Health IT Law Blog : Health IT Law Blog : Post & Schell: Law Firm : HIT & Electronic Health Records

On Thursday, March 18, 2010 from 1:00PM to 2:00PM (EST), Post & Schell will host the next webinar in a series examining the effects of meaningful use and other HITECH Act regulations on the healthcare industry. 

This webinar will focus on identifying and negotiating the essential elements of HIT agreements, particularly in light of the HITECH Act and related HHS regulations regarding "meaningful use" of "certified EHR technology." Post & Schell's Steve Fox and Vadim Schick, along with Jim Oakes, Principal at Health Care Information Consultants, will discuss:

• Warranty, limitation of liability and privacy and security provisions in HIT contracts
• Structuring payments to correspond with certain achievement milestones
• Acceptance testing procedures
• Provisions specific to vendor-financing transactions
• ASP / SaaS models of software licensing

You may view this presentation at your desk. There is no charge or limit to the number of people who may listen to the presentation on the same line. Click here to register. After registering, you will receive log-in information by e-mail.

This webinar is second in a series devoted to structuring vendor-provider agreements in the post-HITECH Act world. If you missed our first webinar, A Lawyer's Take on "Meaningful Use," you can still view the slides from that presentation here.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

ONC announced release of the much-anticipated Notice of Proposed Rulemaking (NPRM) on certification programs.  Via ONC Press Release:

Certification of Health IT will provide assurance to purchasers and other users that an EHR system, or other relevant technology, offers the necessary technological capability, functionality, and security to help them meet the meaningful use criteria established for a given phase. Providers and patients must also be confident that the electronic health IT products and systems they use are secure, can maintain data confidentially, and can work with other systems to share information. Confidence in health IT systems is an important part of advancing health IT system adoption and allowing for the realization of the benefits of improved patient care.

Eligible professionals and eligible hospitals who seek to qualify for incentive payments under the Medicare and Medicaid EHR Incentive Programs are required by statute to use Certified EHR Technology. Once certified, Complete EHRs and EHR Modules would be able to be used by eligible professionals and eligible hospitals, or be combined, to meet the statutory requirement for Certified EHR Technology.
 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

As of February 22, 2010, HHS is expected to begin enforcing the new breach notification requirements created by the privacy and security provisions within the HITECH Act.  Although such requirements went into effect last fall, HHS gave covered entities and business associates a few months to adapt to the new rules.  That enforcement delay is now over, and, perhaps in a related move, on February 23, 2010, HHS's Office of Civil Rights, pursuant to the HITECH Act, posted a list of organizations which reported breaches of unsecured protected health information affecting 500 or more individuals on OCR's web site.  This should serve as a good reminder to providers and HIT vendors alike to be keenly aware of the new regulations on breach notification.

The HITECH Act required a covered entity that “accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information” to notify each individual “whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed” due to the breach.  Business associates who discover a breach must notify the covered entity. 

By regulation published in the Federal Register on August 24, 2009, HHS added a rather controversial  "harm threshold" to this requirement:  covered entities and business associates are required to notify the affected individual, the HHS, and, in some cases, the media, if such breach poses a significant risk of harm to the individual.  This "harm threshold" essentially requires the organization which discovers a breach to undergo a risk assessment test to determine whether a breach would cause "significant harm" to the affected person.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Here are the slides from  our February 25, 2010 Webinar on Meaningful Use.  This webinar was first in a series, and focused on the critical definition of "meaningful use" of "certified EHR technology," as described in proposed regulations released and published by CMS pursuant to the HITECH Act on January 13, 2009.  Steve and I discussed:

• Key policy goals and objectives behind meaningful use

• Measures required to achieve meaningful use

• Structure of incentive payments under Medicare and Medicaid

• Eligibility requirements for professionals and hospitals

Our next webinar, to be held on Thursday March 18, 2010, from 1:00 to 2:00 PM, will focus on how to negotiate software and EHR licensing agreements and other transactional issues with respect to dealing with health IT vendors.

For more information, please contact me at vschick@postschell.com or 202-661-6945.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Pursuant to the HITECH Act, on February 17, 2010, business associates of covered entities became subject to the HIPAA Privacy and Security Rules, including provisions regarding implementation of various safeguards to secure protected health information.  As Steve Fox pointed out in a recent report on the subject by the Pittsburgh Business Journal, it is highly unlikely that most companies are ready to comply with these dramatic changes.

However, according to Hunton & Williams's privacy blog, Adam Greene of the HHS Office of Civil Rights (OCR) stated at an ABA conference on February 18, 2010, that OCR will delay enforcement of this provision of the HITECH Act until the relevant regulations are finalized.  OCR itself did not publish a press release on the subject, and we were unable to reach Mr. Greene for comment.

Regardless of OCR's intent to enforce compliance, the business associate provisions in the HITECH Act went into effect last week.  We would strongly encourage all covered entities and business associates to take all necessary actions to comply with the new law.

"Privacy policies over electronic health records expand reach," Pittsburgh Business Journal (February 19, 2010).

"HHS Delays Enforcement of HITECH Act Business Associate Provisions," Privacy & Information Security Law Blog (February 19, 2010).

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On Thursday, February 25, 2010 from 1:00PM to 2:00PM (EST), Steve Fox and yours truly will host a free webinar, the first in a series, which will focus on the critical definition of "meaningful use" of "certified EHR technology," as described in proposed regulations released and published by CMS pursuant to the HITECH Act on January 13, 2009.  We will discuss:

• Key policy goals and objectives behind meaningful use

• Measures required to achieve meaningful use

• Structure of incentive payments under Medicare and Medicaid

• Eligibility requirements for professionals and hospitals

You may view each of these presentations at your desk. There is no charge or limit to the number of people who may listen to each presentation on the same line. Click here to register. After registering, you will receive log-in information by e-mail.

Our next webinar, to be held on Thursday March 18, 2010, from 1:00 to 2:00 PM, will focus on how to negotiate software and EHR licensing agreements and other transactional issues with respect to dealing with health IT vendors.

For more information, please contact me at vschick@postschell.com or 202-661-6945.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Joy Pritts, a researcher and faculty member at Georgetown University's Health Policy Institute, was named as the first Chief Privacy Officer for the Office of National Coordinator for Health IT.  This position was created pursuant to a provision in ARRA, last year's economic stimulus legislation.

In her new position, Ms. Pritts will advise Dr. Blumenthal on forming policies on privacy, security and data stewardship of electronic health information, as well as coordinate similar efforts on state, federal and international levels.

Ms. Pritts is a graduate of Oberlin College and Case Western Reserve University School of Law.  She has testified before Congress on data privacy issues, and served as a member of Technical Advisory Panel for the multi-state Health Information Security and Privacy Collaborative (HISPC) and on the board of the National Governors Association’s State Alliance for e-Health.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

According to American Medical News (AMN), a new report by Manhattan Research states that online communications by physicians have increased by 14% since 2006.  The survey of 1900 physicians found that 39% of physicians use online communication tools such as email, secure messaging, or instant messaging.

Dermatologists lead all other surveyed practices in the volume of online communications, which, according to Girish Munavalli, MD, assistant professor of dermatology at Johns Hopkins University School of Medicine, can be attributed to "a lot of triage calls and calls for clarification of instructions" which come from dermatologists' large patient volumes. "This is perfect for short e-mail communication and reminders," added Dr. Munavalli.

Dermatologists are followed by oncologists, neurologists, endocrinologists, infectious disease specialists, and primary care physicians.

