHR Modules, thereby making Certified EHR
Technology available prior to the date on which health care providers seeking incentive payments available under the Medicare and Medicaid EHR Incentive Programs may begin demonstrating meaningful use of Certified EHR Technology.

You can find the new final rule here.

You can find ONC's "Fact Sheet" and Q&A regarding certification here.

Tags: ARRA, Articles, EHR, EHR certification process, HITECH Act, News, ONC, ONC-ATCBs, Privacy & Security, certification, temporary, temporary EHR certification, temporary certification program

Updated: breaches and fines on the rise

Posted on June 16, 2010 by Steve Fox and Vadim Schick

The number of reported health information breaches is growing rapidly: 32 breaches were reported on the OCR web site from September 2009 to February 2010, but the number almost tripled, to 93 breaches, by June 11, 2010. Such significant increases in reported breaches may be attributed to the notification and reporting requirements in the HITECH Act, which went into effect this year. We cannot possibly report or list all of the relevant breaches, but we would like to highlight a few important ones:

On May 28, 2010, Cincinnati.com reported that “Cincinnati Children's Hospital Medical Center is beefing up its computer security after a laptop computer containing more than 61,000 patient records was stolen.” Information lost included not only PHI, but also Social Security numbers and even credit card data. The records on the laptop were password protected, but they were not encrypted. The hospital reported the breach, hired a consulting company to deal with same, and offered affected individuals ID theft protection at no charge. The cost of this breach has already been extremely high, but it could be even higher if credit card companies go after Children's Hospital for losses associated with loss of improperly stored credit card information.

Five hospitals in California were fined a combined total of $675,000 by the California Department of Public Health for patient privacy violations, failing to prevent unauthorized access to confidential patient medical information of 245 patients, which were improperly accessed by a total of 32 employees. On June 10, 2010, Press-Enterprise reported that the Community Hospital of San Bernardino was fined by the state of California a total of $325,000 for breaches of more than 200 patient records by two employees in 2009. Violations were significant, but, considering the fine, far from gruesome.

Please click here to read more.

Tags: ARRA, Articles, California, California department of public health, HIPAA, HITECH, HITECH Act, News, PHI, Privacy & Security, breach, breach notification, privacy, security

HLM: OCR to release privacy and security rules in two weeks

Posted on June 16, 2010 by Steve Fox and Vadim Schick

Via Health Leaders Media:

OCR will release proposed rules later this month [or 'about two weeks or around June 26th'] on most of the HIPAA privacy and security-related provisions in HITECH, according to the North Carolina Healthcare Information and Communications Alliance (NCHICA).

<...> NCHICA reports the proposed rules will not include accounting for disclosures, which will be the subject of a separate proposed rule. The NPRM will also include clarification regarding "willful neglect" (penalty tiers).

Currently, that represents the most egregious breach of unsecured PHI and can include a penalty of at least $1.5 million under new HITECH tiers in the enforcement final rule.

The state alliance also reports state attorneys general (SAG) are "developing training programs, including information for SAG staff, covered entities and business associates regarding HIPAA requirements and processes for filings with HHS, based on lessons learned from the first AG filing in Connecticut." Under HITECH, state AGs can pursue lawsuits for HIPAA violations, and Connecticut's AG was the first to do so.

OCR is expected to begin its HITECH-required compliance audits next year, the alliance reports. OCR's audits will be outsourced because its resources are limited, according to the e-mail.

"Much remains to be decided," Susan McAndrew, JD, deputy director for Health Information Privacy, for OCR, said in the "Quiz the Regulator" session on June 7.

"State Alliance: Proposed HITECH Regulations Coming in Two Weeks," Health Leaders Media (June 15, 2010).

Tags: ARRA, Articles, HIPAA, HITECH Act, News, OCR, Privacy & Security

ONC approves Maryland's HIT plan

Posted on June 14, 2010 by Steve Fox and Vadim Schick

On June 7, 2010, Maryland's Lt. Governor Anthony Brown announced that the Office of National Coordinator for Health IT approved Maryland's State Health IT plan, allowing the state to move forward to implement a functional health information exchange (HIE). According to the Washington Business Journal, ONC will release $25 million in ARRA funds to Maryland, to be used in connection with the state's HIE:

Proponents of the exchange say it will cut costs and improve health care quality by streamlining the transfer of electronic health data between hospitals, physicians and patients.

The Chesapeake Regional Information System for our Patients, the nonprofit tasked with implementing the exchange, has already begun work with $10 million in state money. The federal approval leaves the plan's funding "fully unrestricted," said CRISP Program Director Scott Afzal, allowing them to broaden the goals of the exchange and engage more hospitals. Much of their work lies in finding health care providers to sign on to the exchange when there is no state or federal legal requirement to do so, according to Afzal.

'We have to show a value proposition to connect,' he said.

The project is estimated to cost roughly $20 million, although it will be scoped to available funding.

Tags: ARRA, Articles, CRISP, Chesapeake, HIE, HITECH, HITECH Act, News, ONC, Recovery Act

Allscripts and Eclipsys announce $1.3B merger

Posted on June 14, 2010 by Steve Fox and Vadim Schick

Allscripts and Eclipsys announced a $1.3 billion merger, which some analysts tout as a match "made in heaven" due to Allscripts's strength in the ambulatory space and Eclipsys's strength on the acute side. The merger is expected to be completed in four to six months; the combined company will have around 5,500 employees. The merger will also pose some challenges for the combined entity, with some customers worrying that the merger will distract management from dealing with existing issues. However, analysts believe that Allscripts's smooth merger with Misys in 2008 is a good sign that this merger with Eclipsys will succeed.

Both companies are looking to capitalize on the projected exponential growth in adoption of health IT, in part due to the incentives created by ARRA. According to the Congressional Budget Office, adoption of electronic health records by physician practices is expected to increase from 12% in 2011 to 90% by 2019.

This merger is yet another sign of future consolidation in the healthcare industry, both on the vendor side, and on the provider side, as enterprises try to minimize costs and maximize revenue in the ever-changing and often uncertain business environment.

"Allscripts-Eclipsys: 'A match made in heaven' - mostly," Healthcare IT News (June 10, 2010).

Tags: ARRA, Allscripts, Articles, EHR, Eclipsys, HITECH, HITECH Act, News, Privacy & Security, consolidation, merger

Study: 94% of healthcare businesses not in substantial compliance with HITECH and HIPAA

Posted on May 25, 2010 by Steve Fox and Vadim Schick

A new survey by the Ponemon Institute, an organization dedicated to advancing responsible information and privacy management practices, found that almost all surveyed organizations did not substantially comply with HIPAA, including as modified by the HITECH Act. The survey was conducted in November 2009, but, according to Ponemon, the results are not supposed to have changed much.

Ponemon Institute's survey of 77 healthcare organizations, including 42 covered entities and 35 business associates, found (via BNA):

27 percent of the health care organizations had not started and were “barely aware” of what was required;
32 percent of the organizations were waiting for more details;
14 percent of organizations surveyed had a plan but were waiting for more details on the requirements;
21 percent of the organizations surveyed were just beginning to act on becoming compliant;
79 percent of organizations do not regularly have the required independent assessment or audit of their program to determine adequacy; and
57 percent reported having known deficiencies for privacy or security.

You can find the full survey here.

"Study Finds Majority of Health Care Entities Not Compliant with HIPAA, HITECH Provisions," BNA Health IT Law & Industry Report (May 24, 2010).

Tags: ARRA, Articles, Covered Entities, HIIPAA, HITECH, HITECH Act, News, Privacy & Security, Privacy and Security, business associate

Medical associations sue FTC over Red Flags Rule

Posted on May 24, 2010 by Steve Fox and Vadim Schick

Just days prior to the latest enforcement deadline of the Red Flags Rule ("RFR"), medical and osteopathic associations sued the Federal Trade Commission (FTC) over the applicability of RFR's identity theft prevention requirements to their member organizations. FTC is to begin enforcement of the Rule on June 1, 2010. Among other claims, medical associations are seeking the U.S. District Court for the District of Columbia to prevent the FTC from defining healthcare providers as "creditors" under FACTA. According to Health Data Management:

'The worst part is, I think, from a strictly ethical point of view, that you have to approach every new patient with suspicion about their identity,' said AMA spokesman Robert Mills. 'That violates every precept of the physician-patient relationship; the FTC is asking doctors to violate their role as trusted healer and counselor.'

The physician groups say that the rule requires them to set up identity theft prevention and detection programs, which aren't necessary, and said the FTC was 'arbitrary and capricious' in extending the application of the law to them. Also, the extension of the Red Flag Rule to doctors would do nothing to improve care, the physician groups say.

<...> According to the lawsuit, complying with the Red Flags Rule 'imposes significant burdens on physicians, particularly sole practitioners, and those practicing in small groups.'

Tags: AMA, ARRA, Articles, FTC, HIPAA, HITECH Act, News, Privacy & Security, Red Flags Rule, identity theft, privacy

OCR adds investigators to boost security rule enforcement

Posted on May 13, 2010 by Steve Fox and Vadim Schick

According to Health Data Management, Susan McAndrew, deputy director for privacy at the Department of Health and Human Services’ Office for Civil Rights (OCR) announced at a recent conference that OCR added investigators to 10 regional offices in order to boost enforcement of HIPAA privacy and security rules.

On August 3, 2009, HHS Secretary Kathleen Sebelius transferred the responsibility for HIPAA Security Rule enforcement from CMS to OCR, which is now tasked with enforcement of both the HIPAA Security Rule and the HIPAA Privacy Rule.

While the transition from CMS to OCR "took longer than expected," Ms. McAndrew believes that OCR is finally in a position to increase enforcement efforts in order to realize the privacy and security initiatives enacted last year pursuant to the HITECH Act.

We’re hoping to move security to the forefront and make it a real partner with privacy in our enforcement... [and] that with additional feet on the ground, we’ll be able to do many more security cases as the year moves forward.

"OCR Boosting Security Enforcement," Health Data Management (May 12, 2010).

Tags: ARRA, Act, Articles, HIPAA, HIPAA Privacy Rule, HIPAA Security Rule, HITECH, HITECH Act, News, OCR, Privacy & Security

Prison sentence for hospital employee who breached patient privacy

Posted on May 4, 2010 by Vadim Schick

Back in January, we wrote about Huping Zhou, a former employee at the UCLA Healthcare System, who pleaded guilty to federal charges of breaches of patient privacy. Zhou, 48, accessed the UCLA patient records system 323 times during the three-week period, mostly looking for the files of celebrities, after being let go by the hospital. Names of targeted celebrities have not been revealed.

On April 27, 2010, Zhou was sentenced to four months in prison after pleading guilty to four misdemeanor counts of HIPAA violations. Zhou is the first person ever sentenced to prison for violating HIPAA. According to NBC Los Angeles:

Federal officials say Zhou is a licensed cardiothoracic surgeon in China. In 2003, he went to work for UCLA as a researcher with the UCLA School of Medicine. But his tenure was short and stormy. School officials notified him that he would be dismissed in October that year, and that's when federal officials say the snooping began.

In his plea agreement, Zhou admitted his actions, and that he had no legitimate reason for accessing the records. Federal authorities say there's no evidence that he did it for profit. Apparently, he just did it because he could.

"Former UCLA Healthcare Worker Sentenced to Prison for Snooping, " NBC Los Angeles (April 28, 2010).

Tags: ARRA, Articles, HIPAA, HIPAA breach, HIPAA violation, HITECH Act, News, Privacy & Security, privacy, security

In the news: patient privacy edition

Posted on April 28, 2010 by Steve Fox and Vadim Schick

HHS's Office of Civil Rights (OCR) filed a notice in the Federal Register lifting a requirement preventing OCR from posting names of sole practitioners who suffer breaches of patient data without first obtaining consent from such practitioners. Pursuant to the HITECH Act, any covered entity reporting a breach affecting over 500 individuals must report such breach to HHS, and HHS will post a notice of such breach on its web site. At the same time, HHS did not post names of individual physician practices (e.g., sole practitioners) without such physicians' consent because they deemed the name of the physician to be protected under the Privacy Act of 1974. Instead, HHS listed such breaches under "private practice." However, OCR announced on April 16, 2010, that "it will begin posting on its breach notification web site the names of entities they consider "individuals" regardless of whether or not those entities give consent." According to HealthLeaders Media, the rule will become effective after the comment period closes (about May 23, 2010).

