See Washington Post article at "Cyberattack at health insurer exposed data on 11 million customers -- including medical information"
See Washington Post article at "Cyberattack at health insurer exposed data on 11 million customers -- including medical information"
See ABA Journal (American Bar Association) article at "Lawyer who clicked on attachment loses $289K in hacker scam"
See Modern Healthcare article at "Hackers breach Anthem; 80M exposed"
The draft regulatory language of Stage 3 of the meaningful use program, scheduled to start in 2017, has been submitted for review to the Office of Information and Regulatory Affairs in the Office of Management and Budget. The rules, submitted to the OMB by the Office of the National Coordinator for Health Information Technology, may reflect some of the discussions that have been taking place in the healthcare industry regarding lessons learned from the program’s roll-out so far.
See Modern Healthcare article at "EHR Stage 3 proposals go to OMB, hint at changes"
It has been a commonly held belief that a patient cannot sue under HIPAA for a breach of confidential health information as HIPAA provides no private cause of action. The patient’s only recourse has been to report the violation to the relevant federal agency responsible for enforcing the law, in this case the Department of Health and Human Services.
Recently, however, the Connecticut Supreme Court overturned a lower court’s decision that HIPAA precludes plaintiffs’ individual liability claims relating to violations of health information confidentiality. In Byrne v. Avery Center for Obstetrics and Gynecology, in which the clinic released PHI in response to a subpoena, the higher court ruled that “If Connecticut’s common law recognizes claims arising from a health care provider’s alleged breach of its duty of confidentiality in the course of complying with a subpoena, HIPAA and its implementing regulations do not preempt such claims.”
The Connecticut court’s ruling follows similar rulings in Tennessee and Delaware in recent years. The Connecticut ruling went on to say “We further conclude that, to the extent it has become the common practice for Connecticut health care providers to follow the procedures required under HIPAA in rendering services to their patients, HIPAA and its implementing regulations may be utilized to inform the standard of care applicable to such claims arising from allegations of negligence in the disclosure of patients’ medical records pursuant to a subpoena.”
Healthcare providers are, of course, paying close attention to these court rulings. But these rulings are sending shock waves through other industries as well whose privacy and data security is similarly governed by federal laws that do not provide a private cause of action. These laws include FERPA and COPPA -- which protect the privacy of students and children, GLBA – the Gramm-Leach-Bliley Act – which governs financial institutions, and the wide-reaching FTC Act – the Federal Trade Commission Act.
See Clinical Psychiatry News article at “Court: Patients can sue over HIPAA breaches”
Electronic health records have been touted as having – and have proven to have – many benefits for healthcare organizations in terms of cost savings and efficacy of medical treatment. They are not, however, unalloyedly beneficial in the courtroom. As might be expected, the most important evidence in malpractice cases is medical records and now that they are digitized these records tend to be in EHR form. According to defense attorneys, electronic medical records come with their own set of problems for the provider facing a malpractice lawsuit. One striking issue is the “autofill” feature in EHR templates which automatically populates fields with data that may not be pertinent to the situation at hand. Other issues include technical glitches, as well as users not using the software correctly.
See Business Insurance article at "Malpractice suits often tap electronic medical records"
The American Health Information Management Association (AHIMA) recently released a set of guidelines regarding data governance of what it calls “information assets.” AHIMA asserts that the healthcare industry must manage the huge amounts of data it works with in an intentional, standardized manner across the industry. According to AHIMA, “information governance” is “…an organization-wide framework for managing information throughout its lifecycle and supporting the organization’s strategy, operations, regulatory, legal, risk, and environmental requirements.” Prioritizing accuracy, timeliness and accessibility, AHIMA’s approach rests on eight principles: accountability, transparency, integrity, protection, compliance, availability, retention, and disposition.
See Modern Healthcare article at “AHIMA releases principles for new area: information governance,” and the 21-page AHIMA document at “Information Governance Principles for Healthcare”
In a development sure to draw attention, the California Supreme Court last week upheld a lower court’s dismissal of the $4.25 billion case against Sutter Health arising from an October 2011 data breach. A password-protected computer full of unencrypted data, stolen from one of Sutter Health’s Sacramento locations, contained records for 4.24 million patients. In July 2014, thirteen coordinated lawsuits in the case were dismissed by an appeals court. According to the appeals court, the case was dismissed because there is no evidence the stolen data has been used.
See Sacramento Business Journal (California) article at “California Supreme Court declines to review Sutter data-breach case”
A new report on what went wrong in the processing of the late Thomas Eric Duncan upon his first visit to the emergency room proposes that a combination of human and computer errors was responsible. A team of medical informaticists reviewed events leading up to the misdiagnosis, reporting their findings in "Ebola U.S. Patient Zero: Lessons on Misdiagnosis and Effective Use of Electronic Health Records." The report, published October 23 in the online journal Diagnosis, suggests that certain EHR usability issues can contribute to medical errors. One concern of the researchers is that EHRs are designed to try to “routinize” processing of patient information in a way that may blinder providers when faced with an out-of-the-ordinary situation.
See Modern Healthcare article at “Botched U.S. Ebola diagnosis points to computer, human errors” and Information Week article at “Ebola Misdiagnosis: Experts Examine EHR Lessons”
Credit card numbers have dropped precipitously in value in recent years as PHI replaces it on the underground market. Why? Cyber criminals use the PHI to engage in medical fraud which, because of its complexity, may continue undetected for years. Theft and misuse of credit cards, on the other hand, is usually detected almost immediately and the cards canceled. In addition, in part because the financial industry has had many more years to develop sturdy safeguards against data theft, healthcare industry data is relatively easier for thieves to access.
See Reuters article at “Your medical record is worth more to hackers than your credit card”
In its final guidance issued last week, the Food and Drug Administration is requesting that device makers assess what information hackers might target in connection with their devices, how hackers might attempt to access the information, and how device makers intend to address these issues both before and after putting their products on the market. In addition, FDA is requesting that device makers report in to the agency on a continuing basis regarding cybersecurity incidents that arise after product approval.
Medical devices currently on the market are considered to be relatively easy to hack, according to cybersecurity experts. Cybersecurity and device usability, unfortunately, tend to exist in inverse relation so the challenge for device makers is to find a workable balance between the two.
See Modern Healthcare article at “FDA seeks cybersecurity assessments from medical-device makers,” the FDA press release, and the final guidance entitled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices” online and in pdf form.
Uncertainty and disagreement regarding how to handle behavioral and other sensitive healthcare data such as HIV and reproductive health records has been a stumbling block for healthcare in various ways. Potential patients don’t seek help because of fear their records will be too widely released and the patients permanently harmed as a result. According to the Substance Abuse and Mental Health Services Administration (SAMHSA), one quarter of adults needing mental healthcare go without due to this fear, with that statistic rising to over 35% among young adults.
Meanwhile, healthcare providers want to provide more effective treatment by coordinating physical and behavioral care. To do this, sensitive PHI must be transferred from behavioral to physical care providers. However, behavioral healthcare and physical healthcare providers operate under different and sometimes mutually contradictory rules about how patient records may be handled and shared. Many providers have technology to handle only “less sensitive” healthcare records. Because the whole issue is in such a state of flux, little software exists so far to properly handle sensitive PHI. Even if the technology to handle sensitive data was easily available, purchasing additional software to handle such data is out of financial reach for many providers.
In the midst of all this, providers, vendors and federal agencies move forward in developing solutions. A new technological approach is to place patient-directed privacy controls on EHRs. The federal initiative promoting this type of technology is called DS4P -- data segmentation for privacy. A pilot software system being tested by University of Michigan Health and an Ann Arbor behavioral health provider compares behavioral health record requests made by UMH against the list of patient consent forms which are stored in the system. If a patient consent form in the system matches the request, the information is released to UMH through a secure portal.
See Modern Healthcare article at “Tech fixes ease sharing of sensitive patient data”
Until recently, healthcare software has been developed by IT professionals grounded in the healthcare industry. The latest arrivals to HIT development come from a range of non-healthcare industries. The vendor of one new product currently on the HIT market last developed software related to automobile sales, while another previously developed public relations software that helps customers manage their online image. Some observers worry that the newcomers’ disconnect from the healthcare arena threatens the success of products they may develop, but others say this freedom from preconceptions may lead to bold and successful innovation.
See Modern Healthcare article at "IT entrepreneurs rush into healthcare, but will human touch be missing?"
An impressive number of healthcare providers met Stage 1 requirements and qualified for EHR payments in 2011 and 2012 – some 170,000. Of these providers, who are therefore eligible to continue in the EHR incentive program, only about 4% appear to be on track to meet Stage 2 requirements. With the December 2014 deadline looming, providers are in danger of losing billions according to data recently released by the Centers for Medicare & Medicaid Services (CMS).
See Modern Healthcare article at “Number of providers facing Stage 2 EHR hurdle puts billions at stake”
Healthcare providers cannot attest to meaningful use unless they use certified EHR software. Providers purchasing certified EHR software tend to assume that a certified EHR has been rigorously tested and can be counted on to ensure protection of patient data. This assumption may not be valid according to a report recently issued by the HHS’ Office of Inspector General.
The report publishes the results of an OIG audit of the ONC’s EHR Certification Program, focusing in particular on structures and procedures for ensuring data security in electronic health records. The audit primarily reviewed the temporary program the ONC employed prior to 2014. This earlier, temporary program was carried out by a group of five certification bodies (ACTBs) accredited by the American National Standards Institute and the National Voluntary Laboratory Accreditation Program and the OIG found some troubling flaws in it. For instance, the OIG discovered that while the program was supposed to perform periodic re-evaluations of EHRs after their initial certification, this did not consistently happen. This means that some EHRs, which had been, since their initial certification, modified in ways that rendered them no longer compliant, and in some cases seriously non-compliant, remained – and may still remain -- on the lists of certified products.