Of course, certain obstacles remain.  Some doctors abstain from using such technology because of liability worries, while many patients prefer in-person meetings because of concerns regarding privacy of their health information.  Still, the report suggests that this increase may be due to the growing comfort level and acceptance of online communication between physicians and patients.  And it may even indicate a larger trend of greater familiarity and use of other health-related technologies, such as EMRs and personal health records.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

HHS Secretary Kathleen Sebelius, appearing with Labor Secretary Hilda Solis, announced the Obama administration will release almost $1 billion set aside in the stimulus bill in order to aid implementation of health information technology.

Secretary Sebelius announced $386 million in grants to advance widespread adoption of EHRs at the state level, including for health information exchanges (HIEs).  HHS also awarded $375 million to 32 nonprofits for Regional Extension Centers which assist providers in updating their medical record systems and train workers on such new technologies.

Secretary Solis announced around $225 million to support 55 job-training programs in 30 states which is expected to train around 15,000 people in the health records technology.

The Obama administration expects to help more than 100,000 health-care providers set up electronic medical records for their patients by 2014.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Following up on his letter to health IT companies last fall, Senator Chuck Grassley (R-IA) sent a letter to 31 hospitals in the United States to inquire about each hospital's experience with purchasing and implementing health information technology.  According to Healthcare IT News:

Grassley cites reports he’s heard about “difficulties and challenges associated with HIT implementation,” including “administrative complications,” “formatting and usability issues,” “computer errors stemming from the programs themselves,” and problems with “interoperability between programs.”

More specifically, he raises concerns that “when [providers] report such problems to their facilities and/or the product vendors, their concerns are sometimes ignored or dismissed.” Often, he writes, “this is attributed to alleged ‘gag orders’ or non-disclosure clauses in the HIT contract that prohibit health care providers and their facilities from sharing information outside of their facilities regarding product defects and other HIT product-related concerns."

You can find more about Sen. Grassley's letter to hospitals in his office's press release, which includes the full text of the letter.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

There is little doubt that the healthcare industry must prepare for a growing number of - and expanding costs associated with - data breaches, particularly for breaches of protected health information.  Here are just a few notable reports on this subject:

• Infosecurity.com reported on a striking increase in attempts to hack into healthcare organizations, while the rate of hacking in other economic sectors remained flat:  "the last quarter of [2009] saw an average of 13 400 attempts to hack healthcare organizations, compared to an average of 6,500 in the first nine months."  According to researchers at SecureWorks, which produced the graph above, healthcare organizations are particularly vulnerable to such attacks because they "have to provide access to many external networks and web applications so as to stay connected with their patients, employees, insurers and business partners. This increases their risk to cyber attacks."

• Cnet News reported on similar findings by the Ponemon Institute, whose survey concluded that "Data breaches at U.S. companies attributed to malicious attacks and botnets doubled from 2008 to 2009 and cost substantially more than breaches caused by human negligence or system glitches."  The cost per compromised record involving a criminal act averaged $215, about 40% higher than breaches from negligence and 30% higher than those from glitches, the Ponemon survey found.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Ingenix, the technology unit of United Health Group, and Allscripts-Misys Healthcare Solutions joined Siemens, GE Healthcare and IBM in offering financing for purchasers of electronic medical record technology.   This continues the trend of vendors offering interest-free financing until healthcare providers receive the "meaningful use"  incentive payments or reimbursements under the HITECH Act.

While such offers may provide a solution to some of the credit and financing woes facing the healthcare industry, healthcare providers should be acutely aware of the many potential pitfalls and related issues inherent in vendor-financed deals, including: (1) additional pressure from vendors to accept their standard contractual terms and conditions, rather than engaging in full-blown contract negotiations, because vendors have much more leverage if they are also the creditor in the transaction; (2) failing to obtain necessary warranties and representations from vendors that their systems will comply with all relevant requirements under ARRA and the HITECH Act and will permit the provider to achieve meaningful use; (3) dealing with problems that may arise if either the vendor’s product fails to achieve applicable certification (e.g., CCHIT), is not “accepted” by the provider after completion of acceptance testing or the product does not enable the provider to achieve “meaningful use” in a timely manner, as well as a host of other issues.

Steve Fox and yours truly explore the issues around vendor financing of EHR system purchases in the latest issue of the Journal of Health Information Management, where we suggest recommended courses of action for healthcare providers considering acquiring HIT systems, including EMRs, by using vendor financing options.  A complimentary PDF copy of the article is available here.
 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

• According to LA Weekly, Huping Zhou, a former employee at the UCLA Healthcare System, pleaded guilty to federal charges of breaches of patient privacy.  Zhou, 48, accessed the UCLA patient records system 323 times during the three-week period, mostly looking for the files of celebrities, after being let go by the hospital. Names of targeted celebrities have not been revealed.  This case follows a similar breach at UCLA Medical Center, when Lawanda Jackson, a former nurse at the Center, plead guilty to wrongfully accessing information of Britney Spears and Farrah Fawcett.

• Delaware Online reports about a new unfortunate trend in medical identity theft -- searching for copies of discarded prescriptions:  "In the latest crime trend to hit Delaware, police are reporting that people looking for drugs such as Oxycontin and Vicodin are stalking customers who throw away prescription bags containing paperwork with details about their pills and themselves. They use the personal information to call in prescriptions and charge them to the victims' insurance. Then they turn around and sell the drugs."  According to Bruce DiVincenzo, chief agent of Delaware's Office of Narcotics and Dangerous Drugs:

They're making their own scripts by ordering paper from the Internet," he said. "It's the patient's name that they want, because that person is actively listed as a customer of the pharmacy and will not raise suspicion."

Pharmacies like CVS and Happy Harry's (a subsidiary of Walgreens) take certain precautions to prevent such identity theft, including checking ID's before filling prescriptions and reminding customers to be careful with their receipts and copies of prescriptions.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

CMS released a proposed rule pursuant to the HITECH Act which includes the much-anticipated definition of Meaningful Use of Certified EHR technology.  You can find the full text here.*

HHS has also released an interim final rule with a request for comments to adopt an initial set of standards, implementation specifications, and certification criteria, as required by section 3004(b)(1) of the Public Health Service Act. This interim final rule represents the first step in an incremental approach to adopting standards, implementation specifications, and certification criteria to enhance the interoperability, functionality, utility, and security of health information technology and to support its meaningful use. The certification criteria adopted in this initial set establish the capabilities and related standards that certified electronic health record (EHR) technology will need to include in order to, at a minimum, support the achievement of the proposed meaningful use Stage 1 (beginning in 2011) by eligible professionals and eligible hospitals under the Medicare and Medicaid EHR Incentive Programs.  You can find this interim rule here.*

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Today the Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator for Health Information Technology (ONC) will announce two regulations that lay a foundation for improving quality, efficiency, and safety through meaningful use of electronic health record (EHR) technology.

The regulations will help implement the EHR incentive programs enacted under the Health Information Technology for Clinical and Economic Health (HITECH) Act, which was part of the American Recovery and Reinvestment Act of 2009. Public comments on both regulations are encouraged.

Join today’s call; details are listed below:

WHO:
--David Blumenthal, MD, MPP, national coordinator for health information technology
--Jonathan Blum, director, Center for Medicare Management
--Cindy Mann, director, Center for Medicaid and State Operations

WHAT:
Briefing for HITECH Partners and Stakeholders – Providers, HIT Industry Organizations

WHEN:
Today, Wednesday, Dec. 30, 2009, 5:15 p.m. – 6:00 p.m. Eastern Time

WHERE:
Toll-Free Dial: (800) 837-1935
Conference ID: 49047605
Pass Code: HITECH

Stay tuned for more updates and information on the HIMSS Meaningful Use Web site at http://bit.ly/5IdkDe . HIMSS will be posting a statement tomorrow.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On the eve of HHS releasing the much-anticipated definition of "meaningful use," health IT divisions of GE and Siemens revealed new financing options for purchases of their EMR and other HIT products.