Government Health IT reports that OCR will issue more privacy and security rules mandated by the HITECH Act in May 2010, including rules regarding business associate liability; new limitations on the sale of protected health information, marketing, and fundraising communications; and stronger individual rights to access electronic medical records and restrict the disclosure of certain information. According to HHS, "OCR continues work on a Notice of Proposed Rulemaking (NPRM) regarding these provisions. Although the effective date (February 17, 2010) for many of these HITECH Act provisions has passed, the NPRM and the final rule that follows will provide specific information regarding the expected date of compliance and enforcement of these new requirements."

Tags: ARRA, Articles, HHS, HITECH Act, News, OCR, PHI, Privacy & Security, breach, breach notification, consent

Wall Street Journal on EMRs and HIEs

Posted on April 22, 2010 by Steve Fox and Vadim Schick

On April 13, 2010, the Wall Street Journal published two fascinating articles on health information technology issues. In "Can Technology Cure Health Health Care?" author Jacob Goldstein examined the complexities and major risks of adopting electronic medical records. Goldstein also suggested a few high-level policies necessary to combat such risks, including designing the software with patient care in mind (rather than focusing on billing and other administrative tasks); customizing the software to fit the unique needs of one's organization; and taking the time to implement the EMR in a carefully crafted, staged manner.

The last recommendation seems to be indeed crucial to a successful EMR implementation, but it will likely put many healthcare providers trying to capitalize on HITECH incentive payments in a peculiar situation. Such providers must carefully balance their need to achieve "meaningful use" in a short time frame, while preventing as many disruptions to patient care as possible.

In "Breaking Down the Barriers," Laura Landro examined the state of regional health organizations (RHIOs) and health information exchanges (HIEs). While RHIO/HIE's are still rare, the number of such electronic patient data exchanges grows every day. In fact, according to the Journal, the number of RHIO/HIE's increased by 57% since last year. Such exchanges are also likely to benefit from HITECH Act funding distributed by HHS.

There is an interesting nexus between these two articles: interoperability and exchange. A successful widespread adoption of EMR technology seems to depend upon different EMRs talking to each other, and different - including competing - healthcare providers exchanging patient information. While EMRs may only marginally improve patient care in each individual hospital, they are likely to have a far greater impact as part of a nationwide health information exchange.

"Can Technology Cure Health Care?" Wall Street Journal (April 13, 2010).

"Breaking Down the Barriers," Wall Street Journal (April 13, 2010).

Tags: ARRA, Articles, EMR, HIE, HITECH Act, News, Privacy & Security, RHIO, exchange, health information exchange, interoperability, meaingful use, regional health information organization, risk

CHIME comments on EHR certification NPRM

Posted on April 15, 2010 by Steve Fox and Vadim Schick

In a letter to Dr. David Blumenthal, the College of Healthcare Information Executives (CHIME), an organization which represents1,400 healthcare chief information officers, offered some criticism of ONC's recent notice of proposed rulemaking (NPRM) regarding the EHR certification program. While CHIME expressed general support for a two-stage approach for creating the certifying bodies, the CIO's are worried about any destabilizing effects such rule may have on the health IT market. Via Healthcare IT News:

We are very concerned that the introduction of a two-stage approach for certification will prolong the current instability in the health IT marketplace, which exists because of the un-finalized status of meaningful use and certification regulations," CHIME wrote. "The introduction of two separate certification schemes – one temporary and one permanent – carries a risk of continuing the uncertainty and promoting needless product replacement in the marketplace.

CHIME issued a few recommendations to combat such uncertainty, which you can find after the jump.

Tags: ARRA, Articles, CHIME, Certified EHR, EHR, HITECH Act, NPRM, News, ONC, certification, certification process, certified, certified , certifying body, electronic, health, records"

In the news: Senators request easing of meaningful use requirements; HHS releases over $267M for RECs; and more

Posted on April 12, 2010 by Steve Fox and Vadim Schick

A group of 37 U.S. Senators sent a letter to HHS Secretary Kathleen Sebelius expressing concern regarding the current definition of meaningful use. The senators urged the Secretary to "allow providers to 'temporarily defer a limited set of IT goals' without otherwise changing the ultimate timeline or requirements of the program." The senators also sought to change the eligibility determination based on Medicare provider numbers, considering many healthcare providers have multiple medical campuses under one such Medicare number. According to Sen. Max Baucus (D-MT), such changes would "improve the guidelines HHS has set in way that will encourage widespread use of basic, functional IT tools and improve patient care.”

HHS released over $267 million from the stimulus funds to help 28 non-profit Regional Extension Centers (RECs). This latest award brought the total of stimulus-funded RECs to 60, and is expected to support 100,000 primary care and hospitals within 2 years. According to Secretary Sebelius, these 28 awards "represent [HHS's] ongoing commitment to make sure that health providers have the necessary support within their communities to maximize the use of health IT to improve the care they provide to their patients."

Tags: ARRA, Articles, HHS, HITECH Act, Meaningful use, News, ONC, Privacy & Security, REC, Regional Extension center, Sebelius, meaningful use regulations

ONC publishes white paper on consent options

Posted on April 1, 2010 by Vadim Schick

The Office of National Coordinator for Health IT (ONC) published on its web site a white paper analyzing the policies behind obtaining consent for the purposes of electronic health information exchange. The paper examined the concept of patient control of their health information, focusing on "the issues, nuanced considerations, and possible tradeoffs associated with the various consent options to help facilitate informed decision making." While the paper was written by researchers at the George Washington University, under contract with ONC, ONC clearly stated in the preamble that this white paper does not actually represent the views of the ONC or HHS.

You can find the full paper (and the attachments) by clicking here. You can view the executive summary by clicking here.

Tags: ARRA, Articles, HITECH Act, News, ONC, ONCHIT, Privacy & Security, Privacy and Security, consent, consent options, privacy, security

In the news: medical ID theft on the rise; CHIME comments on meaningful; and more

Posted on March 24, 2010 by Steve Fox and Vadim Schick

Javelin Strategy & Research survey found over 275,000 cases of medical identity theft in 2009, with an average price tag greater than $12,000 per incident. This is twice as many cases as in 2008. Keeping health information safe is going to be of paramount importance in the next decade, especially considering the steep rise in use of electronic health records. According to Computerworld.com (citing a study by IDC, a research firm), "about a quarter of all Americans -- 77 million people -- already have an EHR, up from 14% from in 2009." By 2015, experts believe the number will reach up to 60%, partially due to the transformation of the health IT industry by the HITECH Act.

In its comments to CMS regarding the meaningful use NPRM, College of Healthcare Information Management Executives (CHIME) insisted that the present "all or nothing" approach to achieving meaningful use is going to prevent significant numbers of eligible providers from receiving any incentive payments under the HITECH Act. According to American Medical News:

Among CHIME's suggestions: a gradual implementation process that would allow physicians to qualify for incentives by achieving 25% of meaningful use objectives by 2011, 50% by 2013, 75% by 2015, and 100% by 2017.

'Without an approach that rewards progress or provides sufficient time, organizations with limited resources will likely have little chance of qualifying for payments, thus widening the 'digital divide' in the country,' CHIME wrote.

Tags: ARRA, Articles, CCHIT, CHIME, Certified EHR, HIPAA, HITECH, HITECH Act, News, Privacy & Security, certified, electronic health records, meaingful use, meaningful use regulations, privacy, security

Slides from webinar on negotiating "must-have" provisions in HIT contracts

Posted on March 19, 2010 by Vadim Schick

Last Thursday, March 18, 2010, from 1:00PM to 2:00PM (EDT), Post & Schell hosted the second webinar in a series examining the effects of meaningful use and other HITECH Act regulations on the healthcare industry.

The webinar focused on identifying and negotiating the essential elements of HIT agreements, particularly in light of the HITECH Act and related HHS regulations regarding "meaningful use" of "certified EHR technology." Post & Schell's Steve Fox and Vadim Schick, along with Jim Oakes, Principal at Health Care Information Consultants, discussed:

Warranty, limitation of liability and privacy and security provisions in HIT contracts
Structuring payments to correspond with certain achievement milestones
Acceptance testing procedures
Provisions specific to vendor-financing transactions
ASP / SaaS models of software licensing

If you missed the presentation, you can listen to the podcast here. You can also view the slides from our presentation here.

This webinar was the second in a series devoted to structuring vendor-provider agreements in the post-HITECH Act world. If you missed our first webinar, A Lawyer's Take on "Meaningful Use," you can still view the slides from that presentation here.

Tags: ARRA, Articles, HIPAA, HIT, HITECH, HITECH Act, Meaningful use, News, Privacy & Security, contracts, license, licensing, meaningful use definition, meaningful use regulations, negotiation, webinar

OCR delays enforcement of certain HITECH provisions

Posted on March 18, 2010 by Steve Fox and Vadim Schick

In a much-anticipated move, the Office of Civil Rights (OCR) within the Department of Health and Human Services has issued an update regarding delays of certain HITECH provisions, while confirming enforcement of others. Via OCR press release:

OCR will implement important privacy and security provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act through notice and comment rulemaking, as required by the Administrative Procedure Act. These provisions include: business associate liability; new limitations on the sale of protected health information, marketing, and fundraising communications; and stronger individual rights to access electronic medical records and restrict the disclosure of certain information. OCR continues work on a Notice of Proposed Rulemaking (NPRM) regarding these provisions. Although the effective date (February 17, 2010) for many of these HITECH Act provisions has passed, the NPRM and the final rule that follows will provide specific information regarding the expected date of compliance and enforcement of these new requirements.

However, interim final rules implementing HITECH Act provisions in two areas have already been issued and are currently in effect: enforcement and breach notification. New civil money penalty amounts apply to HIPAA Privacy and Security Rule violations occurring after February 17, 2009. Covered entities and business associates must comply now with breach notification obligations for breaches that are discovered on or after September 23, 2009. OCR announced previously that it would use its enforcement discretion not to impose fiscal sanctions with regard to breaches discovered before February 22, 2010. Since that date has passed, OCR will enforce the Breach Notification Interim Final Rule, including with the possible imposition of sanctions, as it does with the HIPAA Privacy and Security Rule requirements.

You can find about more here.

"HITECH Act Rulemaking and Implementation Update," OCR Press Release (March 18, 2010).

Tags: ARRA, Act, Articles, HHS, HITECH, HITECH Act, News, OCR, Office of Civil Rights, Privacy & Security, business associate

Steve Fox Interviewed on Negotiating EHR Agreements

Posted on March 11, 2010 by Vadim Schick

As if foreshadowing our upcoming webinar on negotiating EHR license agreements in the post-HITECH world, For the Record interviewed our own Steve Fox on this very subject in its February 15, 2010 cover story:

Steve Fox, senior partner and chair of the IT group at the law firm Post & Schell, says such strategies will be critical to an implementation’s ultimate success. For instance, he says vendors’ guarantees that their platform will meet meaningful use thresholds should be discounted.

“I’d be surprised if [satisfying] the final regulations will be achieved by a vendor doing anything,” he says. “Ultimately, it will be up to individual physicians’ offices or provider organization to achieve meaningful use, and in order to do it, they will need that vendor’s help. I have to laugh when I see those guarantees, ‘If you buy our product, you’ll achieve meaningful use,’ because nobody can make that claim. On the other hand, the failure of the vendor’s product can cause you to fail to achieve meaningful use. That’s why it is so important that you have tight provisions in the contract saying that whatever you want that vendor’s product to achieve, it will meet those particular objectives.

“Many vendors use the phrase ‘We don’t know what we don’t know’ as a way to say they can’t try to comply with future regulations, but our position is if you are in the HIT arena, you have to agree up front to comply with whatever they are,” he adds.

Tags: ARRA, Act, Articles, EHR, EMR, HITECH, HITECH Act, Meaningful use, Steve Fox, agreement, definition, meaingful, meaningful use regulations, use, vendor

Free Webinar: Negotiating "Must-Have" Provisions in HIT Contracts

Posted on March 9, 2010 by Steve Fox and Vadim Schick

On Thursday, March 18, 2010, from 1:00PM to 2:00PM (EDT), Post & Schell will host the next webinar in a series examining the effects of meaningful use and other HITECH Act regulations on the healthcare industry.