The ONC disagreed with the OIG report. The ONC claimed that since the temporary program has been replaced with the permanent one, which employs the 2014 Edition EHR Certification Criteria, the OIG’s critiques are no longer relevant. The OIG therefore went back to determine if problems with the temporary program had been corrected in the permanent program and found that many have not been. Among other concerns the OIG brought to light, the audit found that an EHR may be certified under ONC’s 2014 Certification Criteria – as under the earlier temporary program -- with passwords as short as a single character. The OIG found another significant issue that has persisted from the temporary program. If an EHR has been hacked converting it into malware, the ONC certification program is, except in rare cases, is not authorized to decertify the EHR, even temporarily, to prevent sales of the product. The OIG report contains a set of recommendations addressing these and other concerns.
See Modern Healthcare article at “OIG faults ONC's electronic health record security provisions,” and a copy of the OIG report.
The Centers for Medicare and Medicaid Services issued a final EHR meaningful-use rule last Friday, consistent with the proposal it published in May. The rule will grant healthcare providers more time and some flexibility in how they meet requirements for the EHR incentive program. One of the points on which the rule grants more leniency is that the MU third stage deadline for the first wave of adopters will change from January 1, 2016 to January 1, 2017. Another is that providers who need the time will have an additional year to use 2011 Edition EHR software before they must implement 2014 software.
See Modern Healthcare article at “CMS finalizes EHR meaningful-use rule, adds some flexibility”
Steve Fox, Information Technology Practice Chair and Data Protection/Breach Co-Chair at Post & Schell, will speak as well as moderate a panel discussion on "Dealing with Vendors: Best Practices for Contracting and 3rd Party Compliance" in early September 2014 at the Privacy and Security Forum in Boston.
Via Health Privacy Forum:
As outsourcing continues to gain steam in the healthcare, security and privacy officers must be more vigilant than ever that cloud vendors and other business associates who handle PHI comply with HIPAA and make privacy and security a high priority. Your relationship with your vendors begins with a well-negotiated contract, which is vital to protecting your interests and limiting potential liability in the event of a breach, but it’s only half the battle.
Just because you have a contract in place, doesn’t mean you can be hands off about privacy and security issues.
In this session, Steven J. Fox, a leading healthcare IT attorney, outlines some of the key terms and conditions that make up the contractual foundation that covered entities need when working with HIT vendors and other business associates. He'll also cover:
* What due diligence should be performed prior to starting contract negotiations?
* How vendors should share information about privacy & security breaches with your organization?
* How often (if at all) should you audit or monitor a vendor’s privacy & security performance?
* How to make sure a vendor returns, destroys, or appropriately safeguards your data at the end of the business relationship?
Fox will also moderate a panel discussion and examine what providers should expect from their vendor partners when it comes to protecting PHI and what vendors can realistically deliver.
The cloud, popular because businesses can pay a monthly fee for computer-related services instead of paying for costly in-house hardware and the staff to manage it, has its drawbacks. One of these became painfully evident for two days in mid-August. While the fact has received surprisingly little news coverage, the internet experienced intermittent periods of brownout worldwide on Tuesday and Wednesday, August 12 and 13. This was understandably alarming to healthcare providers who were unable to access patient records during these periods. Not all EHR cloud storage providers were affected, and those that were, were able to resolve the problem by the end of Wednesday. For cloud EHR storage vendors that invest in what are known as “system redundancies,” backup systems activated if primary systems become unavailable, business continued as usual during this period. Smaller healthcare practices in particular, tending to have smaller budgets to spend on their EHR systems, often choose more affordable EHR programs from vendors with less robust system redundancies in place. According to the Wall Street Journal, global internet traffic has grown too voluminous for the global routing system currently in place. While engineers are working to upgrade the routing system, progress on this project is not keeping up with demand and periodic brownouts are likely to continue to occur. Healthcare providers can protect themselves against the effects of future brownouts in various ways including investing in hybrid EHR storage systems, and including uptime guarantee clauses in their vendor contracts.
For more information see:
“Internet Outage Left Doctors Without Records For Hours – Huffington Post – internet – Google News,” News Journal Online (August 19, 2014)
“Internet Brownout Exposes Risk of Cloud-Based EHRs,” Medscape (August 22, 2014)
“The 512K 'Crisis' Makes Its Mark: Network Engineers Were Left Scrambling to Keep Web Customers Connected,” Wall Street Journal (August 18, 2014)
While the healthcare industry has become well-acquainted with patent trolls, they are not the only industry that has been hit. According to a Boston University study, American businesses paid $29 billion in 2011 alone to patent trolls in “licensing fees” in order to avoid litigation. In response to the expanding activities of patent trolls, more formally known as PAEs (patent assertion entities), efforts have been underway at the federal and state levels to develop mechanisms for protecting businesses. A patent reform bill which passed the House of Representatives 325-91 in December 2013, and had President Obama’s vocal support, was dropped by the Senate Judiciary Committee in May 2014 shortly before it would have come to a vote on the Senate floor. Observers say a new bill on the subject is unlikely to appear before 2015.
States are coming up with some creative ideas to address PAE activities. States are suing PAE’s under existing state consumer protection laws, and are also passing new laws directed at the activities of PAEs specifically. Some of the new laws include fee shifting measures, requiring a PAE to post bond for the legal fees the target of their lawsuit would incur in order to facilitate their payment of their opponent’s legal fees if the PAE’s suit fails. Bad faith demand letters tend to share common traits including being so vague regarding the recipient's alleged unlawful behavior that the recipient is unable to determine the validity of the accusation which, in the case of PAE demand letters, is patent infringement. Measures in some of the new state laws address these letters specifically by legislating how demand letters must be written to be legal, and/or requiring PAEs to submit their demand letters to the state for approval before they may send them out.
Despite the states' energy around this issue, they are hampered in their efforts by a century-old Supreme Court decision. In 1912 the Supreme Court ruled that for the most part cases pertaining to patent law fall under the jurisdiction of federal courts. The case currently in the limelight testing how restrictive the 1912 decision will be for the states is Vermont v. MPHJ. MPHJ asserts that, pursuant to the 1912 Supreme Court decision, the Vermont state court system in which Vermont filed its lawsuit against MPHJ has no jurisdiction. The question has gone before the federal courts twice so far in this case. In April 2014, Judge William K. Sessions III of the U.S. District Court for the District of Vermont noted that what the 1912 Supreme Court ruling actually says is that "Federal courts have exclusive jurisdiction of all cases arising under the patent laws, but not of all questions in which a patent may be the subject-matter of the controversy." According to Judge Sessions, the Vermont case is about bad faith demand letters rather than about patent issues, and therefore, the state court does have jurisdiction. In August 2014, the U.S. Appellate Court for the Federal Circuit dismissed MPHJ’s appeal, remanding the case back to state court. According to observers, MPHJ is likely to file another jurisdictional appeal.
See additional information at:
“Patent-troll fight ends in retreat,” Burlington Free Press (July 7, 2014)
"Patent troll case referred back to Vermont courts,” Brattleboro Reformer (August 15, 2014)
"States go after patent trolls - how far can they go?" ABA Landslide Magazine (July/August 2014)
ICD-10 delay reopens door to broader discussion among providers: is ICD-10 even the right way to go?
The postponement of the deadline for healthcare providers to implement ICD-10 (International Statistical Classification of Diseases and Related Health Problems) would seem to help ensure that the transition to the new coding system will unfold successfully. However, it is also now allowing time for further discussion in the medical community about whether ICD-10 is the right choice at all. As Meaningful Use Stage 2 requires adoption of the many times more complex SNOMED (Systematized Nomenclature of Medicine), some practitioners suggest that the community should skip ICD-10 altogether. Pointing out that ICD-10 is already 25 years old, they suggest the industry’s time would be better spent transitioning to SNOMED, completing ICD-11, and then implementing that once finished. Others suggest that using two separate, parallel coding systems doesn’t make sense and that one or the other should be chosen and implemented. Of these, some feel the industry should use SNOMED only, claiming that the ICD coding system is geared so specifically toward facilitating reimbursement that it doesn’t support providers in delivering care.
See Modern Healthcare article at “ICD-10: Is it for clinicians or reimbursement?”
Members of the Senate Appropriations Committee have become concerned that different brands of electronic health records software, paid for with tax dollars, are incompatible with one another thereby preventing healthcare organizations from sharing data. A recent Rand Corporation report highlighted this issue and noted that some software is engineered to block sharing of data. The Senate committee is requesting an investigation into the issue, and in the meantime has drafted a bill asking that the ONC “…decertify products that proactively block the sharing of information….”
See Information Week article at “Senate Committee Seeks EHR Interoperability Investigation” and“Draft Departments of Labor, Health and Human Services, and Education, and Related Agencies Appropriation Bill, 2015” (PDF)
Attorney Steve Fox speaks on "Hidden Risks of Cloud Computing" at American Hospital Association conference
Healthcare IT attorney Steve Fox spoke on risks of cloud computing at the AHA's Leadership Summit held in San Diego this year. According to attorney Fox, the data which the health care industry handles is growing exponentially, a trend driven in large part by the increasing use of mobile devices. In his talk he explained that health care providers are adopting cloud and mobile technology for their affordability and convenience, but may be unaware of hidden costs in these new options. Fox asserts that cloud computing presents new challenges for health care organizations in terms of securing the applications and data. Issues with vendors may arise over service levels, security of information, ownership of information that is remotely hosted by a third party and use of hosted data by the vendor. In his presentation Fox provided advice on how to avoid some of the more important pitfalls with cloud computing. He said that technology may provide greater efficiencies, but it must be used responsibly and that patient information which passes through the technology must be responsibly handled as well.