On December 16, 2009, Siemens followed IBM and GE in offering "a series of flexible financing solutions to help healthcare providers pursue meaningful use objectives and meet [HITECH Act] deadlines <...>  Featuring zero-percent interest terms for qualified customers, the solutions enable organizations to defer up-front payments associated with their technology investment while meeting criteria for future government incentive monies."

According to Fierce Healthcare:

To provide the greatest possible range of choices for customers, Siemens offers solutions from Siemens Financial Services, Inc. as well as from selected partners, including IBM Global Financing and 3-D Financial Services. These options allow customers to choose a customized financing solution that matches their individual technology acquisition roadmaps, business strategies, financial profiles, and technology needs. <...>

By bridging the gap between the project implementation and the receipt of ARRA incentive, Siemens will be providing its customers an option which allows them to optimize their cash flow while maximizing return on investment.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Via Healthcare IT News:

The Certification Commission for Health Information Technology has certified 14 electronic health record products that pass muster for provider use under the American Recovery and Reinvestment Act of 2009 (ARRA).

"We believe it will be a challenge for providers who have not yet begun to evaluate products to purchase and implement EHR technology and achieve meaningful use in time for the 2011-2012 incentives," said Alisa Ray, the CCHIT's executive director. "We have received more than 30 applications for our 2011 certification programs – more than half of which are for the comprehensive program – and are announcing new certifications regularly so providers can begin to consider EHR technology that demonstrates compliance with the proposed federal standards."

According to Ray, the Preliminary ARRA 2011 program is a modular, limited certification and inspects technology only against the federal standards. It offers flexibility for health IT companies, developers and providers in meeting ARRA 2011-2012 certification requirements.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

The Office of National Coordinator for Health IT named 17 members of the newly formed privacy and security workgroup of the HIT Policy Committee.  According to Government Health IT:

The work group will be co-chaired by Deven McGraw, director of the Health Privacy Project at the Center for Democracy and Technology, and Rachel Block, executive director of the New York eHealth Collaborative and deputy commissioner for health IT transformation at the New York State Department of Health.

Their team will advise the Policy Committee on such matters as how safeguards for the exchange of health information should fit into the “meaningful use” test for health IT incentives that ONC has been working on.

The ONC has previously announced the establishment of a separate workgroup devoted to creation of a national health information network, which, of course, will have to deal with its own set of privacy and security concerns.  There is also a privacy and security workgroup under the HIT Standards Committee.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

• In a letter to Dr. Blumenthal, the Medical Group Management Association (MGMA) urged the ONC to define "meaningful use" in a practical and achievable way.  Otherwise, many providers could fail to qualify for the HITECH Act's incentives.  The MGMA is recommending, inter alia, instituting a pilot test prior to the start of the program and before each new phase of the program; including only criteria for meaningful use that have widespread industry use or have been tested; permitting physicians to test their reporting systems prior to their “go-live” date; permitting flexibility in achieving meaningful use and avoiding a “pass/fail” approach; developing a simple process for physicians to attest that they have achieved meaningful use; simplifying the data-reporting process and ensuring that the government is ready to accept the data; closely monitoring the industry to ensure that the program logistics operate appropriately; and ensuring government oversight of the vendor community for its ability to produce high-quality and reasonably priced software.

• A former Johns Hopkins hospital employee, Michelle Johnson, was sentenced to 18 months in prison and ordered to pay $200,000 in restitution for stealing patient information.  According to the Associated Press, Ms. Johnson, formerly a patient services coordinator, "provided a conspirator with names, Social Security numbers and other identifying information of more than 100 current and former patients of Johns Hopkins. That information was used to apply for credit. Johnson kept some of the fraudulently ordered merchandise for herself, including a computer monitor, a cordless phone, and clothes for herself and her children."

• Email This
• Print
• Comments
• Trackbacks
• Share Link

The New York Times reported on a new study led by Dr. Ashish Jha of the Harvard School of Public Health and Catherine M. DesRoches of Massachusetts General Hospital which found only marginal benefits to hospitals using electronic health records in terms of reducing costs and improving the quality of care.

The new study placed hospitals into three groups: those with full-featured electronic health records, those with more basic ones, and those without computerized records. It then looked at their performance on federally approved quality measures in the care of conditions like congestive heart failure and pneumonia, and in surgical infection prevention.

In the heart failure category, for example, the hospitals with advanced electronic records met best-practice standards 87.8 percent of the time; those with basic computer records, 86.7 percent; and those without, 85.9 percent. The differences in other categories were similarly slender.

Reducing the length of hospital stays, according to many experts, should be a big money-saving payoff from electronic health records — as better care aided by technology translates into less time spent in hospitals. For hospitals with full-featured digital records, the average length of stay was 5.5 days; for those with basic computer records, 5.7 days; and those without, 5.7 days.

The upside, if any? Dr. Karen Bell, a former HHS official, was not surprised by the findings and hopes that the real benefits will be achieved after use of EMRs is much more widespread:

'There will be no clear answers on the overall payoff from the wider use of electronic health records until we get further along, five years or more, said Dr. Bell, [now a] senior vice president for health information technology services at Masspro, a nonprofit group. “But that doesn’t mean we shouldn’t go forward.'

"Little Benefit Seen, So Far, in Electronic Patient Records," New York Times (November 16, 2009).

• Email This
• Print
• Comments (2)
• Trackbacks
• Share Link

Our collaborator and friend James Oakes, a Principal at Health Care Information Consultants, LLC in Baltimore, Md., authored a wise and timely call for action for healthcare providers hoping to capitalize on the incentive payments for meaningful use of certified EHR technology included in the HITECH Act. 

The article, appearing in BNA's Health IT Law & Industry Report, argues that even though the HHS has yet to produce final regulations defining such key HITECH Act terms as "meaningful use" and "certified EHR technology," healthcare providers should not wait any longer to begin planning for the transition from paper to digital records, or the likely required updates to existing EHR systems:

Given the uncertainty surrounding these issues, a number of providers have elected to delay any action towards selecting and implementing an electronic health record (EHR) for their institution until answers are made available, reasoning that they want to know as much as possible before committing to a direction. However, providers who take this path may put themselves at risk for forfeiting eligibility for ARRA funds at all, given the time to execute and implement systems.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Pursuant to the HITECH Act, the Department of Health and Human Services (HHS) released interim final regulations updating enforcement rules for violations of HIPAA.  As reported in Healthcare IT News:

Prior to the HITECH Act, the penalty could be no more than $100 for each violation or $25,000 for all identical violations of the same provision.

A healthcare provider, health plan or clearinghouse could also bar the secretary's imposition of a civil money penalty by demonstrating that it did not know that it violated the HIPAA rules.

Section 13410(d) of the HITECH Act strengthened the enforcement by establishing tiered ranges of increasing minimum penalty amounts, with a maximum penalty of $1.5 million for all violations of an identical provision. A covered entity can no longer bar the imposition of a civil money penalty for an unknown violation unless it corrects the violation within 30 days of discovery.

The interim final rule with request for comments, published last week, conforms the HIPAA enforcement regulations to the revisions made by the HITECH Act. This rule will become effective on Nov. 30. HHS will consider all comments received by Dec. 29.

You can find the full text of the rule is here.

"HIPAA violators could face fines up to $1.5M," Healthcare IT News (November 2, 2009).

• Email This
• Print
• Comments
• Trackbacks
• Share Link

According to the Wall Street Journal's Health Blog:

In letters sent earlier this month to 10 companies, [Senator Chuck] Grassley says that he’s “received complaints” about systems that allow doctors to enter medical orders by computer. (Here’s a copy of the letter.) This is a big deal these days because the stimulus bill provides billions of dollars in federal incentives to encourage doctors and hospitals to start using these sorts of systems.