This webinar will focus on identifying and negotiating the essential elements of HIT agreements, particularly in light of the HITECH Act and related HHS regulations regarding "meaningful use" of "certified EHR technology." Post & Schell's Steve Fox and Vadim Schick, along with Jim Oakes, Principal at Health Care Information Consultants, will discuss:

Warranty, limitation of liability and privacy and security provisions in HIT contracts
Structuring payments to correspond with certain achievement milestones
Acceptance testing procedures
Provisions specific to vendor-financing transactions
ASP / SaaS models of software licensing

You may view this presentation at your desk. There is no charge or limit to the number of people who may listen to the presentation on the same line. Click here to register. After registering, you will receive log-in information by e-mail.

This webinar is second in a series devoted to structuring vendor-provider agreements in the post-HITECH Act world. If you missed our first webinar, A Lawyer's Take on "Meaningful Use," you can still view the slides from that presentation here.

Tags: ARRA, Articles, HITECH, HITECH Act, Meaningful use, Privacy & Security, contract, law, license, meaningful use definition, meaningful use regulations, negotiation

Breaking: ONC releases NPRM on certification programs

Posted on March 2, 2010 by Steve Fox and Vadim Schick

ONC announced release of the much-anticipated Notice of Proposed Rulemaking (NPRM) on certification programs. Via ONC Press Release:

Certification of Health IT will provide assurance to purchasers and other users that an EHR system, or other relevant technology, offers the necessary technological capability, functionality, and security to help them meet the meaningful use criteria established for a given phase. Providers and patients must also be confident that the electronic health IT products and systems they use are secure, can maintain data confidentially, and can work with other systems to share information. Confidence in health IT systems is an important part of advancing health IT system adoption and allowing for the realization of the benefits of improved patient care.

Eligible professionals and eligible hospitals who seek to qualify for incentive payments under the Medicare and Medicaid EHR Incentive Programs are required by statute to use Certified EHR Technology. Once certified, Complete EHRs and EHR Modules would be able to be used by eligible professionals and eligible hospitals, or be combined, to meet the statutory requirement for Certified EHR Technology.

Tags: ARRA, Articles, Certified EHR, EHR, HITECH Act, Meaningful use, News, Privacy & Security, meaningful use definition, meaningful use regulations

HHS begins enforcement of breach notification requirements

Posted on February 25, 2010 by Steve Fox and Vadim Schick

As of February 22, 2010, HHS is expected to begin enforcing the new breach notification requirements created by the privacy and security provisions within the HITECH Act. Although such requirements went into effect last fall, HHS gave covered entities and business associates a few months to adapt to the new rules. That enforcement delay is now over, and, perhaps in a related move, on February 23, 2010, HHS's Office of Civil Rights, pursuant to the HITECH Act, posted a list of organizations which reported breaches of unsecured protected health information affecting 500 or more individuals on OCR's web site. This should serve as a good reminder to providers and HIT vendors alike to be keenly aware of the new regulations on breach notification.

The HITECH Act required a covered entity that “accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information” to notify each individual “whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed” due to the breach. Business associates who discover a breach must notify the covered entity.

By regulation published in the Federal Register on August 24, 2009, HHS added a rather controversial "harm threshold" to this requirement: covered entities and business associates are required to notify the affected individual, the HHS, and, in some cases, the media, if such breach poses a significant risk of harm to the individual. This "harm threshold" essentially requires the organization which discovers a breach to undergo a risk assessment test to determine whether a breach would cause "significant harm" to the affected person.

Free Webinar on Meaningful Use: Slides included below

Posted on February 24, 2010 by Vadim Schick

Here are the slides from our February 25, 2010 Webinar on Meaningful Use. This webinar was first in a series, and focused on the critical definition of "meaningful use" of "certified EHR technology," as described in proposed regulations released and published by CMS pursuant to the HITECH Act on January 13, 2009. Steve and I discussed:

Key policy goals and objectives behind meaningful use

Measures required to achieve meaningful use

Structure of incentive payments under Medicare and Medicaid

Eligibility requirements for professionals and hospitals

Our next webinar, to be held on Thursday March 18, 2010, from 1:00 to 2:00 PM, will focus on how to negotiate software and EHR licensing agreements and other transactional issues with respect to dealing with health IT vendors.

For more information, please contact me at vschick@postschell.com or 202-661-6945.

Tags: ARRA, Articles, EHR, EMR, Federal Register meaningful use, HITECH, HITECH Act, Incentives, Medicaid, Medicare, News, Privacy & Security, federal register, incentive payments, meaingful use

OCR may delay enforcement of business associate provisions in the HITECH Act

Posted on February 23, 2010 by Steve Fox and Vadim Schick

Pursuant to the HITECH Act, on February 17, 2010, business associates of covered entities became subject to the HIPAA Privacy and Security Rules, including provisions regarding implementation of various safeguards to secure protected health information. As Steve Fox pointed out in a recent report on the subject by the Pittsburgh Business Journal, it is highly unlikely that most companies are ready to comply with these dramatic changes.

However, according to Hunton & Williams's privacy blog, Adam Greene of the HHS Office of Civil Rights (OCR) stated at an ABA conference on February 18, 2010, that OCR will delay enforcement of this provision of the HITECH Act until the relevant regulations are finalized. OCR itself did not publish a press release on the subject, and we were unable to reach Mr. Greene for comment.

Regardless of OCR's intent to enforce compliance, the business associate provisions in the HITECH Act went into effect last week. We would strongly encourage all covered entities and business associates to take all necessary actions to comply with the new law.

"Privacy policies over electronic health records expand reach," Pittsburgh Business Journal (February 19, 2010).

"HHS Delays Enforcement of HITECH Act Business Associate Provisions," Privacy & Information Security Law Blog (February 19, 2010).

Tags: ARRA, Adam Greene, Articles, Business Associates, HHS, HIPAA, HIPAA Privacy Rule, HIPAA Security Rule, HITECH Act, News, OCR, Privacy & Security, business associates as covered entities, delay, delayed enforcement, enforcement

Thursday: Free Webinar on "Meaningful Use"

Posted on February 22, 2010 by Vadim Schick

On Thursday, February 25, 2010 from 1:00PM to 2:00PM (EST), Steve Fox and yours truly will host a free webinar, the first in a series, which will focus on the critical definition of "meaningful use" of "certified EHR technology," as described in proposed regulations released and published by CMS pursuant to the HITECH Act on January 13, 2009. We will discuss:

Key policy goals and objectives behind meaningful use

Measures required to achieve meaningful use

Structure of incentive payments under Medicare and Medicaid

Eligibility requirements for professionals and hospitals

You may view each of these presentations at your desk. There is no charge or limit to the number of people who may listen to each presentation on the same line. Click here to register. After registering, you will receive log-in information by e-mail.

Our next webinar, to be held on Thursday March 18, 2010, from 1:00 to 2:00 PM, will focus on how to negotiate software and EHR licensing agreements and other transactional issues with respect to dealing with health IT vendors.

For more information, please contact me at vschick@postschell.com or 202-661-6945.

Tags: ARRA, Articles, EHR, EMR, HITECH, HITECH Act, Meaningful use, Medicaid, Medicare, News, Privacy & Security, electronic health records, electronic medical records, free webinar, incentive payments, meaningful use definition, meaningful use regulations, webinar

Pritts named first ONC Chief Privacy Officer

Posted on February 18, 2010 by Steve Fox and Vadim Schick

Joy Pritts, a researcher and faculty member at Georgetown University's Health Policy Institute, was named as the first Chief Privacy Officer for the Office of National Coordinator for Health IT. This position was created pursuant to a provision in ARRA, last year's economic stimulus legislation.

In her new position, Ms. Pritts will advise Dr. Blumenthal on forming policies on privacy, security and data stewardship of electronic health information, as well as coordinate similar efforts on state, federal and international levels.

Ms. Pritts is a graduate of Oberlin College and Case Western Reserve University School of Law. She has testified before Congress on data privacy issues, and served as a member of Technical Advisory Panel for the multi-state Health Information Security and Privacy Collaborative (HISPC) and on the board of the National Governors Association’s State Alliance for e-Health.

Tags: ARRA, Articles, Blumenthal, HIPAA, HITECH, HITECH Act, News, ONC, Pritts, Privacy & Security, chief privacy officer, office of national coordinator, privacy

Study finds big increases in physicans' online communications with patients

Posted on February 16, 2010 by Steve Fox and Vadim Schick

According to American Medical News (AMN), a new report by Manhattan Research states that online communications by physicians have increased by 14% since 2006. The survey of 1900 physicians found that 39% of physicians use online communication tools such as email, secure messaging, or instant messaging.

Dermatologists lead all other surveyed practices in the volume of online communications, which, according to Girish Munavalli, MD, assistant professor of dermatology at Johns Hopkins University School of Medicine, can be attributed to "a lot of triage calls and calls for clarification of instructions" which come from dermatologists' large patient volumes. "This is perfect for short e-mail communication and reminders," added Dr. Munavalli.

Dermatologists are followed by oncologists, neurologists, endocrinologists, infectious disease specialists, and primary care physicians.

Of course, certain obstacles remain. Some doctors abstain from using such technology because of liability worries, while many patients prefer in-person meetings because of concerns regarding privacy of their health information. Still, the report suggests that this increase may be due to the growing comfort level and acceptance of online communication between physicians and patients. And it may even indicate a larger trend of greater familiarity and use of other health-related technologies, such as EMRs and personal health records.

Tags: ARRA, Articles, EMR, HITECH Act, News, Physicians, Privacy & Security, health information, messaging, online communication tools, online communications, patient communications, privacy, secure

Obama administration announces $975M in HIT grants

Posted on February 16, 2010 by Steve Fox and Vadim Schick

HHS Secretary Kathleen Sebelius, appearing with Labor Secretary Hilda Solis, announced the Obama administration will release almost $1 billion set aside in the stimulus bill in order to aid implementation of health information technology.

Secretary Sebelius announced $386 million in grants to advance widespread adoption of EHRs at the state level, including for health information exchanges (HIEs). HHS also awarded $375 million to 32 nonprofits for Regional Extension Centers which assist providers in updating their medical record systems and train workers on such new technologies.

Secretary Solis announced around $225 million to support 55 job-training programs in 30 states which is expected to train around 15,000 people in the health records technology.

The Obama administration expects to help more than 100,000 health-care providers set up electronic medical records for their patients by 2014.

Tags: ARRA, Articles, EHR, EMR, HIE, HITECH, HITECH Act, News, Privacy & Security, Regional Extension center, Sebelius, grant, health information exchange, training

Grassley follows up with letter to 31 hospitals regarding HIT vendor practices

Posted on February 8, 2010 by Steve Fox and Vadim Schick

Following up on his letter to health IT companies last fall, Senator Chuck Grassley (R-IA) sent a letter to 31 hospitals in the United States to inquire about each hospital's experience with purchasing and implementing health information technology. According to Healthcare IT News:

Grassley cites reports he’s heard about “difficulties and challenges associated with HIT implementation,” including “administrative complications,” “formatting and usability issues,” “computer errors stemming from the programs themselves,” and problems with “interoperability between programs.”

More specifically, he raises concerns that “when [providers] report such problems to their facilities and/or the product vendors, their concerns are sometimes ignored or dismissed.” Often, he writes, “this is attributed to alleged ‘gag orders’ or non-disclosure clauses in the HIT contract that prohibit health care providers and their facilities from sharing information outside of their facilities regarding product defects and other HIT product-related concerns."

You can find more about Sen. Grassley's letter to hospitals in his office's press release, which includes the full text of the letter.

Tags: ARRA, Articles, Grassley, HIT, HITECH Act, News, gag orders, health it vendors, vendor practices

Rising numbers and costs of data breaches

Posted on January 28, 2010 by Vadim Schick

There is little doubt that the healthcare industry must prepare for a growing number of - and expanding costs associated with - data breaches, particularly for breaches of protected health information. Here are just a few notable reports on this subject:

Infosecurity.com reported on a striking increase in attempts to hack into healthcare organizations, while the rate of hacking in other economic sectors remained flat: "the last quarter of [2009] saw an average of 13 400 attempts to hack healthcare organizations, compared to an average of 6,500 in the first nine months." According to researchers at SecureWorks, which produced the graph above, healthcare organizations are particularly vulnerable to such attacks because they "have to provide access to many external networks and web applications so as to stay connected with their patients, employees, insurers and business partners. This increases their risk to cyber attacks."

Cnet News reported on similar findings by the Ponemon Institute, whose survey concluded that "Data breaches at U.S. companies attributed to malicious attacks and botnets doubled from 2008 to 2009 and cost substantially more than breaches caused by human negligence or system glitches." The cost per compromised record involving a criminal act averaged $215, about 40% higher than breaches from negligence and 30% higher than those from glitches, the Ponemon survey found.