Eighty-nine members of the U.S. House of Representatives signed a letter to the Centers for Medicare and Medicaid Services requesting that Medicare laboratories be exempt from EHR requirements. CMS had already postponed the deadline for laboratory pathologists to comply with the requirements by a year. The lawmakers, however, assert that EHR systems are unnecessary for diagnostic labs, and are too financially burdensome. They are asking that the requirement be postponed until at least 2020, if not waived permanently.
See The Hill article at “Lawmakers look to exempt Medicare labs from e-health records”
So far the FDA has reviewed a total of approximately one hundred mobile health apps since these apps started becoming available – and yet hundreds of new health apps appear on the market every month. As reported in our previous blog entries (see April 2014, and September and October 2013), the FDA is regulating health information technology with as light a touch as possible, in line with the FDASIA Health IT Report draft released in April 2014. This means that for now the FDA regulates only applications that fall under its “medical device software” definition – that is software intended for medical devices, or software that transforms a smartphone into a medical device. All other health-related software is considered lower risk or no risk and is currently not subject to pre-market regulation. Industry observers are, however, concerned that the sheer volume of new health apps coming to market is so great that the FDA may not be in a position to monitor much less regulate the new products adequately. Many apps, currently exempt from pre-market regulation, actually fall into a category between the low risk and higher risk definitions and may not be receiving sufficient oversight, observers worry. Lawmakers have called for Congress to establish a department within the FDA to focus specifically on mobile applications.
See PBS Newshour article at "FDA regulation can't keep pace with new mobile health apps"
A report just published in the Journal of the American Medical Informatics Association asserts that even if EHRs were not still relatively new, they are not exempt from the glitches all software can be prone to. Researchers evaluated data from the Veterans Health Administration which oversees a non-punitive, voluntary reporting program to encourage employees to report EHR-related safety incidents. The researchers focused on a set of almost 350 patient safety incidents that occurred between 2009 and 2013. The research team found that errors occurred because of both technical problems, and problems with how employees interpreted or used the technology. Technical problems most frequently related to how information is displayed, to software modifications and upgrades, and to transfer of data between different parts of the EHR system.
The researchers advise healthcare providers to implement robust programs to track and evaluate technical and human errors that occur in the context of EHR use. They suggest that providers incorporate the concepts set forth in the SAFER Guides issued in January 2014 by the ONC in setting up their monitoring systems.
For more information see
--- Modern Healthcare article at “Complicated, confusing EHRs pose serious patient safety threats”
--- Journal of the American Medical Informatics Association report at “An analysis of electronic health record-related patient safety concerns,” also available in pdf form
--- the SAFER Guides
Healthcare providers spend millions of dollars to comply with HIPAA in order to keep patients’ medical information private, and yet some of this same information is publicly available on the internet in court records of medical debt lawsuits.
Maybe it’s time to consider expanding HIPAA protections to routine debt collection lawsuits where patients’ protected health information is currently available to anyone with an internet connection.
See Modern Healthcare article at “Online records pose privacy risks in medical-debt lawsuits”
Dr. Jacob Reider, deputy national coordinator and chief medical officer for the ONC, told attendees at the Physician-Computer Connection Symposium this week that the ONC is looking to change how it uses clinical quality measures as meaningful-use criteria. While the ONC’s approach in the past has been to evaluate providers against a fixed list of requirements – for instance, a checklist of 816 items used for the meaningful use program – it is seeking a more ‘outside the box’ method for the future. One option being considered is to inquire of providers what quality measurement programs they may already have in place independent of federal requirements and to give them credit for these. Reider said the ONC hopes to improve the measurements it uses to monitor clinical quality nationwide by incorporating ideas developed by individual providers. Reider noted that the agency is ultimately looking to change the focus of the discussion from simply improving EHR quality to improving quality of care.
See Modern Healthcare articles at “ONC looks to new, more flexible approach on EHR quality improvement” and “Feds to weight value in more flexible approach to quality measures”
A group made up of accountable care organizations, telehealth technology vendors, and professional associations has issued a statement to the Department of Health and Human Services decrying the lack of cohesion in the body of regulations governing telemedicine at the present time. According to the group, several telehealth policies currently serve as disincentives to connected health implementation.
See Modern Healthcare article at “Trade groups, ACOs push telemedicine reg changes”
While vendors were able to supply the software needed for healthcare providers to comply with Stage 1 of the EHR incentive program, they are experiencing delays in developing the software needed for Stage 2 meaningful use compliance. In response to feedback from the healthcare community on this subject, the Centers for Medicare and Medicaid Services and the HHS' Office of the National Coordinator for Health Information Technology propose postponing Stage 2 implementation deadlines one year -- to take effect in 2015 instead of in 2014
Via Modern Healthcare:
For the second time this year, the federal government is pushing back a major health information technology initiative, potentially giving early adopters of electronic health records an extra year to meet more stringent meaningful-use requirements.
The CMS and HHS' Office of the National Coordinator for Health Information Technology issued a proposed rule last week that would give hospitals, office-based physicians and other professionals eligible for the EHR incentive program an additional year to use 2011 Edition software for their systems and continue to meet Stage 1 criteria for meaningful use of the technology.
The proposed rule means providers that entered the program in 2011 could have as many as four years using 2011 software at Stage 1 meaningful use.
If compliance with ONC regulations is challenging for healthcare providers in urban areas, with high concentrations of IT professionals, it is especially challenging for rural providers where IT resources in the form of human capital are scarce. The federal government's 2009 healthcare stimulus package, HITECH, provided funding for a national network of regional extension centers (RECs) designed to assist rural healthcare systems. While the program is considered very effective, its funding will dry up in 2014. Rural providers have devised a creative array of strategies to overcome their HIT staffing obstacles.
Via Modern Healthcare:
It took St. Claire Regional Medical Center, in the small town of Morehead in northeastern Kentucky, 2½ months to fill an open position on its computer help desk.
“We just don't see that many people who are even close to being qualified willing to work for the amount of money we're able to pay,” said Randy McCleese, vice president of information services and chief information officer of the 159-bed hospital. “That's part of what we have to deal with in the rural environment.”
Congress' decision this spring to delay the ICD-10 deadline has given healthcare providers some extra breathing space to make the transition, but many are seeking additional help in the form of new "language-to-code" translation software.
Via Modern Healthcare:
Despite the recent congressional delay in implementing the ICD-10 coding system, there is growing interest in a high-tech way of helping physicians convert their standard clinical terminology into the complex new payment codes. It's called “language-to-code” translation.
These translation systems are essentially computerized medical dictionaries stuffed with clinician-friendly descriptions in English or Latin of patient complaints, diagnoses and procedures, which are then linked to lists of clinical and billing codes. These words are presented to clinicians during preparation or updating of a problem list, for example, through software built into their electronic health records. Once a clinician selects a word or phrase, the software links it to code sets such as SNOMED CT—now available for free through the National Library of Medicine—the American Medical Association's Current Procedural Terminology, and ICD-9 and ICD-10.
Health IT blawger Steven J. Fox spoke to healthcare providers on contracting with cloud-based technology vendors at events sponsored by the Pennsylvania and American bar associations recently. Initially covered by AuntMinnie.com, the presentation has garnered further industry media attention, sparking three additional articles so far:
By September 2015 database managers hope to have a network in place that will link databases containing the PHI records of millions of people. The project is being implemented by PCORI, Patient-Centered Outcomes Research Institute, a non-profit organization formed at the behest of Congress as part of the 2010 Affordable Care Act. PCORI’s mission is to organize “comparative effectiveness” research in the healthcare industry regarding different treatment possibilities, drugs and devices. PCORI elected to use its funding to create a network pooling millions of patient records in aid of its mission. Issues still undecided include what pharmaceutical and insurance companies’ access to the data will be. PCORI asserts that the data, which will, in some cases, include links to genetic samples, will be anonymized before release to researchers. Critics worry that patient identities may not remain private (see "De-identified PHI records relatively easy to re-identify Harvard prof demonstrates").
See full Washington Post article at “Scientists embark on unprecedented effort to connect millions of patient medical records”.
All state governments dispose of large numbers of older computers each year, and while they all have procedures in place to scrub sensitive data from the hard drives before releasing them, there have been reports of slip-ups. An audit conducted last summer on computers approved for sale or donation by Washington state found that 9% still contained sensitive information such as Social Security numbers and health data including psychiatric records. Washington releases as many as 10,000 older computers each year. Since the audit, the state has changed how it processes computers destined for disposal including submitting them to an additional scrubbing procedure.
See full Consumerist article at “Washington State Sold Computers Loaded With Sensitive Personal Information,” as well as additional coverage at Spokesman-Review (Spokane, WA) and Govtech.com.
Last week the Food and Drug Administration (FDA), the Office of the National Coordinator for Health IT (ONC), and the Federal Communications Commission (FCC) announced the release of their draft FDASIA Health IT Report which incorporates the September 2013 recommendations of the FDASIA Workgroup (see our earlier blog entry). The 34-page report introduces a proposed strategy for a risk-based regulatory framework for health IT. The public is invited to comment.
See FDA announcement and the draft report itself at “FDASIA Health IT Report: Proposed Strategy and Recommendations for a Risk-Based Framework”.
'Fasten your contracts' or risk a bumpy ride in the 'Cloud' blawger Steven J. Fox warns healthcare providers
"Never accept the vendor's standard form contract as the final word; remember that everything is negotiable," cautions Steven J. Fox. Fox shared the podium with Lee Kim, HIMSS’ Director of Privacy and Security, at the HIMSS conference in Orlando to speak on “Hidden Pitfalls with Cloud, Mobile Technology, and Mobile Data". Fox, who chairs Post & Schell’s Information Technology Practice Group, spoke extensively on steps healthcare providers can take before and during contract negotiations to protect their interests. According to AuntMinnie, the medical imaging industry’s online news magazine, which covered the talk in depth, if you “[w]ant to implement a cloud-based health IT system…[you] need to perform thorough technical and business due diligence to ensure patient privacy and the availability and security of your data….” While this is good advice for any contract negotiations, cloud data storage’s unique set of issues – reviewed in the HIMSS talk -- makes these precautions especially vital.