Grassley asks the companies to send him copies of “complaints and/or concerns” that health-care providers have expressed about the systems. He wants to know whether the companies typically include legal provisions in their contracts that “shift responsibility for errors in the … systems to physicians, nurses, pharmacists, and other health care providers.”

And he cites reports that contracts sometimes “include ‘gag orders,’ which prohibit health care providers from disclosing system flaws and software defects.” He asks the companies how many settlement agreements they’ve executed in the last 18 months.

So far, representatives of Cerner, McKesson and Allscripts indicated that they plan to cooperate with Sen. Grassley's request. 

You can find more information on Grassley's letters via the Washington Post, here.

You can see a copy of Grassley's letter to 3M here.

"Chuck Grassley Has a Few Questions for the Health IT Industry," Health Blog (October 26, 2009).

"Electronic medical records not seen as a cure-all," Washington Post (October 25, 2009).

• Email This
• Print
• Comments
• Trackbacks
• Share Link

By popular demand, here is the video of David Pogue's report on the Obama Administration's efforts to digitize patient records in the U.S. 

Watch CBS News Videos Online

"Charting a New Course," CBS News (September 13, 2009).

• Email This
• Print
• Comments
• Trackbacks
• Share Link

David Pogue, a reporter for the New York Times, posted the transcript of his interview with Dr. David Blumenthal, National Coordinator for Health IT. Mr. Pogue interviewed Dr. Blumenthal for a CBS news report on digitization of healthcare in America (the video is available after the jump).

Here are some highlights from the interview:

On current state of health IT in the US:

We found that about 17 percent of physicians in 2008 had adopted an electronic health record, and about ten percent of hospitals. <...> The rest is paper. It's basically the same system that physicians have used since Hippocrates, which is writing on some piece of paper.

On reimbursement penalties for those failing to achieve meaningful use by 2015:

From 2011 to 2015, there is a bonus. The Congress has put $45 billion on the table to ease physicians and hospitals into this new world of computerized medicine.After 2015, if you have not adopted, and you see Medicare or Medicaid patients, you may experience a penalty. 2015 is six years off. Six years is plenty of time for physicians to get themselves organized to put a record in place and avoid those penalties.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Dr. David Blumenthal, the National Coordinator for Health IT, gave an update on the Obama Administration's efforts to define "meaningful use" and to further adoption of EHRs nationwide.  Blumenthal did not reveal any new details regarding the upcoming regulations on meaningful use, reminding his audience of the upcoming "notice of proposed rulemaking in late 2009 with a public comment period in early 2010."

Meanwhile, according to Government HealthIT, the next meeting of the HIT Policy Committee, which will meet on October 27 and 28, will focus on how to map meaningful use objectives to medical specialties as well as small practices and hospitals.

Speaking at the 81st annual American Health Information Management Association convention in Grapevine, Texas, Dr. Blumenthal stated that he expects 50,000 health information management (HIM) jobs to be created as the U.S. moves from the paper-based to the digital system of healthcare.  AHIMA's CEO, Linda Kloss, noted that the interest in HIM careers has "exploded" during the last year.

Much more news after the jump.
  

• Email This
• Print
• Comments
• Trackbacks
• Share Link

According to Modern Healthcare, several HIT vendors, including GE Healthcare, NextGen Healthcare Information Systems, and Athenahealth, will guarantee that their EHR products will meet or "evolve to meet" the federal requirements for "meaningful use," even though such requirements have not been promulgated yet by CMS.  In fact,

Athenahealth recently upped the ante by guaranteeing that, not only will the company's AthenaClinicals Internet-based electronic health-record service meet federal standards, but the doctors who use it will receive a bonus payment for the 2011 program year under the terms of the [HITECH Act].

The HITECH Act provides for a first-year incentive payment of $18,000 for those eligible professionals who achieve meaningful use of certified EHR technology in 2011 or 2012, instead of a first-year payment of $15,000 thereafter.

Some vendors hope that such guarantees will spur activity in the market, persuading some reluctant healthcare providers not to wait until CMS issues its final "meaningful use" regulations next year.  There is also some doubt whether such guarantees apply to each vendor's existing customers or solely to new customers.

However, whenever a healthcare organization enters into an EMR purchase or license agreement, it must obtain strong warranties from the vendor that its product(s) and system will meet the applicable federal requirement standards at time of issuance of such standards, as well as for duration of the applicable license.  "Meaningful use" requirements will likely change over the life of a license, and a vendor's obligation to meet such evolving standards is absolutely essential.  Healthcare providers must also include proper remedies and appropriate carve-outs from vendor's limitation of liability for a vendor's breach of such warranties.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

The New York Times reported last week that the North Shore-Long Island Jewish Health System (North Shore) will offer its 7,000 affiliated (though not employed by North Shore) physicians subsidies for implementing electronic health records.  Interestingly, this subsidy does not include or prevent such physicians from qualifying for the approximately $44,000 in Medicare incentive payments under ARRA. 

North Shore plans to subsidize 50% of the total cost of the EMR system (which uses Dell hardware and Allscripts software) for practices "who simply install electronic health records that can communicate between the doctor's office, labs and hospitals."  However, the health system will subsidize 85% of the total cost of the EMR -- a figure driven, no doubt, by the exceptions to the Stark and Anti-Kickback laws -- for physicians willing to share some of their patient data. 

North Shore is counting on the availability of shared data to reduce the cost of care through reduction of unnecessary tests and medical mistakes.  A recent PriceWaterhouseCoopers (PWC) survey may support North Shore's reasoning.  The survey found broad agreement among healthcare executives with respect to secondary uses of EMR patient data.  Among other findings (discussed after the jump), the PWC survey found that 42% of organizations already using some form of secondary data use achieved cost savings, 29% increased their revenue, and 59% saw improvements in quality of care.

• Email This
• Print
• Comments (1)
• Trackbacks
• Share Link

HHS Secretary Kathleen Sebelius announced almost $28 million in grants for more than twenty health centers to implement or improve their electronic health records technology.  This funding is allotted from the $2 billion set aside for Health Resources and Services Administration (HRSA) health centers in the ARRA.  HRSA health centers provide medical services for the uninsured and low-income individuals.

According to the HHS press release:

Eighteen grants totaling more than $22.6 million will support EHR implementation. Grants totaling more than $2.6 million will help four grantees implement a variety of HIT innovations, including the creation of health information exchanges among different providers and the incorporation of HIT at dental delivery sites. Another five grants totaling over $2.5 million will help health centers devise plans to use existing EHRs to improve patient health outcomes.

HRSA received $2 billion through the Recovery Act to expand health care services to low-income and uninsured individuals through its health center program. To date, more than $1.3 billion of these funds have been awarded to community-based organizations across the country. HRSA-supported health centers treated 17 million patients in 2008, 40 percent of whom have no health insurance.

You can find the full list of recipients here.

"Secretary Sebelius Releases $27.8 Million in Recovery Act Funds to Expand the Use of Health Information Technology," HHS Press Release (September 29, 2009).

"HHS releases $28M in ARRA funding to accelerate health IT," Healthcare IT News (September 30, 2009).

• Email This
• Print
• Comments
• Trackbacks
• Share Link

The last few weeks saw a tremendous amount of activity in the health IT market.  Dell and Xerox were among the companies trying to capitalize on opportunities created by the ARRA incentives and certain market trends, including high demand for HIT products due to the ongoing digitization of the industry and, more generally, the expanding healthcare needs of an aging population in the United States.

Dell is quickly establishing itself as a major player in health IT.  In April 2009, Dell aligned itself with Wal-Mart and eClinical Works to supply hardware for Wal-Mart's new EHR system.  Last month, Dell rolled out its own EHR system aimed at physicians affiliated with hospital practices, with Tufts Medical Center and Memorial Hermann Health Care System among the early adopters. 