Tags: ARRA, Articles, BCBS, HITECH, HealthNet, News, Privacy & Security, Privacy and Security, breach, credit, data breach, hacking, health information, malware, monitoring, notification, privacy, security

Negotiating vendor-financed EMR transactions

Posted on January 15, 2010 by Vadim Schick

Ingenix, the technology unit of United Health Group, and Allscripts-Misys Healthcare Solutions joined Siemens, GE Healthcare and IBM in offering financing for purchasers of electronic medical record technology. This continues the trend of vendors offering interest-free financing until healthcare providers receive the "meaningful use" incentive payments or reimbursements under the HITECH Act.

While such offers may provide a solution to some of the credit and financing woes facing the healthcare industry, healthcare providers should be acutely aware of the many potential pitfalls and related issues inherent in vendor-financed deals, including: (1) additional pressure from vendors to accept their standard contractual terms and conditions, rather than engaging in full-blown contract negotiations, because vendors have much more leverage if they are also the creditor in the transaction; (2) failing to obtain necessary warranties and representations from vendors that their systems will comply with all relevant requirements under ARRA and the HITECH Act and will permit the provider to achieve meaningful use; (3) dealing with problems that may arise if either the vendor’s product fails to achieve applicable certification (e.g., CCHIT), is not “accepted” by the provider after completion of acceptance testing or the product does not enable the provider to achieve “meaningful use” in a timely manner, as well as a host of other issues.

Steve Fox and yours truly explore the issues around vendor financing of EHR system purchases in the latest issue of the Journal of Health Information Management, where we suggest recommended courses of action for healthcare providers considering acquiring HIT systems, including EMRs, by using vendor financing options. A complimentary PDF copy of the article is available here.

Tags: ARRA, Articles, EHR, EMR, GE, HITECH, HITECH Act, Ingenix, JHIM, News, Siemens, agreement, contract, finance, incentive payments, loan, negotiating, negotiation, vendor-financed, zero-interest

In the news: Privacy breaches and de-identification

Posted on January 11, 2010 by Steve Fox and Vadim Schick

According to LA Weekly, Huping Zhou, a former employee at the UCLA Healthcare System, pleaded guilty to federal charges of breaches of patient privacy. Zhou, 48, accessed the UCLA patient records system 323 times during the three-week period, mostly looking for the files of celebrities, after being let go by the hospital. Names of targeted celebrities have not been revealed. This case follows a similar breach at UCLA Medical Center, when Lawanda Jackson, a former nurse at the Center, plead guilty to wrongfully accessing information of Britney Spears and Farrah Fawcett.

Delaware Online reports about a new unfortunate trend in medical identity theft -- searching for copies of discarded prescriptions: "In the latest crime trend to hit Delaware, police are reporting that people looking for drugs such as Oxycontin and Vicodin are stalking customers who throw away prescription bags containing paperwork with details about their pills and themselves. They use the personal information to call in prescriptions and charge them to the victims' insurance. Then they turn around and sell the drugs." According to Bruce DiVincenzo, chief agent of Delaware's Office of Narcotics and Dangerous Drugs:

They're making their own scripts by ordering paper from the Internet," he said. "It's the patient's name that they want, because that person is actively listed as a customer of the pharmacy and will not raise suspicion."

Pharmacies like CVS and Happy Harry's (a subsidiary of Walgreens) take certain precautions to prevent such identity theft, including checking ID's before filling prescriptions and reminding customers to be careful with their receipts and copies of prescriptions.

Tags: ARRA, Articles, HIPAA, HIPAA Privacy Rule, HIPAA Security Rule, HITECH Act, News, Privacy & Security, breach, de-identification, deidentification, identity theft

Updated: Meaningful Use Definition Released in the Federal Register

Posted on December 30, 2009 by Steve Fox and Vadim Schick

CMS released a proposed rule pursuant to the HITECH Act which includes the much-anticipated definition of Meaningful Use of Certified EHR technology. You can find the full text here.*

HHS has also released an interim final rule with a request for comments to adopt an initial set of standards, implementation specifications, and certification criteria, as required by section 3004(b)(1) of the Public Health Service Act. This interim final rule represents the first step in an incremental approach to adopting standards, implementation specifications, and certification criteria to enhance the interoperability, functionality, utility, and security of health information technology and to support its meaningful use. The certification criteria adopted in this initial set establish the capabilities and related standards that certified electronic health record (EHR) technology will need to include in order to, at a minimum, support the achievement of the proposed meaningful use Stage 1 (beginning in 2011) by eligible professionals and eligible hospitals under the Medicare and Medicaid EHR Incentive Programs. You can find this interim rule here.*

Tags: ARRA, Articles, CMS meaningful use, Certified EHR, EHR, EMR, Federal Register meaningful use, HITECH Act, Meaningful use, News, Privacy & Security, federal register, incentive payments, meaningful use definition, meaningful use regulations

ALERT: CMS and ONC to Discuss Next Steps in EHR Programs Today

Posted on December 30, 2009 by Steve Fox and Vadim Schick

Today the Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator for Health Information Technology (ONC) will announce two regulations that lay a foundation for improving quality, efficiency, and safety through meaningful use of electronic health record (EHR) technology.

The regulations will help implement the EHR incentive programs enacted under the Health Information Technology for Clinical and Economic Health (HITECH) Act, which was part of the American Recovery and Reinvestment Act of 2009. Public comments on both regulations are encouraged.

Join today’s call; details are listed below:

WHO:
--David Blumenthal, MD, MPP, national coordinator for health information technology
--Jonathan Blum, director, Center for Medicare Management
--Cindy Mann, director, Center for Medicaid and State Operations

WHAT:
Briefing for HITECH Partners and Stakeholders – Providers, HIT Industry Organizations

WHEN:
Today, Wednesday, Dec. 30, 2009, 5:15 p.m. – 6:00 p.m. Eastern Time

WHERE:
Toll-Free Dial: (800) 837-1935
Conference ID: 49047605
Pass Code: HITECH

Stay tuned for more updates and information on the HIMSS Meaningful Use Web site at http://bit.ly/5IdkDe . HIMSS will be posting a statement tomorrow.

Tags: ARRA, Articles, Blumenthal, CMS, HITECH Act, Meaningful use, News, Privacy & Security

GE and Siemens provide new financing options for Health IT purchases

Posted on December 29, 2009 by Steve Fox and Vadim Schick

On the eve of HHS releasing the much-anticipated definition of "meaningful use," health IT divisions of GE and Siemens revealed new financing options for purchases of their EMR and other HIT products.

On December 16, 2009, Siemens followed IBM and GE in offering "a series of flexible financing solutions to help healthcare providers pursue meaningful use objectives and meet [HITECH Act] deadlines <...> Featuring zero-percent interest terms for qualified customers, the solutions enable organizations to defer up-front payments associated with their technology investment while meeting criteria for future government incentive monies."

According to Fierce Healthcare:

To provide the greatest possible range of choices for customers, Siemens offers solutions from Siemens Financial Services, Inc. as well as from selected partners, including IBM Global Financing and 3-D Financial Services. These options allow customers to choose a customized financing solution that matches their individual technology acquisition roadmaps, business strategies, financial profiles, and technology needs. <...>

By bridging the gap between the project implementation and the receipt of ARRA incentive, Siemens will be providing its customers an option which allows them to optimize their cash flow while maximizing return on investment.

Tags: 0%, ARRA, Articles, Centricity, EHR, EMR, GE, HITECH, HITECH Act, Meaningful use, News, Siemens, financing, incentive payments, meaningful use definition

CCHIT certifies EHR products for Preliminary ARRA 2011 program

Posted on December 21, 2009 by Steve Fox and Vadim Schick

Via Healthcare IT News:

The Certification Commission for Health Information Technology has certified 14 electronic health record products that pass muster for provider use under the American Recovery and Reinvestment Act of 2009 (ARRA).

"We believe it will be a challenge for providers who have not yet begun to evaluate products to purchase and implement EHR technology and achieve meaningful use in time for the 2011-2012 incentives," said Alisa Ray, the CCHIT's executive director. "We have received more than 30 applications for our 2011 certification programs – more than half of which are for the comprehensive program – and are announcing new certifications regularly so providers can begin to consider EHR technology that demonstrates compliance with the proposed federal standards."

According to Ray, the Preliminary ARRA 2011 program is a modular, limited certification and inspects technology only against the federal standards. It offers flexibility for health IT companies, developers and providers in meeting ARRA 2011-2012 certification requirements.

Tags: ARRA, Articles, CCHIT, Certified EHR, HITECH Act, News, meaingful use

ONC names 17 members of the privacy and security workgroup

Posted on December 11, 2009 by Steve Fox and Vadim Schick

The Office of National Coordinator for Health IT named 17 members of the newly formed privacy and security workgroup of the HIT Policy Committee. According to Government Health IT:

The work group will be co-chaired by Deven McGraw, director of the Health Privacy Project at the Center for Democracy and Technology, and Rachel Block, executive director of the New York eHealth Collaborative and deputy commissioner for health IT transformation at the New York State Department of Health.

Their team will advise the Policy Committee on such matters as how safeguards for the exchange of health information should fit into the “meaningful use” test for health IT incentives that ONC has been working on.

The ONC has previously announced the establishment of a separate workgroup devoted to creation of a national health information network, which, of course, will have to deal with its own set of privacy and security concerns. There is also a privacy and security workgroup under the HIT Standards Committee.

Tags: ARRA, Articles, HIT Policy Committee, HIT Standards Committee, HITECH Act, Meaningful use, News, ONC, ONCHIT, Privacy & Security, Privacy and Security, meaningful use definition, office of national coordinator

In the news: EHR incentives; the rising threat of medical identity theft

Posted on November 30, 2009 by Steve Fox and Vadim Schick

In a letter to Dr. Blumenthal, the Medical Group Management Association (MGMA) urged the ONC to define "meaningful use" in a practical and achievable way. Otherwise, many providers could fail to qualify for the HITECH Act's incentives. The MGMA is recommending, inter alia, instituting a pilot test prior to the start of the program and before each new phase of the program; including only criteria for meaningful use that have widespread industry use or have been tested; permitting physicians to test their reporting systems prior to their “go-live” date; permitting flexibility in achieving meaningful use and avoiding a “pass/fail” approach; developing a simple process for physicians to attest that they have achieved meaningful use; simplifying the data-reporting process and ensuring that the government is ready to accept the data; closely monitoring the industry to ensure that the program logistics operate appropriately; and ensuring government oversight of the vendor community for its ability to produce high-quality and reasonably priced software.

A former Johns Hopkins hospital employee, Michelle Johnson, was sentenced to 18 months in prison and ordered to pay $200,000 in restitution for stealing patient information. According to the Associated Press, Ms. Johnson, formerly a patient services coordinator, "provided a conspirator with names, Social Security numbers and other identifying information of more than 100 current and former patients of Johns Hopkins. That information was used to apply for credit. Johnson kept some of the fraudulently ordered merchandise for herself, including a computer monitor, a cordless phone, and clothes for herself and her children."

Tags: ARRA, Articles, Blumenthal, HITECH Act, MGMA, News, Privacy & Security, electronic health records, electronic medical records, meaningful, meaningful use definition, use

New York Times: New study shows little improvement for EMR users

Posted on November 17, 2009 by Steve Fox and Vadim Schick

The New York Times reported on a new study led by Dr. Ashish Jha of the Harvard School of Public Health and Catherine M. DesRoches of Massachusetts General Hospital which found only marginal benefits to hospitals using electronic health records in terms of reducing costs and improving the quality of care.

The new study placed hospitals into three groups: those with full-featured electronic health records, those with more basic ones, and those without computerized records. It then looked at their performance on federally approved quality measures in the care of conditions like congestive heart failure and pneumonia, and in surgical infection prevention.

In the heart failure category, for example, the hospitals with advanced electronic records met best-practice standards 87.8 percent of the time; those with basic computer records, 86.7 percent; and those without, 85.9 percent. The differences in other categories were similarly slender.

Reducing the length of hospital stays, according to many experts, should be a big money-saving payoff from electronic health records — as better care aided by technology translates into less time spent in hospitals. For hospitals with full-featured digital records, the average length of stay was 5.5 days; for those with basic computer records, 5.7 days; and those without, 5.7 days.