See full AuntMinnie article at “Cloud IT use requires technical, business due diligence”
In a February incident at a Torrance, California medical billing company, burglars made off with several unencrypted computers. According to an announcement by San Francisco’s Department of Public Health, the loss resulted in the theft of 56,000 San Francisco area patient records, and compromised an additional 168,500 Los Angeles area patient records, The medical billing company, Sutherland Healthcare Solutions, is offering the affected San Francisco area patients free credit monitoring and recovery services. Sutherland has also committed to henceforth encrypt its computers, anchor them to office furniture, and require that all data be saved to shared drives rather than to individual computers.
See full LA Times article at “San Francisco patient records stolen in Torrance burglary”
PHI breaches that make the headlines often result from computer thefts or hacking. Another, less well-publicized vulnerability for PHI records, however, is in the realm of electronic mail which is arguably not a particularly secure form of communication. Over 100 billion emails were exchanged daily within the business community in 2013 and the number routinely exchanged within the healthcare industry is also enormous. Institutions and entities that work with PHI’s can consider some of the following issues and questions regarding email and PHI’s either on a case-by-case basis, or in developing broader policies:
- Email is not what it used to be: with continuing changes in technology, communication methods that have up until now been considered separate from email, may now also be considered email, including, for instance, telephone messages and faxes which are now routinely delivered by email.
- Is email the only or best way to transmit the PHI or is there another, more secure method?
- Is disclosing the PHI really required in this instance, or is it possible to simply allude to the information within the PHI more generally?
- The contracts governing interactions with business associates and other entities may themselves limit what and how communication occurs.
- Is encryption appropriate, and if so what is the best method?
See full AHLA Connections article at “Tips and Tactics for Transmitting PHI by Email”
While 89% of qualified hospitals and 65% of qualified individual medical professionals have received incentive payments, a significant number of these have dropped out of the incentive program in its later stages according to a recent GAO study. The report speculates on possible reasons for this phenomenon. One possibility is the fact that participants were not required to demonstrate meaningful use at earlier stages in the program, and then dropped out once that became necessary. Other reasons program dropouts gave ranged from that they had changed software companies and were not yet ready to provide CMS with the new EHR information to others which were unaware they were expected to continue participating in the program.
Via Modern Healthcare:
By one oft-reported measure, the federal government's electronic health record incentive payment programs have been an unmitigated success.
That measure is the increase in the number of hospitals and physicians (and other professionals) that have received payments from the programs under Medicare, Medicaid and Medicare Advantage for installing and "meaningfully using" EHRs. The payments are designed to incentivize providers to buy and use, in a meaningful manner, EHR systems.
Although the majority of healthcare care settings are now digitalized, lack of interoperability among the wide range of software applications now in place continues to be a problem. Several groups addressing this issue presented their innovations at this year’s HIMSS national conference in Orlando. Among the groups were the CommonWell Health Alliance, made up of EHR vendors committed to increased interoperability, and the newly-formed Carequality which includes UnitedHealth Group, Walgreen and Epic.
Via Modern Healthcare:
Several interoperability collaborations presented at the HIMSS conference demonstrated that information technology vendors and healthcare providers are focusing on connecting competing electronic health records and health information exchanges as well as medical devices and health IT systems.
ONC past and current leaders met this week to share thoughts on government’s role in the development of health IT in commemoration of ONC’s ten year anniversary. The agency, formed by then-President George Bush in 2004, was tasked with providing every American with an electronic medical record.
According to the ONC’s current leader, Dr. Karen DeSalvo, government is responsible for ensuring that the benefits of health IT are available to all. Former ONC chief Dr. Farzad Mostashari believes government should use the market to reach national health IT goals. However, noting the market’s natural drift away from competition, he stresses that the government – i.e., the FTC – is essential to keep the market functioning properly by blocking this tendency. Former ONC leader Dr. Robert Kolodner holds that the government’s $19.2 billion EHR incentive program has distorted the market and welcomes the end of the incentive program as a time in which, he says, consumers will resume control of the market.
When Dr. David Brailer began his tenure as the ONC’s first leader, he expected the agency would accomplish its goals and be phased out after ten years. Now he, along with the others, cannot imagine the future of healthcare IT’s ongoing evolution without the ONC continuing to play a central role.
Via Modern Healthcare:
Three former heads of the Office of the National Coordinator for Health Information Technology plus its current leader appeared on one panel at the Healthcare Information and Management Systems Society convention Wednesday, sharing their thoughts on health IT's history and future and the role government should play in it.
Alongside media reports in January of U.S.-U.K. plans to collaborate on healthcare data policy, National Health Service England announced its plans to combine the records of all its patients into a single database to be available by April. This week, the NHS halted the proposed program due to widespread concerns. Promoters of the program claim that the database will allow for medical advances, and that sales of the data to private companies will be necessary as the NHS is privatized. Opponents list a variety of potential problems with the database the contents of which will be available for sale to pharmaceutical and insurance companies. Uncertainty regarding who will have access to the data is a big concern. According to Phil Booth, director of a patient privacy group, “One of people's commonest concerns about their medical records is that they'll be used for commercial purposes, or mean they are discriminated against by insurers or in the workplace.” Still another worry is the fact that the £50 million plan will be illegal and will have to be terminated within a year or so if proposed EU laws are passed in the coming year. A recent poll found only 17% of the public supports the database plan, with 65% opposing it. The plan’s supporters are launching a publicity campaign to address the public’s concerns.
See full Telegraph (London) article at “NHS medical records database halted amid concerns”
Unity Health Plans Insurance Corporation, affiliated with the University of Wisconsin, discovered in December 2013 that an unencrypted external hard drive of medical records had disappeared. The records contained patient names, dates of birth, dates of service, and names of prescription drugs. Unity has notified the almost forty-two thousand individuals affected. The Department of Health and Human Services Office of Civil Rights has been notified of over 80,000 breaches since reporting began in 2003.
See Healthcare IT News article at “42K get HIPAA breach letters”
If managing often voluminous patient health records is a challenge for healthcare providers, it can be even more overwhelming for the patients themselves, especially if they develop multiple health conditions. In the aftermath of a family medical emergency, four brothers of the Dib family in Brooklyn have created a new medical records service. The brothers Dib claim that through their newly-launched website patients and their loved ones can easily access their medical records and – for a fee – do so without having to go through their doctors’ offices. As every EMT knows, speedy access to health records in an emergency can mean the difference for a patient between tragedy and staying alive.
See full Brooklyn Daily Eagle (NY) article at “Brooklyn brothers team up to build medical-records site”
The Centers for Medicare & Medicaid Services and the Office of the National Coordinator for Health Information Technology have selected products developed by McKesson Corp. and Meditech to test interoperability of EHRs. McKesson and Meditech have collaborated with ONC and National Institute for Standards and Technology in the past on earlier phases of this project. CMS and ONC invite other software vendors to participate in these trials.
Via Modern Healthcare:
The CMS and the Office of the National Coordinator for Health Information Technology designated the first two electronic health-record systems to test whether EHRs are interoperable as required under the Stage 2 criteria of the government's incentive program for the meaningful use of health IT.
Healthcare providers face many challenges in trying to keep up with ever more rigorous requirements for EHR software compliance. EHR software vendors seem to be struggling, too, in many cases causing their clients to fail the federal EHR certification requirements, thereby losing eligibility for incentive payments. Montana’s Mountainview Medical Center, which failed the October 1, 2013 certification deadline, is one of the first healthcare providers to take this issue to court.
Via Modern Healthcare:
A small Montana hospital may be among the first of many providers to go to court to resolve their frustrations with electronic health record systems developers that are either lagging or failing to update their software to the new, more stringent testing and certification requirements of the federal EHR incentive payment program.
Mountainview Medical Center in White Sulphur Springs is suing NextGen Healthcare Information Systems in federal court for failing to provide a certified EHR system in a timely manner.
WEDI, Workgroup for Electronic Data Interchange Foundation, recently announced release of its 2013 report, generated in partnership with healthcare industry leaders. The report identifies the following four critical focus areas:
•Patient Engagement: consumer (patient) engagement through improved access to pertinent healthcare information.
•Payment Models: Business, information, and data exchange requirements that will help enable payment models as they emerge.
•Data Harmonization and Exchange: Alignment of administrative and clinical information capture, linkage, and exchange.
•Innovative Encounter Models: Business and use cases for innovative encounter models that use existing and emergent technologies
The report also presents a set of recommendations for the development of healthcare information exchange over the next ten years.
As there has been no financial benefit up until now to EHR system and medical device companies for making their software interoperable, they have, by and large, not done so. On the other hand, full interoperability could benefit the U.S. health care system to the tune of as much as $30 billion a year in savings according to recent estimates.
So why are health care providers not using their tremendous purchasing power to insist on interoperability? Apparently the conventional process by which hospitals acquire new software and equipment – usually via big contracts only once every ten years or so -- significantly undermines their ability to influence manufacturer behavior – and specifically product design decisions -- on an ongoing basis.
Despite these and other barriers to interoperability, pressure to require that EHR systems and medical devices are interoperable is building in various quarters -- from health care providers’ groups, to the FDA via new voluntary standards, to a group of medical device makers who made a public commitment to interoperability this past year.