Even more significantly, on September 21, 2009, Dell announced its plans to acquire the health IT vendor Perot Systems Corp. for $3.9 billion.  Perot is a major player in the healthcare industry:  about half of Perot's $2.8 billion in annual revenue comes from the healthcare market; and as much as half of the hospitals that outsource their IT are Perot clients.   Perot runs over 3,000 healthcare applications for its clients, though the company does not have a preferred provider arrangement with a specific application vendor.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On September 15, 2009, the HIT Standards Committee endorsed a set of privacy and security standards for electronic health record systems. 
These standards will be recommended to Dr. David Blumenthal, the National Coordinator for Health Information Technology, as a basis for establishing the privacy and security criteria for, inter alia, "certified EHR technology" as defined under the HITECH Act.  Eligible healthcare providers must meet the criteria for "meaningful use" of "certified EHR technology" in order to qualify for significant incentives available under the HITECH Act.

The committee’s Privacy and Security Workgroup included access control, authentication, authorization and transmission of health data among the requirements that electronic health record systems must include by 2011 in order to meet the definition of "certified EHR technology."   Specifically for 2011, the Standards Committee approved the Workgroup's recommendation to require certified products to provide the capabilities necessary to support the HIPAA and ARRA security and privacy requirements and best practices for “meaningful use.”  The endorsed privacy and security standards will become more rigorous in 2013 and 2015.

You can find the spreadsheet of endorsed privacy and security standards here.

You can also view the presentation from the Workgroup here.

"Federal panel okays EHR security, privacy standards," Government Health IT (September 15, 2009).

• Email This
• Print
• Comments
• Trackbacks
• Share Link

While the ONCHIT Advisory Committees continue to work on defining "meaningful use," the Certification Commission for Health Information Technology (CCHIT) plans to launch a new certification program for electronic health records systems based on the new requirements for such systems to qualify for incentive payments under the American Recovery and Reinvestment Act of 2009 (ARRA).  

On October 7, 2009, CCHIT will "offer a modular certification program called Preliminary ARRA 2011 that is limited to the standards for qualifying EHR technology under the American Recovery and Reinvestment Act (ARRA)."

More from the CCHIT press release:

The Commission has followed and analyzed the emerging recommendations of the health information technology advisory committees to the Office of the National Coordinator (ONC), and believes there is sufficient information to offer the preliminary ARRA certification now.

HHS criteria and standards are expected to be published by the end of 2009. Final rules on Meaningful Use are expected later in the Spring of 2010. If that process results in the introduction of new requirements, the Commission will offer vendors with preliminary certifications an incremental inspection at no additional fee to bring their certifications into alignment with the final rules. The Commission’s certification materials including criteria, test scripts and certification policies for both programs will be published at http://cchit.org on September 24. Applications for certification will open online on October 7.

"Certification Commission Launching 2011 Certification Programs In October," CCHIT press release (September 8, 2009).

"Federal committees to continue work on meaningful use," Healthcare IT News (September 11, 2009).

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Via HHS e-mail update:

The Office of the National Coordinator for Health Information Technology (ONC) is pleased to announce the availability of materials that are of immediate interest and use to stakeholders and potential applicants for the Health Information Technology Extension Program: Regional Centers Cooperative Agreement Program, and that are new or updated since the August 27, 2009 technical assistance telephone and web conference.

REVISED – Preliminary Application Template (Attachment I to the Funding Opportunity Announcement):  As discussed on the August 27th technical assistance public conference, the suggested template for applicants’ use in compiling and presenting the information required for the Preliminary Application has been updated to include the complete requirements established in the funding opportunity announcement and is now available from www.grants.gov and the Extension Program section of ONC’s website at http://healthit.hhs.gov/extensionprogram.

NEW – A complete transcript of the August 27th technical assistance conference is available for download from the Extension Program section of ONC’s website.  Please visit http://healthit.hhs.gov/extensionprogram to access detailed information about the conference, including the transcript and the presentation slides used during the call.

NEW/REVISED – Program-specific Frequently Asked Questions (FAQs) are now available on the Extension Program section of ONC’s website.  New FAQs are posted frequently, so potential applicants and other interested parties are encouraged to visit often.  Please visit http://healthit.hhs.gov/extensionprogram then scroll down and click on “Frequently Asked Questions”.

On the HIT Extension Program site, you can find the Funding Opportunity Announcement / Application Instructions document,  as well as a large FAQ section and the "Facts-At-A-Glance" summary. 

You can find the August 27th, 2009 presentation (PPT) here, and the transcript of that same presentation here.

"Health Information Technology Extension Program: Regional Centers Cooperative Agreement Program Update," HHS e-mail update (September 3, 2009).

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On August 19, 2009, pursuant to the HITECH Act, the Department of Health and Human Services (HHS) published the interim final regulations regarding breach notification requirements for health care providers and other entities covered by HIPAA. 

According to the HHS press release:

The regulations, developed by the HHS Office for Civil Rights (OCR), require health care providers and other HIPAA covered entities to promptly notify affected individuals of a breach, as well as the HHS Secretary and the media in cases where a breach affects more than 500 individuals. Breaches affecting fewer than 500 individuals will be reported to the HHS Secretary on an annual basis. The regulations also require business associates of covered entities to notify the covered entity of breaches at or by the business associate.

You can find the text of the regulation here.

Stay tuned for more analysis of this important set of regulations on this blog. The interim final regulations are effective 30 days after publication in the Federal Register and include a 60-day public comment period. 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Via Government Health IT:

The federal Health IT Policy Committee today endorsed recommendations that would leave the Certification Commission for Health IT in the short term as the sole organization authorized to certify health IT systems that qualified for funding under the economic stimulus plan. More certifying organizations would be added later.

Certification of electronic health record systems that met federal criteria for “meaningful use” of health IT could start as early as October, members of the Department of Health and Human Services’ Health IT Policy Committee said at the August 14th meeting.

Under the plan, CCHIT would provide a preliminary stamp of approval that health IT systems were HHS-qualified or certified until a final meaningful use regulation is published at the end of the year, said Marc Probst, chief information office of Intermountain Healthcare and co-chairman of the Committee’s certification work group.

Preliminary certification is meant to give providers and vendors enough certainty to proceed with planning, designing and purchasing systems in 2010. The HHS certification-qualification would mean that a provider purchasing the systems would be eligible for Medicare and Medicaid incentive payments under the stimulus law beginning in 2011.

"CCHIT will be sole health IT certifier, for now," Government Health IT (August 14, 2009).

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Pursuant to the American Recovery and Reinvestment Act of 2009 (ARRA), the Federal Trade Commission (FTC) issued the final rule regarding notification requirements for breaches of electronic health information by vendors of personal health records and certain affiliated entities:

The rule applies to both vendors of personal health records – which provide online repositories that people can use to keep track of their health information – and entities that offer third-party applications for personal health records. These applications could include, for example, devices such as blood pressure cuffs or pedometers whose readings consumers can upload into their personal health records. Consumers may benefit by using these innovations, but only if they are confident that their health information is secure and confidential.

<...>

The Final Rule requires vendors of personal health records and related entities to notify consumers following a breach involving unsecured information. In addition, if a service provider to one of these entities has a breach, it must notify the entity, which in turn must notify consumers. The Final Rule also specifies the timing, method, and content of notification, and in the case of certain breaches involving 500 or more people, requires notice to the media. Entities covered by the rule must notify the FTC, and they may use a standard form, which can be found along with additional information about the rule at www.ftc.gov/healthbreach.

You can find the full text of the rule here.

"FTC Issues Final Breach Notification Rule for Electronic Health Information," FTC Press Release (August 17, 2009).