The upside, if any? Dr. Karen Bell, a former HHS official, was not surprised by the findings and hopes that the real benefits will be achieved after use of EMRs is much more widespread:

'There will be no clear answers on the overall payoff from the wider use of electronic health records until we get further along, five years or more, said Dr. Bell, [now a] senior vice president for health information technology services at Masspro, a nonprofit group. “But that doesn’t mean we shouldn’t go forward.'

"Little Benefit Seen, So Far, in Electronic Patient Records," New York Times (November 16, 2009).

Tags: ARRA, Articles, EHR, EMR, HITECH Act, News, cost reduction, costs, incentive payments, quality of care

Timely advice: Begin preparations for "meaningful use" now

Posted on November 12, 2009 by Steve Fox and Vadim Schick

Our collaborator and friend James Oakes, a Principal at Health Care Information Consultants, LLC in Baltimore, Md., authored a wise and timely call for action for healthcare providers hoping to capitalize on the incentive payments for meaningful use of certified EHR technology included in the HITECH Act.

The article, appearing in BNA's Health IT Law & Industry Report, argues that even though the HHS has yet to produce final regulations defining such key HITECH Act terms as "meaningful use" and "certified EHR technology," healthcare providers should not wait any longer to begin planning for the transition from paper to digital records, or the likely required updates to existing EHR systems:

Given the uncertainty surrounding these issues, a number of providers have elected to delay any action towards selecting and implementing an electronic health record (EHR) for their institution until answers are made available, reasoning that they want to know as much as possible before committing to a direction. However, providers who take this path may put themselves at risk for forfeiting eligibility for ARRA funds at all, given the time to execute and implement systems.

Tags: ARRA, Act, Articles, EHR, EMR, HITECH, HITECH Act, Meaningful use, News, electronic health records, incentive payments, meaningful use definition, vendor

HHS releases interim final regulations on HIPAA enforcement changes

Posted on November 2, 2009 by Steve Fox and Vadim Schick

Pursuant to the HITECH Act, the Department of Health and Human Services (HHS) released interim final regulations updating enforcement rules for violations of HIPAA. As reported in Healthcare IT News:

Prior to the HITECH Act, the penalty could be no more than $100 for each violation or $25,000 for all identical violations of the same provision.

A healthcare provider, health plan or clearinghouse could also bar the secretary's imposition of a civil money penalty by demonstrating that it did not know that it violated the HIPAA rules.

Section 13410(d) of the HITECH Act strengthened the enforcement by establishing tiered ranges of increasing minimum penalty amounts, with a maximum penalty of $1.5 million for all violations of an identical provision. A covered entity can no longer bar the imposition of a civil money penalty for an unknown violation unless it corrects the violation within 30 days of discovery.

The interim final rule with request for comments, published last week, conforms the HIPAA enforcement regulations to the revisions made by the HITECH Act. This rule will become effective on Nov. 30. HHS will consider all comments received by Dec. 29.

You can find the full text of the rule is here.

"HIPAA violators could face fines up to $1.5M," Healthcare IT News (November 2, 2009).

Tags: ARRA, Articles, HHS, HIPAA, HITECH Act, News, Privacy & Security, civil money penalty, enforcement

Sen. Grassley voices concerns about HIT vendor practices

Posted on October 27, 2009 by Steve Fox and Vadim Schick

According to the Wall Street Journal's Health Blog:

In letters sent earlier this month to 10 companies, [Senator Chuck] Grassley says that he’s “received complaints” about systems that allow doctors to enter medical orders by computer. (Here’s a copy of the letter.) This is a big deal these days because the stimulus bill provides billions of dollars in federal incentives to encourage doctors and hospitals to start using these sorts of systems.

Grassley asks the companies to send him copies of “complaints and/or concerns” that health-care providers have expressed about the systems. He wants to know whether the companies typically include legal provisions in their contracts that “shift responsibility for errors in the … systems to physicians, nurses, pharmacists, and other health care providers.”

And he cites reports that contracts sometimes “include ‘gag orders,’ which prohibit health care providers from disclosing system flaws and software defects.” He asks the companies how many settlement agreements they’ve executed in the last 18 months.

So far, representatives of Cerner, McKesson and Allscripts indicated that they plan to cooperate with Sen. Grassley's request.

You can find more information on Grassley's letters via the Washington Post, here.

You can see a copy of Grassley's letter to 3M here.

"Chuck Grassley Has a Few Questions for the Health IT Industry," Health Blog (October 26, 2009).

"Electronic medical records not seen as a cure-all," Washington Post (October 25, 2009).

Tags: ARRA, Articles, CPOE, Grassley, HIT, HITECH Act, News

CBS News reports on EHR efforts

Posted on October 21, 2009 by Steve Fox and Vadim Schick

By popular demand, here is the video of David Pogue's report on the Obama Administration's efforts to digitize patient records in the U.S.

Watch CBS News Videos Online

"Charting a New Course," CBS News (September 13, 2009).

Tags: 2012, 2015, ARRA, Act, Articles, Blumenthal, EHR, EHRs, EMR, EMRs, HITECH, News, electronic, health, incentive, payments, privacy, records, reimbursements, security

New York Times interviews David Blumenthal

Posted on October 21, 2009 by Steve Fox and Vadim Schick

David Pogue, a reporter for the New York Times, posted the transcript of his interview with Dr. David Blumenthal, National Coordinator for Health IT. Mr. Pogue interviewed Dr. Blumenthal for a CBS news report on digitization of healthcare in America (the video is available after the jump).

Here are some highlights from the interview:

On current state of health IT in the US:

We found that about 17 percent of physicians in 2008 had adopted an electronic health record, and about ten percent of hospitals. <...> The rest is paper. It's basically the same system that physicians have used since Hippocrates, which is writing on some piece of paper.

On reimbursement penalties for those failing to achieve meaningful use by 2015:

From 2011 to 2015, there is a bonus. The Congress has put $45 billion on the table to ease physicians and hospitals into this new world of computerized medicine.After 2015, if you have not adopted, and you see Medicare or Medicaid patients, you may experience a penalty. 2015 is six years off. Six years is plenty of time for physicians to get themselves organized to put a record in place and avoid those penalties.

Tags: 2012, 2015, ARRA, Articles, Blumenthal, EHR, EHRs, EMR, EMRs, HITECH, HITECH Act, News, Privacy & Security, electronic health records, incentive payments, privacy, reimbursements, security

In the news: Blumenthal on "meaningful use," new health information management jobs, etc.

Posted on October 12, 2009 by Steve Fox and Vadim Schick

Dr. David Blumenthal, the National Coordinator for Health IT, gave an update on the Obama Administration's efforts to define "meaningful use" and to further adoption of EHRs nationwide. Blumenthal did not reveal any new details regarding the upcoming regulations on meaningful use, reminding his audience of the upcoming "notice of proposed rulemaking in late 2009 with a public comment period in early 2010."

Meanwhile, according to Government HealthIT, the next meeting of the HIT Policy Committee, which will meet on October 27 and 28, will focus on how to map meaningful use objectives to medical specialties as well as small practices and hospitals.

Speaking at the 81st annual American Health Information Management Association convention in Grapevine, Texas, Dr. Blumenthal stated that he expects 50,000 health information management (HIM) jobs to be created as the U.S. moves from the paper-based to the digital system of healthcare. AHIMA's CEO, Linda Kloss, noted that the interest in HIM careers has "exploded" during the last year.

Much more news after the jump.

Tags: ARRA, Articles, Blumenthal, EHR, HIE, HITECH Act, Meaningful use, News, Privacy & Security, e-payment, e-prescribing, health information exchange, meaningful use definition

A note of caution about vendor guarantees on "meaningful use"

Posted on October 5, 2009 by Steve Fox and Vadim Schick

According to Modern Healthcare, several HIT vendors, including GE Healthcare, NextGen Healthcare Information Systems, and Athenahealth, will guarantee that their EHR products will meet or "evolve to meet" the federal requirements for "meaningful use," even though such requirements have not been promulgated yet by CMS. In fact,

Athenahealth recently upped the ante by guaranteeing that, not only will the company's AthenaClinicals Internet-based electronic health-record service meet federal standards, but the doctors who use it will receive a bonus payment for the 2011 program year under the terms of the [HITECH Act].

The HITECH Act provides for a first-year incentive payment of $18,000 for those eligible professionals who achieve meaningful use of certified EHR technology in 2011 or 2012, instead of a first-year payment of $15,000 thereafter.

Some vendors hope that such guarantees will spur activity in the market, persuading some reluctant healthcare providers not to wait until CMS issues its final "meaningful use" regulations next year. There is also some doubt whether such guarantees apply to each vendor's existing customers or solely to new customers.

However, whenever a healthcare organization enters into an EMR purchase or license agreement, it must obtain strong warranties from the vendor that its product(s) and system will meet the applicable federal requirement standards at time of issuance of such standards, as well as for duration of the applicable license. "Meaningful use" requirements will likely change over the life of a license, and a vendor's obligation to meet such evolving standards is absolutely essential. Healthcare providers must also include proper remedies and appropriate carve-outs from vendor's limitation of liability for a vendor's breach of such warranties.

Tags: ARRA, Articles, EHR, EMR, HITECH, HITECH Act, News, Privacy & Security, guarantee, incentive payments, meaingful use, warranties, warranty

PWC Survey Findings May Support North Shore's EMR Gamble

Posted on October 5, 2009 by Steve Fox and Vadim Schick

The New York Times reported last week that the North Shore-Long Island Jewish Health System (North Shore) will offer its 7,000 affiliated (though not employed by North Shore) physicians subsidies for implementing electronic health records. Interestingly, this subsidy does not include or prevent such physicians from qualifying for the approximately $44,000 in Medicare incentive payments under ARRA.

North Shore plans to subsidize 50% of the total cost of the EMR system (which uses Dell hardware and Allscripts software) for practices "who simply install electronic health records that can communicate between the doctor's office, labs and hospitals." However, the health system will subsidize 85% of the total cost of the EMR -- a figure driven, no doubt, by the exceptions to the Stark and Anti-Kickback laws -- for physicians willing to share some of their patient data.

North Shore is counting on the availability of shared data to reduce the cost of care through reduction of unnecessary tests and medical mistakes. A recent PriceWaterhouseCoopers (PWC) survey may support North Shore's reasoning. The survey found broad agreement among healthcare executives with respect to secondary uses of EMR patient data. Among other findings (discussed after the jump), the PWC survey found that 42% of organizations already using some form of secondary data use achieved cost savings, 29% increased their revenue, and 59% saw improvements in quality of care.

Tags: ARRA, Articles, EHR, EMR, HITECH, HITECH Act, News, North Shore, PWC, electronic health records, secondary data, secondary use

Sebelius announces $28M in grants for EHR implementation

Posted on September 30, 2009 by Steve Fox and Vadim Schick

HHS Secretary Kathleen Sebelius announced almost $28 million in grants for more than twenty health centers to implement or improve their electronic health records technology. This funding is allotted from the $2 billion set aside for Health Resources and Services Administration (HRSA) health centers in the ARRA. HRSA health centers provide medical services for the uninsured and low-income individuals.

According to the HHS press release:

Eighteen grants totaling more than $22.6 million will support EHR implementation. Grants totaling more than $2.6 million will help four grantees implement a variety of HIT innovations, including the creation of health information exchanges among different providers and the incorporation of HIT at dental delivery sites. Another five grants totaling over $2.5 million will help health centers devise plans to use existing EHRs to improve patient health outcomes.

HRSA received $2 billion through the Recovery Act to expand health care services to low-income and uninsured individuals through its health center program. To date, more than $1.3 billion of these funds have been awarded to community-based organizations across the country. HRSA-supported health centers treated 17 million patients in 2008, 40 percent of whom have no health insurance.

You can find the full list of recipients here.

"Secretary Sebelius Releases $27.8 Million in Recovery Act Funds to Expand the Use of Health Information Technology," HHS Press Release (September 29, 2009).

"HHS releases $28M in ARRA funding to accelerate health IT," Healthcare IT News (September 30, 2009).

Tags: ARRA, ARRA grant, Articles, EHR grant, HHS EHR grant, HITECH Act, HRSA, News, grant

Health IT Market Heats Up

Posted on September 30, 2009 by Steve Fox and Vadim Schick

The last few weeks saw a tremendous amount of activity in the health IT market. Dell and Xerox were among the companies trying to capitalize on opportunities created by the ARRA incentives and certain market trends, including high demand for HIT products due to the ongoing digitization of the industry and, more generally, the expanding healthcare needs of an aging population in the United States.