Via Modern Healthcare:
The typical hospital bed in an intensive-care unit is surrounded by as many as a dozen medical devices that monitor the patient, track blood pressure and heart rate, dispense medications and perform other vital functions.
Health care providers have a long history of protecting sensitive patient information but the fact that more and more health care equipment is now connected to the internet opens up this data to a new range of exposure risks. All hospitals currently do have formal strategies to protect medical device security in order to comply with federal regulations, but according to an ECRI Institute survey, less than half have comprehensive facility-wide cybersecurity management policies in place.
Via Modern Healthcare:
When Dick Cheney learned hackers might be able to alter his pacemaker's settings, he asked his physicians to sever the device's wireless Internet connection.
His physician used that connection to monitor the device's functionality. Cheney feared some terrorist would reprogram the device to kill the former vice president.
A website of the North Carolina Department of Health and Human Services (DHHS) that is intended to provide transparency regarding how government moneys are spent got a little too transparent recently when it displayed sensitive information belonging to more than 1,300 health care patients. DHHS inadvertently published PHI (protected health information), including patients’ names, addresses and payment amounts on NC Openbook, a state website designed to provide transparency for payments made to government vendors and contractors. Some of the information was especially sensitive, since it involved patients receiving mental health treatments. DHHS has issued an apology and sent notification letters to all of those affected. In addition, the agency notified the Office for Civil Rights of the U.S. Department of Health and Human Services (HHS), as required by the HIPAA Breach Notification rules. As a result, this breach will appear on HHS’s “Wall of Shame” (http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html) where the HITECH Act requires all breaches affecting more than 500 individuals to be posted.
Unlike so many breaches caused by the accidental loss of a thumb drive or laptop, this breach demonstrates the need for ongoing training of employees who deal with PHI. Training is not just for new employees of an organization. It has to be an integral, ongoing part of every organization’s policies and procedures to avoid the kind of breach described here.
To see the WSOC TV story on this, click on: http://www.wsoctv.com/news/news/local/state-apologizes-patients-records-posted-internet/nbm86/.
"Healthcare Dive" interviews "Health IT Law" blog founder Steven J. Fox regarding pitfalls to avoid in electronic medical record (EMR) contracts
"No matter how well you investigate an EMR, it's possible that the product won't be as usable as it seemed when you first tested it. But that's not the only EMR risk your hospital or medical practice needs to address. Steven Fox, Principal with Post & Schell, told us about several other EMR contract gotchas that can potentially lead to serious problems for your business."
See full Healthcare Dive article, excerpted above, at “Signing an EMR contract? Avoid these 5 gotchas”
Following up on our September 2013 blog entry, “How much pre-market regulation should the FDA impose on health IT?,” we note that Congress last week introduced a bill empowering the Food and Drug Administration to regulate mobile health applications. Entitling their bill the SOFTWARE Act – Sensible Oversight for Technology which Advances Regulatory Efficiency -- the bill’s bipartisan sponsors concur with the prevailing view that such regulation should be kept to a minimum, supporting innovation while protecting consumer safety,
As the September blog entry emphasized, the crux of the issue is defining which mobile health apps are considered to be employed in “’higher risk’ use cases” – and should therefore be regulated – and which apps are considered to be employed in lower risk or no risk situations, and can therefore be subject to less or no regulation.Continue Reading...
In a judicial decision sure to garner attention, a California state appellate court decided last week that UCLA Health is not liable for patient data breaches due to a 2011 theft. It is important to note, however, that regardless of this decision, in the event of any breach affecting the records of 500 or more patients, health care organizations will still be held to all HIPAA regulations, including reporting requirements and possible fines levied by the U.S. Department of Health and Human Services.
See Payers and Providers article at "Privacy Ruling Benefits CA Hospitals: They May Not be Liable For All Stolen Data, Court Rules"
Bankruptcy law is designed to give a struggling company the respite it needs to reorganize itself and hopefully get a fresh start, even if this means severing existing business relationships. But what happens when the bankrupt company is a licensor of intellectual property and the business relationships it is severing are with its licensees? The law is in a constant race to keep up with technological advances, and nowhere is this more evident than in the arena where bankruptcy and intellectual property law overlap.
See Landslide (publication of the American Bar Association’s IP Law Section) article at "Intellectual Property Licenses in Bankruptcy: Can Lubrizol, § 365(n), and Sunbeam Be Reconciled?"
Dr. Farzad Mostashari, former chief of the Office of the National Coordinator for Health Information Technology, shared thoughts and concerns in his first address since stepping down, at a conference of the College of Healthcare Information Management Executives. Dr. Mostashari, who will be on staff at the Washington-based Brookings Institution, addressed the topic of HIT usability as well as communication across the healthcare industry in his comments.
Via Modern Healthcare:
Dr. Farzad Mostashari didn't quite bare his soul to a bunch of hospital CIOs, but the man who was indefatigably buoyant as the nation's federal health information technology czar did pull back the curtain a bit and offered an assessment of his own concerns as well as some "insider clues" in his first speech since leaving federal service.
Mostashari stepped down as head of the Office of the National Coordinator for Health Information Technology on Oct. 5.
During this year’s National Health IT Week in Washington, DC, CHIME presented its State Public Policy Award for CIO Leadership to Geoff Brown, senior VP and CIO of Virginia-based Inova Health System. Brown, who is currently chair of the Virginia Health Reform Initiative Advisory Council’s technology committee, has a long record of service dedicated to the advancement of healthcare technology in the state of Virginia.
See healthsystemcio.com article at "Brown Recognized For State Policy Work”
RICO, the federal Racketeer Influenced Corrupt Organization statute passed in 1970 is known primarily from headlines regarding cases against organized crime figures. The law is now being used on a new target -- patent trolls.
See Washington Post article at "Here’s how a law designed to fight the Mafia could stop abusive patent lawsuits"
How much pre-market regulation should the FDA impose on health IT? Work group issues recommendations
The Food and Drug Administration Safety Innovation Act (FDASIA) work group, made up of experts from various branches of the healthcare industry, recommends that the FDA proceed with as light a touch as possible in reviewing new health information technology products. The work group’s new report suggests that reducing regulatory burdens on the software industry – with exceptions for technologies pertaining to higher risk medical procedures – frees developers to generate the technological innovations the healthcare industry needs at a faster pace.
Via Modern Healthcare:
Health information technology should not, as a general rule, be subject to pre-market regulation by the Food and Drug Administration as many medical devices are today, according to a work group giving advice to three federal regulatory agencies.
The experts, however, carved out some exceptions to that broad recommendation, part of an ongoing look by the federal government into the patient safety implications of the expanding use of health information technology.
Advocate Health Care already facing first lawsuit for July 15 breach involving 4 million EHR patient records
Chicago area Advocate Health Care suffered the country’s biggest health care record breach to date on July 15 – when four unencrypted laptops containing over four million patient records were stolen. Seven weeks later the legal repercussions to July’s event are already beginning to unfold with last week’s filing of a class-action complaint in Cook County Circuit Court.
Once again, we are reminded both of the repercussions of such a loss and, more importantly, how easy it is to prevent this. I’m not suggesting that the theft could have been prevented, but if the laptops had been encrypted, then this would have been a non-event (at least as far as the breach notification issue). No one outside of Advocate would even know about the theft, because Advocate wouldn’t have had to report the loss and it would not have made the news at all. So the take-away: encrypt all of your mobile devices, including laptops, thumb drives, smart phones, etc.
Via Modern Healthcare:
The recent massive data breach at Advocate Health Care has already had legal consequences.
Downers Grove, Ill.-based Advocate and a subsidiary, Advocate Medical Group, are facing a state class-action lawsuit filed on behalf of two named plaintiffs and 4 million individuals whose personally identifiable health records were taken along with four desktop computers in a burglary in July. The computers were password protected but not encrypted, according to Advocate.
Up until now, initiatives under the Patient Protection and Affordable Care Act – also known as the ACA or Obamacare -- have focused on facilitating healthcare’s shift from paper to electronic recordkeeping. Stage 2 of the three-stage “Meaningful Use” program, which is intended to encourage patient engagement with the new electronic records systems, rolls out this fall. To inspire healthcare providers’ creativity in devising means of enticing patients to participate, extra Medicare and Medicaid payments are available to organizations that meet specific criteria of success in their efforts.
See U.S. News & World Report article at "Helping Patients Stay Engaged in their Own Care: Will electronic record keeping make patients more willing to take part in keeping themselves healthy?"
The EHR system of Sacramento, California-based Sutter Health, which provides healthcare in over 100 towns and cities in the region, crashed on August 26, leaving physicians and other healthcare workers without access to patient records at numerous locations.
See Healthcare IT News article at “Setback for Sutter after $1B EHR crashes”
The state of Maryland’s Consumer Protection Division and CVS came to an agreement this week comprised of a $250,000 penalty as well as a corrective action plan that will include employee training and monthly audits of CVS stores in Maryland. The state’s allegations included charges that CVS has been improperly disposing of protected health information.
View Maryland Office of the Attorney General announcement here.
See Baltimore Business Journal article at "CVS to pay Maryland $250,000 to settle expired products allegations”
Following up on my recent post on the matter, I had the opportunity to speak with Colin O'Keefe of LXBN regarding Affinity Health Plan's photocopier PHI leak. In the interview, I explain how the leak happened and what companies can do to make sure it doesn't happen to them.
Minnesota draws on Scandinavian heritage in battle with modern-day trolls; states begin to address patent troll issue
In May 2013 the state of Vermont filed a complaint against alleged “patent troll” MPHJ Technology accusing it of violating the state’s Consumer Protection Act. This week the Minnesota attorney general’s office announced a settlement with the company which it started investigating in 2012. Terms of the Minnesota settlement include a fine as well as requiring MPHJ Technology to obtain permission from the attorney general before operating in the state in future.