• Email This
• Print
• Comments
• Trackbacks
• Share Link

The State of Maryland awarded $10 million to support the Chesapeake Regional Information System for our Patients (CRISP), a newly created health information technology exchange organization.  Some of  the biggest players in Maryland's health care industry, including Johns Hopkins, MedStar and the University of Maryland Medical System are going to participate in CRISP. 

According to the Baltimore Business Journal:

Funding will come from the hospitals that will receive a slight increase in the prices they can charge patients and federal stimulus money.

The news comes as health care officials and lawmakers champion electronic medical records as a way of reducing health care costs. They argue that electronic medical records will reduce costs by hopefully eliminating unnecessary tests and reducing errors by allowing doctors to quickly access patients’ medical records.

State health insurers plan to provide incentives to hospitals, which include a lump sum payment or increased reimbursement, to adopt electronic health records.

"Maryland awards $10M for health IT exchange," Baltimore Business Journal (August 5, 2009).

• Email This
• Print
• Comments
• Trackbacks
• Share Link

The New York Times reported on Americans' growing concern regarding commercial use of their personal health information, especially the use of re-identified prescription drugs information for marketing purposes.  

The article points out correctly that the Recovery Act of 2009 (ARRA) included a few key changes to the present privacy regime, which would make it more difficult for pharmacies and data mining companies to use patient information for marketing or fundraising purposes.  While the new law (and the upcoming applicable HHS regulations sanctioned by ARRA) will close a few loopholes in the current medical privacy regime, data mining companies like IMS Health and Verispan do not seem to be overly worried about these new developments:

The law won’t shut down the medical data mining industry, but there will be more restrictions on using private information without patients’ consent and penalties for civil violations will be increased. Government agencies are still writing new regulations called for in the law.  <...>

IMS Health reported operating revenue of $1.05 billion in the first half of 2009, down 10.6 percent from the period a year earlier. [An IMS representative] said he did not expect growing awareness of privacy issues to affect the business.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

HHS Secretary Kathleen Sebelius has delegated the responsibility for administration and enforcement of the HIPAA Security Rule to the Office of Civil Rights, a division of HHS.  Previously, Centers for Medicare and Medicaid Services (CMS), another HHS division, was responsible for Security Rule administration, while OCR was tasked with administering and enforcing the HIPAA Privacy Rule.  Effective immediately, OCR is responsible for administering both Security  Rule and Privacy Rule, as well as all HIT privacy and security related provisions in the HITECH Act.

According to HHS, this move "will eliminate duplication and increase efficiencies in how the department ensures that Americans’ health information privacy is protected."  This transfer of authority is not meant to create any disruption of current procedures.  Consumers may continue to submit HIPAA security complaints using the on-line resource – the Administrative Simplification Enforcement Tool (ASET) -- which can be accessed here. New security complaints may also be sent to the Office for Civil Rights. 

You can find the Federal Register notice here.

"HHS Delegates Authority for the HIPAA Security Rule to Office for Civil Rights," HHS Press Release (August 3, 2009).

• Email This
• Print
• Comments
• Trackbacks
• Share Link

eHealth Initiative, an affiliation of organizations devoted to improving the quality, safety and efficiency of healthcare through information technology, released its 2009 survey on Health Information Exchange (HIE), titled "Migrating Toward Meaningful Use: The State of Health Information Exchange."

The survey found many positive trends in the expansion of HIE's in the United States, including:

• the number of operational HIE initiatives (e.g., exchanges transmitting live data among stakeholders) has increased by nearly 40% since 2008;
• positive impact on physician practices by improving efficiency without disrupting care (e.g., quicker access to test results, reduced staff time spent searching for results and performing other administrative functions);
• reduction in costs associated with, inter alia, reduced staff time spent on searching for test results and performing other clerical functions, as well as reduction in duplicate tests and medical errors; and
• steadily growing number of initiatives are exchanging data, with almost universal increases in the type of data exchanged.

The survey also found that "initiatives identified 'addressing privacy and confidentiality issues' as the most pressing challenge they face, surpassing 'developing a sustainable business model'."

eHealth Initiative's press release, which includes a more detailed summary of the survey, can be found here.

"Migrating Toward Meaningful Use: The State of Health Information Exchange," eHealth Initiative Study (July 22, 2009).

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Via Healthcare-Informatics:

By 2011, at least 10 percent of all orders processed in a hospital must be entered through CPOE to qualify that institution for CMS incentives under the HITECH Act, according to a proposed matrix of meaningful use released today by ONC’s HIT Policy Committee.

Other 2011 hospital requirement are:

• implementation of drug-drug, drug-allergy, and drug-formulary checks
• maintenance of up-to-date problem lists of current and active diagnoses based on ICD-9 or SNOMED
• incorporation of lab-test results into EHR as structured data
• reporting of hospital quality measures to CMS
• implementation of one clinical decision rule related to a high-priority hospital condition
• providing of patients with an e-copy of their health information
• capability to exchange key clinical information (eg. discharge summary, procedures, problem lists, medication lists, allergies, test results) among providers of care

In another major development, the committee recommended that incentives be paid according to an ‘adoption year’ timeframe rather than a calendar year timeframe. “Under this scenario, qualifying for the first-year incentive payment would be assessed using the 2011 Measures. The payment rate and phaseout of payments would follow the calendar dates in the statute, but qualifying for incentives would use the ‘adoption-year’ approach,” the committee stated.

Here is the link to the matrix.

Stay tuned for more on meaningful use definition.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On June 16, 2009, the Workgroup on Meaningful Use presented its findings to the HIT Policy Committee.  The findings include two parts:  the preamble and the matrix.   The matrix consists of goals to be achieved by 2011, 2013, and 2015, and the metrics for such goals to evaluate hospital and clinician progress in meeting them.

We will have much more analysis on this preliminary definition later, so stay tuned for our updates.  Meanwhile, our favorite "geek doctor" John Halamka stated the following on his blog:

Now that the initial definition of meaningful use is available, the HIT Standards Committee workgroups and HITSP will work through the month of July to ensure the matrix is populated with the most up to date standards and implementation guide detail.

Hospitals and Clinician offices now know what is expected for 2011, so the time is now to begin your software implementations.

"Meaningful Use has Arrived", Life as a Healthcare CIO (June 16, 2009).

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Healthcare IT News reports that a new study projects that the market for electronic health records related equipment and software will reach $1.6 billion in 2013, which is almost three times more than last year's value.  EHR market was estimated at $575 million in 2008.  ARRA is, of course, the main reason for such a steady rise in market value:

Driven by the growing use of EMRs in hospitals and physician offices, this segment of the patient monitoring market will grow 23.3 percent annually through 2013, notes the report, "High-Tech Patient Monitoring Systems Markets (Remote and Wireless Systems, Data Processing, EMR Data Transfer)."

Increased use of EMRs and high-tech patient monitoring systems is a key piece of President Barack Obama's plan to fix the ailing healthcare system, the report notes, because they have the potential to improve patient outcomes and satisfaction, provide cost savings and more efficient use of healthcare resources and reduce hospitalizations.

Full article here.

"Market for EMRs pegged at $1.6 billion by 2013", Healthcare IT News (June 4, 2009).

• Email This
• Print
• Comments
• Trackbacks
• Share Link

The National Committee on Vital and Health Statistics (NCVHS) held a public meeting on April 28-29, 2009 in Washington, DC to help define and clarify the term “meaningful use” with respect to such term's use under the HITECH Act.  

NCVHS provided a summary report of  "the themes elaborated upon by the over 100 stakeholders who provided oral and written testimony" during the hearing.  The report is merely a digest of testimony, and does not include commentary or recommendations from NCVHS.