Dell is quickly establishing itself as a major player in health IT. In April 2009, Dell aligned itself with Wal-Mart and eClinical Works to supply hardware for Wal-Mart's new EHR system. Last month, Dell rolled out its own EHR system aimed at physicians affiliated with hospital practices, with Tufts Medical Center and Memorial Hermann Health Care System among the early adopters.

Even more significantly, on September 21, 2009, Dell announced its plans to acquire the health IT vendor Perot Systems Corp. for $3.9 billion. Perot is a major player in the healthcare industry: about half of Perot's $2.8 billion in annual revenue comes from the healthcare market; and as much as half of the hospitals that outsource their IT are Perot clients. Perot runs over 3,000 healthcare applications for its clients, though the company does not have a preferred provider arrangement with a specific application vendor.

Tags: ACS, ARRA, Affiliated, Articles, Dell, EHR, EHR technology, EMR, EMR technology, HIT, HITECH Act, News, Perot, Systems, Xerox, acquisition, electronic health records, electronic medical records, health IT, merger

HIT Standards Committee endorses privacy and security standards

Posted on September 21, 2009 by Steve Fox and Vadim Schick

On September 15, 2009, the HIT Standards Committee endorsed a set of privacy and security standards for electronic health record systems.
These standards will be recommended to Dr. David Blumenthal, the National Coordinator for Health Information Technology, as a basis for establishing the privacy and security criteria for, inter alia, "certified EHR technology" as defined under the HITECH Act. Eligible healthcare providers must meet the criteria for "meaningful use" of "certified EHR technology" in order to qualify for significant incentives available under the HITECH Act.

The committee’s Privacy and Security Workgroup included access control, authentication, authorization and transmission of health data among the requirements that electronic health record systems must include by 2011 in order to meet the definition of "certified EHR technology." Specifically for 2011, the Standards Committee approved the Workgroup's recommendation to require certified products to provide the capabilities necessary to support the HIPAA and ARRA security and privacy requirements and best practices for “meaningful use.” The endorsed privacy and security standards will become more rigorous in 2013 and 2015.

You can find the spreadsheet of endorsed privacy and security standards here.

You can also view the presentation from the Workgroup here.

"Federal panel okays EHR security, privacy standards," Government Health IT (September 15, 2009).

Tags: ARRA, Articles, HIPAA, HIT, HIT Standards Committee, HITECH, HITECH Act, News, Privacy & Security, Privacy and Security, incentive, incentive payments, privacy, security

CCHIT to launch Preliminary ARRA Certification program next month

Posted on September 15, 2009 by Steve Fox and Vadim Schick

While the ONCHIT Advisory Committees continue to work on defining "meaningful use," the Certification Commission for Health Information Technology (CCHIT) plans to launch a new certification program for electronic health records systems based on the new requirements for such systems to qualify for incentive payments under the American Recovery and Reinvestment Act of 2009 (ARRA).

On October 7, 2009, CCHIT will "offer a modular certification program called Preliminary ARRA 2011 that is limited to the standards for qualifying EHR technology under the American Recovery and Reinvestment Act (ARRA)."

Regional Extension Program: Important Updates and Links from HHS

Posted on September 3, 2009 by Steve Fox and Vadim Schick

Via HHS e-mail update:

The Office of the National Coordinator for Health Information Technology (ONC) is pleased to announce the availability of materials that are of immediate interest and use to stakeholders and potential applicants for the Health Information Technology Extension Program: Regional Centers Cooperative Agreement Program, and that are new or updated since the August 27, 2009 technical assistance telephone and web conference.

REVISED – Preliminary Application Template (Attachment I to the Funding Opportunity Announcement): As discussed on the August 27th technical assistance public conference, the suggested template for applicants’ use in compiling and presenting the information required for the Preliminary Application has been updated to include the complete requirements established in the funding opportunity announcement and is now available from www.grants.gov and the Extension Program section of ONC’s website at http://healthit.hhs.gov/extensionprogram.

NEW – A complete transcript of the August 27th technical assistance conference is available for download from the Extension Program section of ONC’s website. Please visit http://healthit.hhs.gov/extensionprogram to access detailed information about the conference, including the transcript and the presentation slides used during the call.

NEW/REVISED – Program-specific Frequently Asked Questions (FAQs) are now available on the Extension Program section of ONC’s website. New FAQs are posted frequently, so potential applicants and other interested parties are encouraged to visit often. Please visit http://healthit.hhs.gov/extensionprogram then scroll down and click on “Frequently Asked Questions”.

On the HIT Extension Program site, you can find the Funding Opportunity Announcement / Application Instructions document, as well as a large FAQ section and the "Facts-At-A-Glance" summary.

You can find the August 27th, 2009 presentation (PPT) here, and the transcript of that same presentation here.

"Health Information Technology Extension Program: Regional Centers Cooperative Agreement Program Update," HHS e-mail update (September 3, 2009).

Tags: ARRA, ARRA funding, ARRA grant application, ARRA grants, HHS, HITECH Act, Meaningful use, News, ONC, Privacy & Security, Regional Extension Program, Regional Extension center, Regional Extension center grant, Regional Extension centers, extension program application, funding opportunity, grant, office of national coordinator, regional extension center grant application

HHS News: Interim Final Regulations on Breach Notification; Regional Office Privacy Advisors

Posted on August 20, 2009 by Steve Fox and Vadim Schick

On August 19, 2009, pursuant to the HITECH Act, the Department of Health and Human Services (HHS) published the interim final regulations regarding breach notification requirements for health care providers and other entities covered by HIPAA.

According to the HHS press release:

The regulations, developed by the HHS Office for Civil Rights (OCR), require health care providers and other HIPAA covered entities to promptly notify affected individuals of a breach, as well as the HHS Secretary and the media in cases where a breach affects more than 500 individuals. Breaches affecting fewer than 500 individuals will be reported to the HHS Secretary on an annual basis. The regulations also require business associates of covered entities to notify the covered entity of breaches at or by the business associate.

You can find the text of the regulation here.

Stay tuned for more analysis of this important set of regulations on this blog. The interim final regulations are effective 30 days after publication in the Federal Register and include a 60-day public comment period.

Tags: ARRA, Articles, HHS, HIPAA, HIPAA Privacy Rule, HIPAA Security Rule, HITECH, HITECH Act, News, Privacy & Security, Recovery Act, breach, breach notification, breach notification requirements, privacy

Government Health IT: CCHIT to serve temporarily as sole EHR certifier

Posted on August 18, 2009 by Steve Fox and Vadim Schick

Via Government Health IT:

The federal Health IT Policy Committee today endorsed recommendations that would leave the Certification Commission for Health IT in the short term as the sole organization authorized to certify health IT systems that qualified for funding under the economic stimulus plan. More certifying organizations would be added later.

Certification of electronic health record systems that met federal criteria for “meaningful use” of health IT could start as early as October, members of the Department of Health and Human Services’ Health IT Policy Committee said at the August 14th meeting.

Under the plan, CCHIT would provide a preliminary stamp of approval that health IT systems were HHS-qualified or certified until a final meaningful use regulation is published at the end of the year, said Marc Probst, chief information office of Intermountain Healthcare and co-chairman of the Committee’s certification work group.

Preliminary certification is meant to give providers and vendors enough certainty to proceed with planning, designing and purchasing systems in 2010. The HHS certification-qualification would mean that a provider purchasing the systems would be eligible for Medicare and Medicaid incentive payments under the stimulus law beginning in 2011.

"CCHIT will be sole health IT certifier, for now," Government Health IT (August 14, 2009).

Tags: ARRA, Articles, CCHIT, Certified EHR, EHR, HHS, HIT, HITECH, HITECH Act, Meaningful use, News, Privacy & Security

FTC Issues Final Breach Notification Rule for Electronic Health Information

Posted on August 17, 2009 by Steve Fox and Vadim Schick

Pursuant to the American Recovery and Reinvestment Act of 2009 (ARRA), the Federal Trade Commission (FTC) issued the final rule regarding notification requirements for breaches of electronic health information by vendors of personal health records and certain affiliated entities:

The rule applies to both vendors of personal health records – which provide online repositories that people can use to keep track of their health information – and entities that offer third-party applications for personal health records. These applications could include, for example, devices such as blood pressure cuffs or pedometers whose readings consumers can upload into their personal health records. Consumers may benefit by using these innovations, but only if they are confident that their health information is secure and confidential.

<...>

The Final Rule requires vendors of personal health records and related entities to notify consumers following a breach involving unsecured information. In addition, if a service provider to one of these entities has a breach, it must notify the entity, which in turn must notify consumers. The Final Rule also specifies the timing, method, and content of notification, and in the case of certain breaches involving 500 or more people, requires notice to the media. Entities covered by the rule must notify the FTC, and they may use a standard form, which can be found along with additional information about the rule at www.ftc.gov/healthbreach.

You can find the full text of the rule here.

"FTC Issues Final Breach Notification Rule for Electronic Health Information," FTC Press Release (August 17, 2009).

Tags: ARRA, Articles, FTC, HITECH Act, News, PHR, Privacy & Security, breach, breach notification, breach notification requirements, electronic, health, information, notification, personal, privacy, record, security

Maryland awards $10M for CRISP, a health IT exchange

Posted on August 13, 2009 by Steve Fox and Vadim Schick

The State of Maryland awarded $10 million to support the Chesapeake Regional Information System for our Patients (CRISP), a newly created health information technology exchange organization. Some of the biggest players in Maryland's health care industry, including Johns Hopkins, MedStar and the University of Maryland Medical System are going to participate in CRISP.

According to the Baltimore Business Journal:

Funding will come from the hospitals that will receive a slight increase in the prices they can charge patients and federal stimulus money.

The news comes as health care officials and lawmakers champion electronic medical records as a way of reducing health care costs. They argue that electronic medical records will reduce costs by hopefully eliminating unnecessary tests and reducing errors by allowing doctors to quickly access patients’ medical records.

State health insurers plan to provide incentives to hospitals, which include a lump sum payment or increased reimbursement, to adopt electronic health records.

"Maryland awards $10M for health IT exchange," Baltimore Business Journal (August 5, 2009).

Tags: ARRA, CRISP, HIE, HIT, HITECH, HITECH Act, Johns Hopkins, MedStar, News, RHIO, Stimulus, exchange, health information exchange

New York Times reports on privacy concerns about use of de-identified health information

Posted on August 10, 2009 by Steve Fox and Vadim Schick

The New York Times reported on Americans' growing concern regarding commercial use of their personal health information, especially the use of re-identified prescription drugs information for marketing purposes.

The article points out correctly that the Recovery Act of 2009 (ARRA) included a few key changes to the present privacy regime, which would make it more difficult for pharmacies and data mining companies to use patient information for marketing or fundraising purposes. While the new law (and the upcoming applicable HHS regulations sanctioned by ARRA) will close a few loopholes in the current medical privacy regime, data mining companies like IMS Health and Verispan do not seem to be overly worried about these new developments:

The law won’t shut down the medical data mining industry, but there will be more restrictions on using private information without patients’ consent and penalties for civil violations will be increased. Government agencies are still writing new regulations called for in the law. <...>

IMS Health reported operating revenue of $1.05 billion in the first half of 2009, down 10.6 percent from the period a year earlier. [An IMS representative] said he did not expect growing awareness of privacy issues to affect the business.

Tags: ARRA, EHR, EHRs, Google, GoogleHealth, HIPAA, HITECH, HITECH Act, News, PHR, PHRs, Privacy & Security, privacy

Sebelius shifts responsibility for HIPAA Security Rule enforcement to OCR

Posted on August 4, 2009 by Steve Fox and Vadim Schick

HHS Secretary Kathleen Sebelius has delegated the responsibility for administration and enforcement of the HIPAA Security Rule to the Office of Civil Rights, a division of HHS. Previously, Centers for Medicare and Medicaid Services (CMS), another HHS division, was responsible for Security Rule administration, while OCR was tasked with administering and enforcing the HIPAA Privacy Rule. Effective immediately, OCR is responsible for administering both Security Rule and Privacy Rule, as well as all HIT privacy and security related provisions in the HITECH Act.

According to HHS, this move "will eliminate duplication and increase efficiencies in how the department ensures that Americans’ health information privacy is protected." This transfer of authority is not meant to create any disruption of current procedures. Consumers may continue to submit HIPAA security complaints using the on-line resource – the Administrative Simplification Enforcement Tool (ASET) -- which can be accessed here. New security complaints may also be sent to the Office for Civil Rights.

You can find the Federal Register notice here.