While the Minnesota settlement does not directly relate to the HIT arena, the healthcare industry is watching this new development with interest, as the issue is one of growing concern among clients and other healthcare organizations. Many healthcare clients have already reported aggressive tactics by patent trolls, as well as by companies that preface their “inquiries” with the announcement that they are not patent trolls.
We will continue to monitor this area for further developments.
See Washington Post article at " Minnesota settlement orders Delaware company to stop ‘patent trolling ‘"
In 2010 CBS Evening News purchased a photocopier previously used by New York City area Affinity Health Plan and discovered patient-identifiable medical records on the device’s hard drive – which had never been erased. The photocopier was one of approximately seven Affinity sold or returned to leasing agents around the same time. Affinity estimates the breach involved over 300,000 records and will be paying in excess of $1.2 million in a settlement agreement with the Department of Health and Human Services.
Via Modern Healthcare:
Healthcare organizations need to consider all kinds of digital devices, including photocopy machines, in examining their data security.
That's the takeaway from HHS' Office for Civil Rights announcement that Affinity, a managed-care plan serving the New York metropolitan area, will pay more than $1.2 million in a settlement agreement for a breach of personally identifiable health records under the privacy and security protections of the Health Insurance Portability and Accountability Act of 1996.
Much of the focus of the healthcare industry’s advance into the electronic era so far has been on converting patient information to electronic health records. Now that progress is being made on that front, some of the emphasis is now shifting to HIE – health information exchange. This week the Department of Health and Human Services released “Strategy and Principles to Accelerate HIE [PDF - 714 KB]” intended to support delivery and payment reform, among other goals.
HHS Office for Civil Rights settlements have up until now required healthcare providers to pay a settlement amount and to implement a corrective action plan. OCR’s recent settlement with WellPoint breaks from this pattern.
See AIS Health article at "WellPoint Settles with OCR for $1.7 Million; No Corrective Action Plan Is Required"
Harvard University professor Latanya Sweeney caused a stir in 1997 when she found the medical records of former Massachusetts Governor Weld in a redacted data set. Her recent activities are really causing state governments to sit up and take notice. She successfully re-identified the de-identified medical records of Washington state hospital patients -- by combining the limited information available within the hospital data sets with publicly available information.
See Bloomberg News article at "Patients ID’d From Hospital Records Trigger State Reviews".
The lucrative stolen identity market is taking a new turn into health insurance data. Those seeking a new identity can now obtain a full set of credentials including all the information and documentation needed to use someone else’s health insurance.
See Dark Reading article at “Hackers Hawk Stolen Health Insurance Information In Detailed Dossiers.”
In an address at the National Press Club this week Farzad Mostashari, National Coordinator for Health Information Technology, reviewed the healthcare industry’s progress in digitizing health records. As mentioned in previous posts on this blog, physician adoption of EHRs continues to advance. Mostashari quoted a recent study by the CDC’s National Center for Health Statistics which noted that adoption of at least some form of EHR system rose from 25% in 2010 to 72% in 2012. The study further found, not surprisingly, that physician practices of 11 or less, as well as physicians aged 65 and over, have been digitizing their records at a slower pace. HIT chief Mostashari predicts another big rush in EHR adoptions just prior to the October 2014 deadline for participation in the incentives program.
While Mostashari finds progress in EHR adoption heartening, he says there is still a long way to go as communication among EHR systems continues to pose a challenge.
For more see:
“More Doctors Adopt Electronic Health Records,” Kaiser Health News
In October 2014 all health care providers covered by HIPAA will be required to make the switch from ICD-9 (International Classification of Diseases-9) to ICD-10. The ICD-9 is now 30 years old and the United States is the only industrialized country that has not yet upgraded to ICD-10. Via a recent survey by the Medical Group Management Association, however, physicians expressed concerns regarding the costs of conversion, and whether the technology will be in place in time to meet the deadline.
Via Modern Healthcare:
With 16 months left before the CMS expects the healthcare industry to flip the switch to ICD-10, physicians are still expressing significant worries with the readiness of the technology that has to be upgraded to pull it off. They're also signaling resignation that the long-delayed conversion will really happen this time.
In a survey of more than 1,000 office-based physician practices by the trade group MGMA, more than half of the respondents indicated they were “very concerned” about the overall cost of the conversion to the new diagnosis and procedure codes, scheduled for Oct. 1, 2014.
The U.S. Senate Committee on Finance heard testimony this week from industry representatives on EHR conversion’s impact on healthcare quality. One concern voiced more than once was that metrics for measuring progress are not standardized across the industry, making it difficult to judge what success has been achieved. Speakers expressed the opinion that while EHR conversion is not the only method of improving healthcare, it has tremendous potential to do so.
See Healthcare IT Newsweek article at “Senate hearing: EHRs still falling short.”
Computer viruses in medical devices: who should bear the costs for combatting? FDA issues warning, takes action
Computer virus infections of medical devices continue to be a serious issue, keeping healthcare provider IT departments busy removing malware. (See our October 2012 blog post "Computer viruses on hospital medical devices: a growing concern; possible solutions"). The FDA has issued a warning regarding this threat, and is now asking, although not yet requiring, both healthcare providers and medical device manufacturers to take additional steps to heighten cybersecurity.
Via Modern Healthcare:
The Food and Drug Administration issued a notice on Thursday asking medical device manufacturers and healthcare facilities to introduce controls that would guard against cyberattacks on medical equipment and hospital networks.
Negotiating favorable contracts with IT vendors requires skill and determination on the part of healthcare providers, on a playing field that currently favors vendors. Blawger Steven J. Fox and three healthcare IT leaders share their insights in this in-depth article.
See Healthcare Informatics article at "Time for New Rigor on Vendor Contracts".
This week health care organizations were startled and not a little concerned to learn of the ONC's unprecedented action with regards to a California health software company. The agency is decertifying electronic health records systems which initially met ONC requirements for certification.
Via Modern Healthcare:
For the first time, the Office of the National Coordinator for Health Information Technology at HHS has revoked certifications for two electronic health-record systems, raising troubling questions about how physicians and hospitals should react if the government nixes a system they're already using.
Federal officials require that doctors and hospitals use certified EHR systems in order to receive federal money to defray the cost of converting to EHRs. But on Thursday, the ONC said it decided to revoke certifications for two products on the market after anonymous complaints were lodged about the systems.
The healthcare industry continues to face a greater deficit than ever in terms of qualified professionals to fill its ever-expanding information technology staffing needs.
Via Modern Healthcare:
Many U.S. healthcare companies – about 67% -- report that they’re struggling to attract experienced information technology workers, according to a survey.
That’s compared with 10% that said they have problems attracting all workers, according to the "Towers Watson 2013 Healthcare IT Survey" (PDF). Meanwhile, 38% of healthcare companies reported problems with retaining experienced IT workers, compared with 8% reporting problems retaining all types of workers.
Looking for a central source of information on all the federal government’s initiatives to digitize the health industry? Try the Centers for Medicare & Medicaid Services’ new eHealth (http://www.cms.gov/eHealth/) website.
Via Modern Healthcare:
The CMS launched the eHealth initiative this week as a central repository for information on the federal government's digital record-keeping and electronic prescribing initiatives.
The page provides a central location to search the CMS site for details of the major digital health initiatives, including the $22 billion electronic health-record incentive program, the hospital inpatient quality reporting system and the e-prescription incentive program.
The health IT industry's pitch to Congress, and to the public, was that health care would be transformed through digitization, and that the shift to electronic records would result in huge health care savings. Four years after the passage of ARRA and the HITECH Act, which included $19 billion in EHR incentives, it remains to be seen whether the federal government and the American public will see such benefits as reduced costs and improved levels of health care. Meanwhile, the software industry appears to be the big winner.
For more, see the New York Times article by clicking here: "A Digital Shift on Health Data Swells Profits in an Industry".
Our blog is proud to be featured in the Top 100 Health Care Organizations to Watch in 2013. The designation was published by MHAPrograms.org, a website that highlights the most prominent organizations and information resources across health care and health care administration. In addition to highlighting the blog’s authors, MHAPrograms.org specifically noted the diverse topics covered by the Health IT Law blog, including features on ARRA, HIPAA, HITECH Act and the related regulations, as well as privacy and security issues more broadly.
The complete article and list can be found here.
Farzad Mostashari, National Coordinator for Health Information Technology, believes most HIT vendors operate in good faith. At a recent meeting, however, Mostashari stated that he will be testing organized peer pressure as a means of bringing more ethically problematic vendors into line, in order to avoid having to develop onerous additional regulations. He warned that he will impose more regulations if necessary.
See Healthcare IT News article at "Mostashari calls on vendors to play fair".
The Annals of Family Medicine reports that although use of electronic health records has not increased significantly in all regions, it has risen dramatically nationwide in the last few years.
Via Modern Healthcare:
The number of family physicians who have adopted electronic health records has more than doubled since 2005, though wide geographic variations exist, according to a report in the Annals of Family Medicine.
Using census survey data from the American Board of Family Medicine maintenance of certification exam and the National Ambulatory Medical Care Survey, researchers predicted that the adoption rate could pass 80% by the end of the year.
HHS has announced a long-awaited omnibus final rule that implements a number of provisions of the HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, commonly known as the "Stimulus Bill," to strengthen the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Via HHS Press Release:
The final rule also reduces burden by streamlining individuals’ ability to authorize the use of their health information for research purposes. The rule makes it easier for parents and others to give permission to share proof of a child’s immunization with a school and gives covered entities and business associates up to one year after the 180-day compliance date to modify contracts to comply with the rule.
The final omnibus rule is based on statutory changes under the HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, and the Genetic Information Nondiscrimination Act of 2008 (GINA) which clarifies that genetic information is protected under the HIPAA Privacy Rule and prohibits most health plans from using or disclosing genetic information for underwriting purposes.