You can find the full report here.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On May 15, 2009, the U.S. Department of Health and Human Services (HHS) released Recovery Act implementation plans:

HHS is moving quickly and carefully to award Recovery Act funds in an open and transparent manner that will achieve the objectives of each ARRA program. Implementation plans provide detailed information regarding the goals, funding, contracts competition, contract type, and accountability mechanisms.

HHS and the Office of National Coordinator for Health IT (ONC) released two such implementation plans aimed specifically at accelerating the adoption of health information technology pursuant to the HITECH Act:  the Recovery Act Implementation Plan for Medicare and Medicaid incentives, and the accompanying Implementation Plan from the ONC.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

The Washington Post provides an interesting behind-the-scenes account of how the funds for electronic health records adoption were included into the American Recovery and Reinvestment Act of 2009, commonly known as the stimulus bill.  Health Information and Management System Society (HIMSS) played a crucial role in this lobbying effort.  According to the Post:

[HIMSS] had worked closely with technology vendors, researchers and other allies in a sophisticated, decade-long campaign to shape public opinion and win over Washington's political machinery.

You can read the whole article here.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Steve Fox was interviewed in this month's Cover Story "The Big Push", in For the Record, a biweekly  magazine for health information management professionals, regarding the incentives and challenges of EHR adoption.  On incentives included in the HITECH Act, Steve argued that:

“it’s almost crazy not to adopt EHRs because we’re talking about a significant amount of money ... From my discussions with hospitals and other physicians, the consensus seems to be that leaving that large sum on the table would just be foolish. Some hospitals I’ve spoken with are anticipating this will bring in millions.”

Steve also identified interoperability as a crucial goal for EHR systems:

“Trying to encourage not just adoption of EHRs but having them all interconnected is definitely the next step and perhaps even the definition of success in the end ... Hospitals need to be connected with one another or the EHRs are not being used to their full potential. Take Philadelphia, for instance. There are a lot of hospitals there but almost no connectivity among them. If a patient has his records at one hospital but gets taken to a different hospital, there’s no way to access his records, even if they do have an EHR in place.”

You can read the full article here.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

• The Federal Trade Commission (FTC) issued interim regulations regarding breach notification requirements for PHR vendors, as mandated by the American Recovery and Reinvestment Act of 2009.  According to the FTC press release, aside from breach notification, the proposed rule also:

stipulates that if a service provider to one of these [PHR vendor] entities experiences a breach, it must notify the entity, which in turn must notify consumers of the breach. The proposed rule contains additional requirements governing the standard for what triggers the notice, as well as the timing, method, and content of notice. It also requires entities covered by the proposed rule to notify the FTC of any breaches. The FTC can then post information about the breaches on its Web site, and notify the Secretary of Health and Human Services.

             The full notice can be found here.

• Mayo Clinic, in collaboration with Microsoft, launched its new personal health record (PHR) site on Tuesday April 21, 2009.  The Mayo Clinic Health Manager uses Microsoft's HealthVault system to store medical histories, test results, immunization files and other records from doctors' offices and hospital visits, along with data from home devices like heart rate monitors.  Anyone, not just Mayo Clinic patients, can open an account online; users can grant limited access to doctors, family members, and others to view the information contained in their PHR.  It would be very interesting to learn if the Mayo Clinic required Microsoft to sign a Business Associate Agreement, or if Microsoft would publicly acknowledge that their PHR product is subject to certain privacy and security rules under HIPAA.  ("Mayo Clinic backs new personal health record site", USA Today, April 21, 2009.)

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Bob Brewin of NextGov interviewed Steve Fox regarding the new privacy rules for vendors of personal health records (PHRs), and the applicability of such rules not only to PHR vendors such as Google and Microsoft, but also to the less obvious "related entities", a group so broad it may include an iPhone app:

Steven Fox, a lawyer with Post & Schell in Washington who co-chairs the firm's data protection group, agreed that the rules cover Google and Microsoft but said he wished FTC had specifically identified the two companies in the proposed rules.

The rules cover about 200 vendors of personal health record systems and 500 "related entities, which include online medication or weight tracking programs, and 200 third-party providers that offer billing and data services.

The related entities category could include low-cost iPhone applications that would have to comply with the potentially costly breach notification process, Dixon said. An online guide lists "100 Fabulous iPhone Apps for Your Health and Fitness," and Fox said these applications would be covered by the breach notification rules if they exchange information with personal health records.

("Proposed breach notification rule would affect more health vendors", NextGov, April 16, 2009.)

• Email This
• Print
• Comments
• Trackbacks
• Share Link

In an interview with Thompson's Compliance Information Center, Steve Fox urged healthcare providers to begin the compliance process to meet the new data privacy and security requirements imposed under the American Recovery and Reinvestment Act of 2009: 

“The main message for providers is that ARRA is not something they can wait until next year for,” said Steven J. Fox, Esq., a partner at the law firm Post & Schell in Washington D.C. and co-author of the Guide to Medical Privacy & HIPAA.  Although Fox does not advise covered entities to completely overhaul their HIPAA compliance programs before HHS issues regulations, he does say they should begin reviewing all of their current privacy and security policies and procedures and comparing them with the new ARRA requirements. Entities should conduct “a thorough self analysis to determine where they stand.

Covered entities also should train their staff so they understand the importance of privacy and security. Under ARRA’s new penalty provisions, there is an increased potential of significant fines being levied, so entities should prepare by readying their staff for new requirements.

“People need to be trained and retrained to understand how their jobs are changing” as a result of the ARRA privacy and security provisions, Fox said. But, he cautioned “it is premature to do an overhaul of training programs” right away. “Someone needs to revise the whole compliance training program to include all of the ARRA changes — but not too far in advance before the changes are required,” he said.

This interview also headlined IAPP's Daily Dashboard briefing on April 16, 2009.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

From HHS:

On April 17, 2009, HHS issued guidance specifying the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals, as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act passed as part of American Recovery and Reinvestment Act of 2009 (ARRA). This guidance was developed through a joint effort by OCR, the Office of the National Coordinator for Health Information Technology (ONC), and the Centers for Medicare and Medicaid Services (CMS).

This guidance relates to two forthcoming breach notification regulations – one to be issued by HHS for covered entities and their business associates under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Sec. 13402 of HITECH) and one to be issued by the Federal Trade Commission (FTC) for vendors of personal health records and other non-HIPAA covered entities (Sec. 13407 of HITECH). HITECH requires these regulations to be published within 180 days of enactment. If the entities subject to the regulations apply the technologies and methodologies specified in the guidance to secure information, they will not be required to provide the notifications required by the regulations in the event the information is breached.

The Guidance can be viewed (in PDF) here.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Our own Steve Fox and HIMSS President H. Stephen Lieber were interviewed by Deirdre Kennedy of iHealthBeat, a daily news service from the California Healthcare Foundation, in an iHealthBeat Special Report about ARRA's impact on the healthcare industry and other hot topics discussed at this year's HIMSS conference in Chicago.  You can listen to this audio report here.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Post & Schell is presenting a webinar featuring Vadim Schick and Peter Hardy, who will discuss the practical and legal issues created by the new and upcoming changes in the data privacy protection regime.  Topics will include:

• The Identity Theft Prevention Programs required by the Red Flags Rule
• New data breach requirements imposed by HIPAA
• Pending federal data privacy legislation that mirrors existing state laws
• What steps to take now to be prepared
• Why preparing now will save you money and grief later

You can view this presentation at your desk.  There is no charge or limit to the number of people who can listen to the presentation on the same line. Click the following link to register for the GoToWebinar presentation:  register now.   After registering, you will receive log-in information for the April 7th webinar by e-mail.

Also, some of the issues discussed above, including compliance with the Red Flag Rules and HIPAA Privacy and Security Rules, are discussed in a new article by Peter and Vadim, "Preventing Data Breaches:  HIPAA Compliance and the Red Flag Rules," published in the April 2009 edition of Compliance Today, and accessible via this link.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Hospitals, multi-hospital systems, and integrated healthcare delivery systems are increasingly utilizing data-sharing technology to communicate with, and share documents among, their officers and directors. 