"HHS Delegates Authority for the HIPAA Security Rule to Office for Civil Rights," HHS Press Release (August 3, 2009).

Tags: ARRA, CMS, HIPAA, HIPAA Privacy Rule, HIPAA Security Rule, HITECH Act, News, OCR, Privacy & Security, Sebelius, delegate

Study finds dramatic increase in operational HIEs

Posted on July 22, 2009 by Steve Fox and Vadim Schick

eHealth Initiative, an affiliation of organizations devoted to improving the quality, safety and efficiency of healthcare through information technology, released its 2009 survey on Health Information Exchange (HIE), titled "Migrating Toward Meaningful Use: The State of Health Information Exchange."

The survey found many positive trends in the expansion of HIE's in the United States, including:

the number of operational HIE initiatives (e.g., exchanges transmitting live data among stakeholders) has increased by nearly 40% since 2008;
positive impact on physician practices by improving efficiency without disrupting care (e.g., quicker access to test results, reduced staff time spent searching for results and performing other administrative functions);
reduction in costs associated with, inter alia, reduced staff time spent on searching for test results and performing other clerical functions, as well as reduction in duplicate tests and medical errors; and
steadily growing number of initiatives are exchanging data, with almost universal increases in the type of data exchanged.

The survey also found that "initiatives identified 'addressing privacy and confidentiality issues' as the most pressing challenge they face, surpassing 'developing a sustainable business model'."

eHealth Initiative's press release, which includes a more detailed summary of the survey, can be found here.

"Migrating Toward Meaningful Use: The State of Health Information Exchange," eHealth Initiative Study (July 22, 2009).

Tags: ARRA, Articles, HIE, HIE initiative, News, Privacy & Security, ROI, costs, eHealth Initiative, health information exchange, initiative, reducing cost

HIT Policy Committee Reveals "Meaningful Use" Proposal

Posted on July 16, 2009 by Steve Fox and Vadim Schick

Via Healthcare-Informatics:

By 2011, at least 10 percent of all orders processed in a hospital must be entered through CPOE to qualify that institution for CMS incentives under the HITECH Act, according to a proposed matrix of meaningful use released today by ONC’s HIT Policy Committee.

Other 2011 hospital requirement are:

implementation of drug-drug, drug-allergy, and drug-formulary checks

maintenance of up-to-date problem lists of current and active diagnoses based on ICD-9 or SNOMED

incorporation of lab-test results into EHR as structured data

reporting of hospital quality measures to CMS

implementation of one clinical decision rule related to a high-priority hospital condition

providing of patients with an e-copy of their health information

capability to exchange key clinical information (eg. discharge summary, procedures, problem lists, medication lists, allergies, test results) among providers of care

In another major development, the committee recommended that incentives be paid according to an ‘adoption year’ timeframe rather than a calendar year timeframe. “Under this scenario, qualifying for the first-year incentive payment would be assessed using the 2011 Measures. The payment rate and phaseout of payments would follow the calendar dates in the statute, but qualifying for incentives would use the ‘adoption-year’ approach,” the committee stated.

Here is the link to the matrix.

Stay tuned for more on meaningful use definition.

Tags: ARRA, Articles, HIT, HIT Policy Committee, HITECH Act, Meaningful use, News, ONC, ONCHIT, meaningful use definition

HIT Policy Committee workgroup presents preliminary definition for Meaningful Use

Posted on June 16, 2009 by Steve Fox and Vadim Schick

On June 16, 2009, the Workgroup on Meaningful Use presented its findings to the HIT Policy Committee. The findings include two parts: the preamble and the matrix. The matrix consists of goals to be achieved by 2011, 2013, and 2015, and the metrics for such goals to evaluate hospital and clinician progress in meeting them.

We will have much more analysis on this preliminary definition later, so stay tuned for our updates. Meanwhile, our favorite "geek doctor" John Halamka stated the following on his blog:

Now that the initial definition of meaningful use is available, the HIT Standards Committee workgroups and HITSP will work through the month of July to ensure the matrix is populated with the most up to date standards and implementation guide detail.

Hospitals and Clinician offices now know what is expected for 2011, so the time is now to begin your software implementations.

"Meaningful Use has Arrived", Life as a Healthcare CIO (June 16, 2009).

Tags: ARRA, Articles, Blumenthal, HIT Policy Committee, HITECH Act, Meaningful use, News, ONC, ONCHIT, meaningful, use

EHR Market to reach $1.6BN in 2013

Posted on June 4, 2009 by Steve Fox and Vadim Schick

Healthcare IT News reports that a new study projects that the market for electronic health records related equipment and software will reach $1.6 billion in 2013, which is almost three times more than last year's value. EHR market was estimated at $575 million in 2008. ARRA is, of course, the main reason for such a steady rise in market value:

Driven by the growing use of EMRs in hospitals and physician offices, this segment of the patient monitoring market will grow 23.3 percent annually through 2013, notes the report, "High-Tech Patient Monitoring Systems Markets (Remote and Wireless Systems, Data Processing, EMR Data Transfer)."

Increased use of EMRs and high-tech patient monitoring systems is a key piece of President Barack Obama's plan to fix the ailing healthcare system, the report notes, because they have the potential to improve patient outcomes and satisfaction, provide cost savings and more efficient use of healthcare resources and reduce hospitalizations.

Full article here.

"Market for EMRs pegged at $1.6 billion by 2013", Healthcare IT News (June 4, 2009).

Tags: ARRA, Act, Articles, HITECH, HITECH Act, News

NCVHS issues summary of its hearing on "meaningful use"

Posted on May 28, 2009 by Steve Fox and Vadim Schick

The National Committee on Vital and Health Statistics (NCVHS) held a public meeting on April 28-29, 2009 in Washington, DC to help define and clarify the term “meaningful use” with respect to such term's use under the HITECH Act.

NCVHS provided a summary report of "the themes elaborated upon by the over 100 stakeholders who provided oral and written testimony" during the hearing. The report is merely a digest of testimony, and does not include commentary or recommendations from NCVHS.

You can find the full report here.

Tags: ARRA, Act, Articles, HITECH, HITECH Act, meaningful, use

HHS releases Recovery Act Implementation Plans

Posted on May 20, 2009 by Steve Fox and Vadim Schick

On May 15, 2009, the U.S. Department of Health and Human Services (HHS) released Recovery Act implementation plans:

HHS is moving quickly and carefully to award Recovery Act funds in an open and transparent manner that will achieve the objectives of each ARRA program. Implementation plans provide detailed information regarding the goals, funding, contracts competition, contract type, and accountability mechanisms.

HHS and the Office of National Coordinator for Health IT (ONC) released two such implementation plans aimed specifically at accelerating the adoption of health information technology pursuant to the HITECH Act: the Recovery Act Implementation Plan for Medicare and Medicaid incentives, and the accompanying Implementation Plan from the ONC.

Tags: ARRA, Articles, HITECH, HITECH Act, Incentives, Medicaid, Medicare, News

Washington Post examines HIMSS role in securing HIT stimulus funding

Posted on May 18, 2009 by Steve Fox and Vadim Schick

The Washington Post provides an interesting behind-the-scenes account of how the funds for electronic health records adoption were included into the American Recovery and Reinvestment Act of 2009, commonly known as the stimulus bill. Health Information and Management System Society (HIMSS) played a crucial role in this lobbying effort. According to the Post:

[HIMSS] had worked closely with technology vendors, researchers and other allies in a sophisticated, decade-long campaign to shape public opinion and win over Washington's political machinery.

You can read the whole article here.

Tags: ARRA, Act, Articles, EHR, HIMSS, HITECH, HITECH Act, News

Steve Fox featured in For the Record's May 2009 Cover Story

Posted on May 14, 2009 by Vadim Schick

Steve Fox was interviewed in this month's Cover Story "The Big Push", in For the Record, a biweekly magazine for health information management professionals, regarding the incentives and challenges of EHR adoption. On incentives included in the HITECH Act, Steve argued that:

“it’s almost crazy not to adopt EHRs because we’re talking about a significant amount of money ... From my discussions with hospitals and other physicians, the consensus seems to be that leaving that large sum on the table would just be foolish. Some hospitals I’ve spoken with are anticipating this will bring in millions.”

Steve also identified interoperability as a crucial goal for EHR systems:

“Trying to encourage not just adoption of EHRs but having them all interconnected is definitely the next step and perhaps even the definition of success in the end ... Hospitals need to be connected with one another or the EHRs are not being used to their full potential. Take Philadelphia, for instance. There are a lot of hospitals there but almost no connectivity among them. If a patient has his records at one hospital but gets taken to a different hospital, there’s no way to access his records, even if they do have an EHR in place.”

You can read the full article here.

Tags: ARRA, Articles, EHR, HITECH, HITECH Act, News

In the news: Personal Health Records edition

Posted on April 28, 2009 by Steve Fox and Vadim Schick

The Federal Trade Commission (FTC) issued interim regulations regarding breach notification requirements for PHR vendors, as mandated by the American Recovery and Reinvestment Act of 2009. According to the FTC press release, aside from breach notification, the proposed rule also:

stipulates that if a service provider to one of these [PHR vendor] entities experiences a breach, it must notify the entity, which in turn must notify consumers of the breach. The proposed rule contains additional requirements governing the standard for what triggers the notice, as well as the timing, method, and content of notice. It also requires entities covered by the proposed rule to notify the FTC of any breaches. The FTC can then post information about the breaches on its Web site, and notify the Secretary of Health and Human Services.

The full notice can be found here.

Mayo Clinic, in collaboration with Microsoft, launched its new personal health record (PHR) site on Tuesday April 21, 2009. The Mayo Clinic Health Manager uses Microsoft's HealthVault system to store medical histories, test results, immunization files and other records from doctors' offices and hospital visits, along with data from home devices like heart rate monitors. Anyone, not just Mayo Clinic patients, can open an account online; users can grant limited access to doctors, family members, and others to view the information contained in their PHR. It would be very interesting to learn if the Mayo Clinic required Microsoft to sign a Business Associate Agreement, or if Microsoft would publicly acknowledge that their PHR product is subject to certain privacy and security rules under HIPAA. ("Mayo Clinic backs new personal health record site", USA Today, April 21, 2009.)

Tags: ARRA, Articles, Clinic, Google, HealthVault, Mayo, Microsoft, News, PHR, Personal health records, Privacy & Security, health

Steve Fox on the new PHR privacy rules

Posted on April 27, 2009 by Vadim Schick

Bob Brewin of NextGov interviewed Steve Fox regarding the new privacy rules for vendors of personal health records (PHRs), and the applicability of such rules not only to PHR vendors such as Google and Microsoft, but also to the less obvious "related entities", a group so broad it may include an iPhone app:

Steven Fox, a lawyer with Post & Schell in Washington who co-chairs the firm's data protection group, agreed that the rules cover Google and Microsoft but said he wished FTC had specifically identified the two companies in the proposed rules.

The rules cover about 200 vendors of personal health record systems and 500 "related entities, which include online medication or weight tracking programs, and 200 third-party providers that offer billing and data services.

The related entities category could include low-cost iPhone applications that would have to comply with the potentially costly breach notification process, Dixon said. An online guide lists "100 Fabulous iPhone Apps for Your Health and Fitness," and Fox said these applications would be covered by the breach notification rules if they exchange information with personal health records.

("Proposed breach notification rule would affect more health vendors", NextGov, April 16, 2009.)

Tags: ARRA, Articles, FTC, Google, HealthVault, Microsoft, News, PHR, Privacy & Security, health

Steve Fox on the ARRA privacy requirements

Posted on April 22, 2009 by Vadim Schick

In an interview with Thompson's Compliance Information Center, Steve Fox urged healthcare providers to begin the compliance process to meet the new data privacy and security requirements imposed under the American Recovery and Reinvestment Act of 2009:

“The main message for providers is that ARRA is not something they can wait until next year for,” said Steven J. Fox, Esq., a partner at the law firm Post & Schell in Washington D.C. and co-author of the Guide to Medical Privacy & HIPAA. Although Fox does not advise covered entities to completely overhaul their HIPAA compliance programs before HHS issues regulations, he does say they should begin reviewing all of their current privacy and security policies and procedures and comparing them with the new ARRA requirements. Entities should conduct “a thorough self analysis to determine where they stand.

Covered entities also should train their staff so they understand the importance of privacy and security. Under ARRA’s new penalty provisions, there is an increased potential of significant fines being levied, so entities should prepare by readying their staff for new requirements.