The Centers for Medicare & Medicaid Services will postpone the start of HIPAA Transaction Rules compliance enforcement for 90 days, according to a recent announcement.
Today, the Centers for Medicare & Medicaid Services’ Office of E-Health Standards and Services (OESS) announced that to reduce the potential of significant disruption to the health care industry, it will not initiate enforcement action until March 31, 2013, with respect to HIPAA covered entities (including health plans, health care providers, and clearinghouses, as applicable) that are not in compliance with the operating rules adopted for the following transactions as required by the Affordable Care Act: eligibility for a health plan and health care claim status. Notwithstanding OESS’ discretionary application of its enforcement authority, the compliance date for using the operating rules remains January 1, 2013.
In a sign that HHS is serious about small data breaches, the Office of Civil Rights (OCR) and The Hospice of North Idaho reached a settlement agreement to resolve allegations of a 2010 breach involving 441 patient records. OCR Director Leon Rodriguez reminded the industry that every covered entity, regardless of size, must implement the privacy and security safeguards - including, e.g., encryption of protected health information on mobile devices - required under HIPAA, as amended pursuant to the HITECH Act.
This settlement comes at the same time as the OCR rolls out its new educational initiative aimed at securing protected data on mobile devices. You can learn more about this initiative here.
Via HHS Press Release:
The Hospice of North Idaho (HONI) has agreed to pay the U.S. Department of Health and Human Services’ (HHS) $50,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. This is the first settlement involving a breach of unprotected electronic protected health information (ePHI) affecting fewer than 500 individuals.
The HHS Office for Civil Rights (OCR) began its investigation after HONI reported to HHS that an unencrypted laptop computer containing the electronic protected health information (ePHI) of 441 patients had been stolen in June 2010. Laptops containing ePHI are regularly used by the organization as part of their field work. Over the course of the investigation, OCR discovered that HONI had not conducted a risk analysis to safeguard ePHI. Further, HONI did not have in place policies or procedures to address mobile device security as required by the HIPAA Security Rule. Since the June 2010 theft, HONI has taken extensive additional steps to improve their HIPAA Privacy and Security compliance program.
HHS Inspector General: Medicare EHR incentive program lacks adequate safeguards against error and fraud
The HHS Inspector General this week reported the results of its recent investigation to “verify the accuracy of professionals' and hospitals' self-reported meaningful-use information, as well as eligibility and payment amounts.” The investigation reviewed payments issued from May through December 2011, a period during which approximately $1.7 billion was distributed to almost 28,000 recipients. The Inspector General’s office concluded that Medicare needs to improve its review process.
Link to report here.
Via Modern Healthcare:
The CMS and the Office of the National Coordinator for Health Information Technology at HHS need to tighten up their oversight of the Medicare EHR incentive payment program, according to HHS' inspector general's office.
The watchdog office, headed by Inspector General Daniel Levinson, offered a couple of recommendations for the agencies in its report, "Early Assessment Finds That CMS Faces Obstacles in Overseeing the Medicare EHR Incentive Program" (PDF). The report is based on audits of EHR incentive payment attestations, reviews of internal CMS and ONC documents about the program and interviews with CMS personnel. The inspector general's office did not focus this time on the Medicaid portions of the program, although a previous report, issued in July 2011, did, focusing on 13 state-run Medicaid EHR incentive programs. The inspector general's office also is conducting "a series of audits of Medicare and Medicaid EHR incentive payments" to "verify the accuracy of professionals' and hospitals' self-reported meaningful-use information, as well as eligibility and payment amounts. No time frame for those audits was included in the report.
Hackers recently infiltrated South Carolina's state tax records, absconding with the largest haul to date of Social Security numbers, credit and debit card numbers from a state agency. State officials describe how the theft was worked, and list enhanced security measures that could have prevented the attack.
See New York Times article at "South Carolina Offers Details of Data Theft and Warns It Could Happen Elsewhere".
Hurricane Sandy this week tested East Coast health care systems’ electronic infrastructure. Emergency preparedness plans were implemented fairly successfully for most health care facilities, allowing them to continue to operate adequately. Others, however, were negatively impacted, including some which lost access to their EHRs.
It is absolutely critical that health care providers, even in areas which are not prone to massive weather-related disruptions, consider and implement back up plans for their IT systems. The crisis at NYU Langone center in Manhattan demonstrated just how dependent we are on electronic systems and power supply. It is imperative that the IT staff at each healthcare provider organization knows that its important software systems including EHRs are backed up, and that the organization's data - including patient data - is readily available, and is never lost due to a storm or an earthquake.
Via Modern Healthcare:
Power outages across New Jersey, New York and Pennsylvania forced some hospitals to evacuate and others to rely on backup generators in the wake of superstorm Sandy.
The powerful and massive storm, which reached the coast in southern New Jersey around 8 p.m. on Monday, is responsible for at least 35 deaths, the Associated Press reported.
One Manhattan hospital was forced to evacuate 300 patients hours after Sandy's landfall when backup power failed. Evacuation of the New York University Langone Medical Center was complete by late Tuesday morning, a statement from the hospital said.
Medical device security experts report increasing issues with computer viruses on hospital medical devices. Problem sources include inconsistent and/or incompatible security measures, as well as outdated operating systems. The Government Accounting Office has sounded the alarm, requesting the FDA to address the matter.
See Forbes article at "Hospital Medical Devices 'Rampant' With Computer Viruses".
The HHS Office of the National Coordinator for Health Information Technology is passing management of the Nationwide Health Information Network to a coalition of public and private health care organizations.
Via Modern Healthcare:
Following last month's announcement that "now is not the time" for formal regulation of a proposed network of health information exchanges, HHS' Office of the National Coordinator for Health Information Technology said it is transitioning control of that network—known as the Nationwide Health Information Network—to a public-private partnership known as the eHealth Exchange.
Health education information incomprehensible to many; HHS program to rate EHR-linked education materials for "understandability"
Health education materials provided to health care consumers until now have commonly assumed a fairly high level of “health literacy” – a level which, research has shown, makes the materials inaccessible to about 77 million people. HHS’ new program addressing this issue begins with the development of a system to rate health information as efforts are made to improve the quality of these materials.
Via Modern Healthcare:
HHS' Agency for Healthcare Research and Quality is developing a rating system for the growing amount of health information directed at patients.
The agency's Health Information Rating System, discussed in a Federal Register posting, will focus especially on patient data provided by electronic health records.
Sharing EHR notes between providers and patients improves care, patient loyalty among other benefits
According to Annals of Internal Medicine, a new study found no disadvantages to health care providers sharing EHR notes with patients.
Via Kaiser Health News:
Doctors are required by federal law to provide patients with a copy of their medical notes upon request, but few patients ask and doctors generally don’t make the process easy.
When patients were offered online access, however, 90 percent read their doctors’ notes with some impressive results.
Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates (MEEI) will be paying HHS $1.5 million in installments over three years for a 2010 incident. It is worth noting that OCR also reached a $1.5 million settlement with Blue Cross Blue Shield of Tennessee (BCBST) earlier this year for a breach involving over a million patient records on stolen hard drives. The MEEI data breach, on the other hand, involved only 3,621 patient records.
Regardless of OCR's exact motives for such a high fine for such a significantly smaller scale breach, it is clear that OCR takes compliance with the HIPAA Privacy and Security Rules very seriously, especially in cases where patient data is stored on portable devices. It is also important to keep in mind that, as we pointed out after the BCBST breach, the $1.5 million settlement amount may well be exceeded by the costs and expenses associated with notification and credit monitoring expenses, as well as investigating and correcting this breach by MEEI.
Via Modern Healthcare:
HHS' Office for Civil Rights announced that Massachusetts Eye and Ear Infirmary and its affiliated physician group, Massachusetts Eye and Ear Associates, agreed to pay $1.5 million to settle a HIPAA security-rule violation case.
The $1.5 million settlement with Boston-based Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, collectively known as MEEI, is part of a resolution agreement (PDF) with the Office for Civil Rights. MEEI's alleged violations of the Health Insurance Portability and Accountability Act's security rule stem from the reported 2010 theft of a laptop computer storing 3,621 patient records, according to HHS.
State and federal privacy laws rigorously restrict sharing of mental health and other highly sensitive patient records. A technique called “data tagging” may be key in facilitating health care providers’ compliance with these requirements.
Via Modern Healthcare:
Using off-the-shelf content standards and messaging protocols, the Veterans Affairs Department and the Substance Abuse and Mental Health Services Administration of HHS have successfully demonstrated how to electronically tag mental health and other highly sensitive clinical records to help providers comply with stringent state and federal privacy laws limiting the sharing of those records without patient consent.
Development of the electronic patient-consent management system came in response to the VA's and SAMHSA's own needs to protect the privacy of patients under two federal medical record privacy laws that are more robust than the privacy rule under the Health Insurance Portability and Accountability Act.
National Coordinator for Health IT Farzad Mostashari has announced there is no cap on how much individual providers may receive in meaningful use incentive payouts, as long as they meet the requirements for the EHR incentive payments program. According to the ONC, almost seven billion of the approximately twenty billion dollars in incentives allocated under the HITECH Act has already been distributed.
Via Healthcare IT News:
WASHINGTON – There are no set appropriations for how much the federal government can spend on rewarding providers who adopt and use electronic health records under the Medicare and Medicaid meaningful use EHR incentive program, according to National Coordinator for Health IT Farzad Mostashari, MD.
"Whoever qualifies, gets paid; there's no hard cap," said Mostashari, who gave a keynote at the Annual Policy Summit for the Health Information Management and Systems Society (HIMSS) on Wednesday.