For example, some healthcare business enterprises use online services to upload documents to a “secure” Internet web site for Board members’ review prior to Board meetings, in lieu of sending out such documents via e-mail or in paper form. Healthcare business enterprises using such services need to be aware of many potential security and privacy risks inherent in transmitting, uploading and storing sensitive, confidential or even proprietary information via the Internet.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Healthcare Informatics Editor-in-Chief Anthony Guerra recently talked with our own Steve Fox and fellow Post & Schell partner Edward Shay about the substance of the HITECH Act and what this new legislation means for healthcare providers. The interview appears under the "Online Exclusives" section of the Healthcare Informatics Web site.

Healthcare Informatics recently published Part III and Part IV of the interview on its Web site.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

A battle royal rages on among various Harvard physicians about the effects of a widespread adoption of EHR technology.  In a Wall Street Journal op-ed, two Harvard doctors questioned President Obama's claim that nationwide adoption of EHR technology will save the taxpayers as much as $80 billion annually.   Drs. Groopman and Hartzband call on Mr. Obama to "apply real scientific rigor to fix our health-care system rather than rely on elegant exercises in wishful thinking."  

However, three other Harvard physicians, including Geek Doctor John Halamka, published a Letter to the Editor in response to the Groopman/Hartzband Op-Ed, claiming that the latter did not present a full or accurate picture of the positive effects of widespread adoption of EHR technology.  In part, Drs. Halamka, Bates and Middleton claim that:

The electronic health record represents a transformational change in healthcare, and will enable an array of improvements—although it will not necessarily result if implemented badly. The electronic record is to the paper record as the automobile was to the horse and buggy. No one will want to go back.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Healthcare Informatics Editor-in-Chief Anthony Guerra recently talked with our own Steve Fox and fellow Post & Schell partner Edward Shay about the substance of the HITECH Act and what this new legislation means for healthcare providers.  The interview appears under the "Online Exclusives" section of the Healthcare Informatics Web site. 

In Part I and Part II of the interview, Steve and Ed discuss the incentives for hospitals and physician practices included in the HITECH Act; new regulations to be promulgated by HHS Secretary under this Act; and what actions hospitals and physician practices should be considering at this time in order to qualify for the incentive payments under the Act.

Part III is coming soon, and we will update this entry when it is published on Healthcare-Informatics.com. 
 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

• Kaiser Permanente and IBM inked a $500 million, seven-year IT services deal.  IBM will manage Kaiser's data center operations, storage and software, but IBM will not have access to patients' medical records.  AP, San Francisco Chronicle (March 17, 2009).
• A new study expects that as much as three-quarters of prescribers will use e-prescribing by 2014 because of the incentives for adoption of e-prescribing technology included in the HITECH Act (though only about 15% of current prescribers use e-prescribing).  This could result in a massive $22 billion reduction in drug and medical costs.  Government Health IT (March 17, 2009).
• Wal-Mart is bringing its "high-volume, low-cost" approach to the medical records industry.  Wal-Mart's Sam's Club division will produce a package that will include hardware from Dell, software from eClinicalWorks, as well as installation, maintenance and training services.  According to the New York Times (March 11, 2009), the "Sam’s Club offering, to be made available this spring, will be under $25,000 for the first physician in a practice, and about $10,000 for each additional doctor. After the installation and training, continuing annual costs for maintenance and support will be $4,000 to $6,500 a year, the company estimates." This development has huge implications for the EHR market, and may actually aid the widespread adoption of EHR technology.   Healthcare IT News (March 11, 2009) also covered this story.

More news after the jump.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

HHS may award grants to eligible institutions “to carry out demonstration projects to develop academic curricula integrating certified EHR technology in the clinical education of health professionals.” Eligible institutions are limited to:

• a school of medicine, osteopathic medicine, dentistry, or pharmacy, a graduate program in behavioral or mental health, or any other graduate health professions school;
• a graduate school of nursing or physician assistant studies;
• a consortium of two or more schools described above; or
• an institution with a graduate medical education program in medicine, osteopathic medicine, dentistry, pharmacy, nursing, or physician assistance studies.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Physician practices are eligible to receive up to $44,000 per physician for meaningful use of certified EHR technology (as described here*):

• Up to $18,000 for the first year (dropping to $15,000 if first year is not 2011 or 2012); $12,000 for the second year; $ $8,000 in year 3, $4,000 in year 4 and $2,000 in year 5.  (See table after the jump.)
• There will be no incentive payments for practices establishing their meaningful EHR use after 2014 (e.g., beginning 2015).
• Meaningful EHR use by physicians will be further defined by regulations, but at a minimum, includes the use of e-prescribing and participation in “the electronic exchange of health information to improve the quality of health care, such as promoting care coordination,” i.e., HIEs or RHIOs.
• For the electronic exchange of health information to improve the quality of health care, such as promoting care coordination.
• There is a 10% premium for physicians with practices in under-serviced areas.
• However, if a physician practice does not achieve meaningful EHR status by 2015, Medicare reimbursement fees will be reduced by 1% in 2015, 2% in 2016, 3% in 2017 and beyond; and the Secretary will have the right to reduce fees by 5% starting in 2018 for those practices where meaningful EHR use is under 75%.

• Email This
• Print
• Comments
• Trackbacks (1)
• Share Link

Each eligible hospital (a “subsection (d) hospital,” as defined under 42 U.S.C. §1395ww(d)(1)(B)) which does not include psychiatric hospitals, rehabilitation hospitals, children’s hospitals or long term care hospitals) that achieves "meaningful" EHR use may qualify to receive from Medicare an amount equal to the product of the following formula:

Initial Amount
($2 million plus additional amounts calculated in accordance with each hospital’s Medicare discharges)

X

Medicare Share
(roughly, a hospital’s share of Medicare discharges over total discharges)

X

Transition Factor:

Year 1 – 100%
Year 2 – 75%
Year 3 – 50%
Year 4 – 25%
Year 5 – 0%

“Meaningful users” are hospitals or physician practices able to demonstrate that one’s EHR technology is connected in a way that improves the quality of health care through reported results on clinical quality and other measures selected by the Secretary. Meaningful EHR use includes quality reporting and may be demonstrated by attestation, survey response, appropriate claims or quality reporting, or such other manner as the Secretary specifies.  Of course, the question remains as to how HHS will define “meaningful” use, and we will just have to wait until the end of this year to find out. The concern is that if HHS raises the bar too high, it will exclude hospitals who will be unable to achieve it within a reasonable time.

“Certified EHR technology” will be technology that is certified by an independent body recognized by the Secretary as meeting standards for such technology established by the Secretary by rulemaking before Dec. 31, 2009.

• Email This
• Print
• Comments
• Trackbacks (1)
• Share Link

In the economic stimulus legislation recently signed by President Obama (the American Recovery and Reinvestment Act of 2009), the U.S. Congress has provided the health care industry with more than $17 billion in incentives to acquire and implement electronic health record (EHR) technology and the associated infrastructure.

The HITECH Act (“Act”) portion of the stimulus includes major incentives for, among others:

• Hospital systems;
• Individual physician practices (not affiliated with hospitals);
• Universities and institutions of higher learning;
• Health Information Exchanges (HIEs); and
• States and certain state-designated entities.
   

In addition to the incentives, the Department of Health and Human Services (HHS) will have broad discretion in determining the amounts of grants, loans or subsidies extended to potential beneficiaries. HHS will also propose a set of procedures for claiming or applying for such assistance, to be published in the Federal Register for comment.

• Email This
• Print
• Comments
• Trackbacks
• Share Link