“People need to be trained and retrained to understand how their jobs are changing” as a result of the ARRA privacy and security provisions, Fox said. But, he cautioned “it is premature to do an overhaul of training programs” right away. “Someone needs to revise the whole compliance training program to include all of the ARRA changes — but not too far in advance before the changes are required,” he said.

This interview also headlined IAPP's Daily Dashboard briefing on April 16, 2009.

Tags: ARRA, Articles, HIPAA, News, privacy, security

This just in: New HHS guidance about securing protected information

Posted on April 17, 2009 by Steve Fox and Vadim Schick

From HHS:

On April 17, 2009, HHS issued guidance specifying the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals, as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act passed as part of American Recovery and Reinvestment Act of 2009 (ARRA). This guidance was developed through a joint effort by OCR, the Office of the National Coordinator for Health Information Technology (ONC), and the Centers for Medicare and Medicaid Services (CMS).

This guidance relates to two forthcoming breach notification regulations – one to be issued by HHS for covered entities and their business associates under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Sec. 13402 of HITECH) and one to be issued by the Federal Trade Commission (FTC) for vendors of personal health records and other non-HIPAA covered entities (Sec. 13407 of HITECH). HITECH requires these regulations to be published within 180 days of enactment. If the entities subject to the regulations apply the technologies and methodologies specified in the guidance to secure information, they will not be required to provide the notifications required by the regulations in the event the information is breached.

The Guidance can be viewed (in PDF) here.

Tags: ARRA, Act, Articles, HIPAA, HITECH, News, Privacy & Security, breach, notification

Steve Fox interviewed by iHealthBeat at HIMSS

Posted on April 15, 2009 by Vadim Schick

Our own Steve Fox and HIMSS President H. Stephen Lieber were interviewed by Deirdre Kennedy of iHealthBeat, a daily news service from the California Healthcare Foundation, in an iHealthBeat Special Report about ARRA's impact on the healthcare industry and other hot topics discussed at this year's HIMSS conference in Chicago. You can listen to this audio report here.

Tags: ARRA, Articles, HITECH Act

Free Webinar on Data Privacy: April 7, 2009 at 10AM ET

Posted on April 3, 2009 by Steven J. Fox

Post & Schell is presenting a webinar featuring Vadim Schick and Peter Hardy, who will discuss the practical and legal issues created by the new and upcoming changes in the data privacy protection regime. Topics will include:

The Identity Theft Prevention Programs required by the Red Flags Rule
New data breach requirements imposed by HIPAA
Pending federal data privacy legislation that mirrors existing state laws
What steps to take now to be prepared
Why preparing now will save you money and grief later

You can view this presentation at your desk. There is no charge or limit to the number of people who can listen to the presentation on the same line. Click the following link to register for the GoToWebinar presentation: register now. After registering, you will receive log-in information for the April 7th webinar by e-mail.

Also, some of the issues discussed above, including compliance with the Red Flag Rules and HIPAA Privacy and Security Rules, are discussed in a new article by Peter and Vadim, "Preventing Data Breaches: HIPAA Compliance and the Red Flag Rules," published in the April 2009 edition of Compliance Today, and accessible via this link.

Tags: ARRA, Articles, HITECH Act, News, Privacy & Security

Risk Prevention/Management Advice to Hospitals Regarding Document-Sharing Technology

Posted on April 1, 2009 by Steve Fox and Vadim Schick

Hospitals, multi-hospital systems, and integrated healthcare delivery systems are increasingly utilizing data-sharing technology to communicate with, and share documents among, their officers and directors.

For example, some healthcare business enterprises use online services to upload documents to a “secure” Internet web site for Board members’ review prior to Board meetings, in lieu of sending out such documents via e-mail or in paper form. Healthcare business enterprises using such services need to be aware of many potential security and privacy risks inherent in transmitting, uploading and storing sensitive, confidential or even proprietary information via the Internet.

Tags: ARRA, Articles, Privacy & Security, data-sharing, information, privacy, secure, security, unsecured

Update: Healthcare Informatics Interviews Steve Fox and Ed Shay about the HITECH Act, Parts III and IV

Posted on March 31, 2009 by Vadim Schick

Healthcare Informatics Editor-in-Chief Anthony Guerra recently talked with our own Steve Fox and fellow Post & Schell partner Edward Shay about the substance of the HITECH Act and what this new legislation means for healthcare providers. The interview appears under the "Online Exclusives" section of the Healthcare Informatics Web site.

Healthcare Informatics recently published Part III and Part IV of the interview on its Web site.

Tags: ARRA, Act, Articles, EHR, HIPAA, HITECH, HITECH Act, News, PHR, Privacy & Security, meaningful, use

Debate on EHR Savings Rages at Harvard

Posted on March 24, 2009 by Steve Fox and Vadim Schick

A battle royal rages on among various Harvard physicians about the effects of a widespread adoption of EHR technology. In a Wall Street Journal op-ed, two Harvard doctors questioned President Obama's claim that nationwide adoption of EHR technology will save the taxpayers as much as $80 billion annually. Drs. Groopman and Hartzband call on Mr. Obama to "apply real scientific rigor to fix our health-care system rather than rely on elegant exercises in wishful thinking."

However, three other Harvard physicians, including Geek Doctor John Halamka, published a Letter to the Editor in response to the Groopman/Hartzband Op-Ed, claiming that the latter did not present a full or accurate picture of the positive effects of widespread adoption of EHR technology. In part, Drs. Halamka, Bates and Middleton claim that:

The electronic health record represents a transformational change in healthcare, and will enable an array of improvements—although it will not necessarily result if implemented badly. The electronic record is to the paper record as the automobile was to the horse and buggy. No one will want to go back.

Tags: ARRA, Articles, EHR, HIT, HITECH, Incentives, News, savings

Healthcare Informatics Interviews Steve Fox and Ed Shay about the HITECH Act

Posted on March 20, 2009 by Vadim Schick

Healthcare Informatics Editor-in-Chief Anthony Guerra recently talked with our own Steve Fox and fellow Post & Schell partner Edward Shay about the substance of the HITECH Act and what this new legislation means for healthcare providers. The interview appears under the "Online Exclusives" section of the Healthcare Informatics Web site.

In Part I and Part II of the interview, Steve and Ed discuss the incentives for hospitals and physician practices included in the HITECH Act; new regulations to be promulgated by HHS Secretary under this Act; and what actions hospitals and physician practices should be considering at this time in order to qualify for the incentive payments under the Act.

Part III is coming soon, and we will update this entry when it is published on Healthcare-Informatics.com.

Tags: ARRA, HITECH, HITECH Act, Incentives, News

In the news

Posted on March 16, 2009 by Steve Fox and Vadim Schick

Kaiser Permanente and IBM inked a $500 million, seven-year IT services deal. IBM will manage Kaiser's data center operations, storage and software, but IBM will not have access to patients' medical records. AP, San Francisco Chronicle (March 17, 2009).
A new study expects that as much as three-quarters of prescribers will use e-prescribing by 2014 because of the incentives for adoption of e-prescribing technology included in the HITECH Act (though only about 15% of current prescribers use e-prescribing). This could result in a massive $22 billion reduction in drug and medical costs. Government Health IT (March 17, 2009).
Wal-Mart is bringing its "high-volume, low-cost" approach to the medical records industry. Wal-Mart's Sam's Club division will produce a package that will include hardware from Dell, software from eClinicalWorks, as well as installation, maintenance and training services. According to the New York Times (March 11, 2009), the "Sam’s Club offering, to be made available this spring, will be under $25,000 for the first physician in a practice, and about $10,000 for each additional doctor. After the installation and training, continuing annual costs for maintenance and support will be $4,000 to $6,500 a year, the company estimates." This development has huge implications for the EHR market, and may actually aid the widespread adoption of EHR technology. Healthcare IT News (March 11, 2009) also covered this story.

More news after the jump.

Tags: ARRA, EHR, Higher Ed, IBM, Kaiser, News, Privacy & Security, Wal-Mart, academia, breach, data, e-prescribing, universities

HITECH Act Will Benefit Higher-Ed Institutions

Posted on March 12, 2009 by Steve Fox and Vadim Schick

HHS may award grants to eligible institutions “to carry out demonstration projects to develop academic curricula integrating certified EHR technology in the clinical education of health professionals.” Eligible institutions are limited to:

a school of medicine, osteopathic medicine, dentistry, or pharmacy, a graduate program in behavioral or mental health, or any other graduate health professions school;
a graduate school of nursing or physician assistant studies;
a consortium of two or more schools described above; or
an institution with a graduate medical education program in medicine, osteopathic medicine, dentistry, pharmacy, nursing, or physician assistance studies.

Tags: ARRA, Ed, HITECH, HITECH Act, Higher, Higher Ed, Incentives

HITECH Act Will Benefit Physician Practices

Posted on March 6, 2009 by Steve Fox and Vadim Schick

Physician practices are eligible to receive up to $44,000 per physician for meaningful use of certified EHR technology (as described here*):

Up to $18,000 for the first year (dropping to $15,000 if first year is not 2011 or 2012); $12,000 for the second year; $ $8,000 in year 3, $4,000 in year 4 and $2,000 in year 5. (See table after the jump.)
There will be no incentive payments for practices establishing their meaningful EHR use after 2014 (e.g., beginning 2015).
Meaningful EHR use by physicians will be further defined by regulations, but at a minimum, includes the use of e-prescribing and participation in “the electronic exchange of health information to improve the quality of health care, such as promoting care coordination,” i.e., HIEs or RHIOs.
For the electronic exchange of health information to improve the quality of health care, such as promoting care coordination.
There is a 10% premium for physicians with practices in under-serviced areas.
However, if a physician practice does not achieve meaningful EHR status by 2015, Medicare reimbursement fees will be reduced by 1% in 2015, 2% in 2016, 3% in 2017 and beyond; and the Secretary will have the right to reduce fees by 5% starting in 2018 for those practices where meaningful EHR use is under 75%.

Tags: ARRA, HITECH, HITECH Act, Incentives, Physicians

UPDATED: HITECH Act will Benefit Hospitals

Posted on March 5, 2009 by Steve Fox and Vadim Schick

Each eligible hospital (a “subsection (d) hospital,” as defined under 42 U.S.C. §1395ww(d)(1)(B)) which does not include psychiatric hospitals, rehabilitation hospitals, children’s hospitals or long term care hospitals) that achieves "meaningful" EHR use may qualify to receive from Medicare an amount equal to the product of the following formula:

Initial Amount
($2 million plus additional amounts calculated in accordance with each hospital’s Medicare discharges)

X

Medicare Share
(roughly, a hospital’s share of Medicare discharges over total discharges)

X

Transition Factor:

Year 1 – 100%
Year 2 – 75%
Year 3 – 50%
Year 4 – 25%
Year 5 – 0%

“Meaningful users” are hospitals or physician practices able to demonstrate that one’s EHR technology is connected in a way that improves the quality of health care through reported results on clinical quality and other measures selected by the Secretary. Meaningful EHR use includes quality reporting and may be demonstrated by attestation, survey response, appropriate claims or quality reporting, or such other manner as the Secretary specifies. Of course, the question remains as to how HHS will define “meaningful” use, and we will just have to wait until the end of this year to find out. The concern is that if HHS raises the bar too high, it will exclude hospitals who will be unable to achieve it within a reasonable time.

“Certified EHR technology” will be technology that is certified by an independent body recognized by the Secretary as meeting standards for such technology established by the Secretary by rulemaking before Dec. 31, 2009.

Tags: ARRA, HITECH, HITECH Act, Hospitals, Incentives

Congress Offers Incentives to Implement EHR

Posted on March 5, 2009 by Steve Fox and Vadim Schick

In the economic stimulus legislation recently signed by President Obama (the American Recovery and Reinvestment Act of 2009), the U.S. Congress has provided the health care industry with more than $17 billion in incentives to acquire and implement electronic health record (EHR) technology and the associated infrastructure.

The HITECH Act (“Act”) portion of the stimulus includes major incentives for, among others:

Hospital systems;
Individual physician practices (not affiliated with hospitals);
Universities and institutions of higher learning;
Health Information Exchanges (HIEs); and
States and certain state-designated entities.

In addition to the incentives, the Department of Health and Human Services (HHS) will have broad discretion in determining the amounts of grants, loans or subsidies extended to potential beneficiaries. HHS will also propose a set of procedures for claiming or applying for such assistance, to be published in the Federal Register for comment.

Tags: ARRA, HITECH Act, Hospitals, Incentives, Stimulus