According to Forbes, a recent Carnegie Mellon study has found that corporate boards “are not actively addressing cyber risk management.” The researchers collected data from corporations worldwide and across all industrial sectors, and found that while boards actively attend to risk management as part of their oversight, “there is still a gap in understanding the linkage between cybersecurity risks and enterprise risk management”.
The study's report, well worth reviewing for its instructive if sometimes disturbing findings, concludes that by implementing the following twelve recommendations, boards and senior management can "significantly improve their organizations’ security posture and reduce risk":Continue Reading...
In preparation for the launching of ONC's permanent EHR system testing and certification program, part of the EHR incentive payment initiative, ONC has authorized five groups as permanent EHR certifiers.
Via Modern Healthcare:
Even though the new regime for testing and certifying electronic health-record systems under the federal EHR incentive program won't take effect until October—and testing against newly released criteria might not begin until year's end—federal authorities have given five organizations the OK to certify software for that program.
HHS' Office of the National Coordinator for Health Information Technology has authorized the Certification Commission for Health Information Technology, the Drummond Group, ICSA Labs, InfoGard Laboratories and Orion Register to serve as certification bodies under the EHR incentive payment program, according to ONC spokesman Peter Ashkenaz. The program was established by the American Recovery and Reinvestment Act.
Hackers recently struck a small medical practice in suburban Chicago, encrypted the facility’s digital medical records, and then demanded a ransom payment in exchange for allowing the facility to regain access to its records. Medical industry observers note that this is not the first instance of this new type of criminal hacking activity.
This case should serve as a reminder to healthcare providers that, in addition to significant concerns regarding securing patient data from unlawful access, use or disclosure, such organizations should make sure that their patient data is backed up and accessible through more than one channel, in order to avoid a "hostage" situation like the one described below.
Via Bloomberg News:
As more patient records go digital, a recent hacker attack on a small medical practice shows the big risks involved with electronic files.
The Surgeons of Lake County, a medical facility in the northern Illinois suburb of Libertyville, revealed last month that hackers had burrowed deeply into its computer network, infiltrating a server where e-mails and electronic medical records were stored, Bloomberg.com reported on its Tech Blog.
Unlike many other data breaches, the hackers made no attempt to keep their presence a secret. In fact, they all but fired a flare to announce the break-in, taking the extreme step of encrypting their illicit haul and posting a digital ransom note demanding payment for the password.
The doctors turned the server off and notified the authorities, refusing to pay.
Centers for Medicare and Medicaid Services (CMS) released the final requirements for Stage 2 of Meaningful Use, which health care providers must meet in order to qualify for incentives during this stage of the program, and criteria that electronic health records must meet to achieve certification.
Via CMS press release:
The requirements announced today:
Make clear that stage two of the program will begin as early as 2014. No providers will be required to follow the Stage 2 requirements outlined today before 2014.
Outline the certification criteria for the certification of EHR technology, so eligible professionals and hospitals may be assured that the systems they use will work, help them meaningfully use health information technology, and qualify for incentive payments.
Modify the certification program to cut red tape and make the certification process more efficient.
Allow current “2011 Edition Certified EHR Technology” to be used until 2014.
The CMS final rule also provides a flexible reporting period for 2014 to give providers sufficient time to adopt or upgrade to the latest EHR technology certified for 2014.
Health records of over seven percent of the U.S. population – almost 21 million individuals – have been breached in the past three years, according to OCR. Although it may be somewhat of an apples-to-oranges comparison, it is worth noting that outside the health care arena it is not uncommon for this number of records, and several times this number of records, to be breached in a single incident, in this new era of vanishing personal privacy. The 2012 theft from Amazon/Zappos online shoe retailer of 24 million customer records may be the most recent of the large-scale data breaches, but it is dwarfed by other breaches in recent years including, notably, the 2009 Heartland Payment Systems incident in which 134 million records were compromised. According to the OCR, the 21 million number represents just those records compromised in breaches over a certain threshold and does not include smaller scale breaches.
Via Modern Healthcare:
Since September 2009, there have been 477 breaches reported to the Office for Civil Rights affecting 500 or more people, according to a publicly viewable list on the office's website.
Over half of U.S. doctors now use electronic medical records, and half of the remainder plan to start in the coming year, a new poll has found.
TUESDAY, July 17 (HealthDay News) -- A majority of U.S. physicians have now adopted an electronic health record system as part of their routine practice, a new national survey reveals.
The finding is based on responses provided by nearly 3,200 doctors across the country who completed a mail-in survey in 2011. The survey was conducted by the U.S. Centers for Disease Control and Prevention's National Center for Health Statistics as part of an ongoing three-year effort (continuing through 2013) designed to assess perceptions and practices regarding electronic health record systems.
Patients increased their preventive care significantly after being given access to their medical records online in a recent study. These health care consumers’ use of preventive care measures such as cancer screenings, and immunizations, were higher than those of consumers without online access to their EMRs.
In a clinical trial at eight primary care practices, researchers found that patients who used such "interactive" health records were more likely to become up-to-date on recommended preventive care.
That included screening tests for breast, colon and cervical cancers, and immunizations like the yearly flu shot.
After 16 months, 25 percent of patients who used the online records were up-to-date on their preventive care - which was double the rate of non-users.
The mounting economic challenges and the uncertain regulatory environment ensure that the pace of mergers in the healthcare industry will continue to accelerate, at the same time as the industry is moving into the digital age. Converting a single health care system from paper to meaningful-use certified electronic medical records (EMR) software is incredibly challenging and time consuming. However, conducting such transition while two health care entities are merging is more than twice as difficult because the potential for patient-endangering errors is very high, especially while merging non-complementary EMR systems.
Via Wall Street Journal:
Hospitals around the country are finding themselves forced to juggle the demands of moving to electronic health records, just as a wave of mergers disrupts the healthcare industry.
In the latest deal, two of New York’s biggest hospital chains, NYU Langone Medical Center and Continuum Health Partners, agreed to pursue discussions of a merger last week. The potential merger is the latest hospital marriage as healthcare systems around the country seek greater efficiency. Last year, Provena Health agreed to merge with Resurrection Health Care. Ascension Health, the nation’s largest Catholic health system, also agreed in 2011 to join with Alexian Brothers Health System. A March report from Moody’s said that the pace of hospital mergers will only quicken, as reimbursements from both Medicare and private insurers shrink.
A surge in data privacy breaches and the accompanying string of recent HHS enforcement actions should serve as an important reminder to healthcare providers regarding the importance of data privacy protection and the skyrocketing costs of failures to comply. 2011 saw a 97% increase in the number of data breaches, as reported by the Salt Lake Tribune in the context of the massive breach of health information privacy in Utah earlier this month.
At the same time, HHS has stepped up its enforcement actions. Last week, we touched on the $100,000 OCR settlement with a cardiology practice in Arizona. Last month, HHS reached a $1.5 million settlement with Blue Cross Blue Shield of Tennessee (BCBST) for a breach of about 1 million unencrypted patient records which resided on over 50 stolen hard-drives. However, the $1.5 million settlement amount was dwarfed by the $17 million BCBST had to spend on notification and credit monitoring expenses, as well as investigating and correcting the breach.
The BCBST settlement is a good reminder that breaches and noncompliance can be extraordinarily expensive, even without the federal and/or state regulatory fines. A December 2011 Ponemon Institute study found that data security breaches cost the healthcare industry $6.5 billion in the year leading up to that study. Just last month, a medical records company filed for bankruptcy after its offices were burglarized and medical records of over 14,000 people were stolen. The costs and expenses associated with that breach were so high that the firm had no choice but to go out of business.Continue Reading...
On February 24, 2012, Center for Medicare and Medicaid Services (CMS) and the Office of National Coordinator for Health IT (ONC) issued proposed rules regarding Stage 2 of Meaningful Use. The proposed rules include the criteria for demonstrating Stage 2 Meaningful Use, and address the penalties for failure to achieve Meaningful Use by 2015. HHS noted the progress made in the last few years, but also recognized the challenges facing the industry, and pushed back the attestation for Stage 2 to 2014. Via HHS Press Release:
In a November 2011 'We Can’t Wait' announcement, the Department outlined plans to provide an additional year for providers who attested to meaningful use in 2011. Under today’s proposed rule, stage 1 has been extended an additional year, allowing providers to attest to stage 2 in 2014, instead of in 2013. The proposed rule announced by ONC identifies standards and criteria for the certification of EHR technology, so eligible professionals and hospitals can be sure that the systems they adopt are capable of performing the required functions to demonstrate either stage of meaningful use that would be in effect starting in 2014.
The Department of Health and Human Services' Office for Civil Rights has set a March target date for release of the long-delayed final version of Health Insurance Portability and Accountability Act modifications and the HIPAA breach notification rule.
Although an HHS semi-annual regulatory agenda published Feb. 13 in the Federal Register did not mention these regulations, a January 'unified agenda' document, with far more details, shows a March target date, notes Susan McAndrew, OCR's deputy director for health information privacy.
The HHS regulatory agenda sets target dates, which, historically, aren't necessarily met. And the rules don't yet appear on the list of regulations under review by the Office of Management and Budget. OMB review is the final step before publishing a rule in the Federal Register.
'OCR is making every effort to publish the final rules on all of the remaining HITECH Act provisions so these important protections and expansions of individual rights under the HIPAA privacy and security rules can be made available uniformly to consumers across the country,' McAndrew told HealthcareInfoSecurity. 'OCR is proceeding with all deliberate speed to ensure the major impacts of these regulations are fully understood and addressed.'
HHS announced today that the government intends to make it easier for healthcare providers to adopt electronic health records (EHRs). As part of this initiative, HHS decided to extend the deadline for meeting Stage 2 of Meaningful Use until 2014. Via HHS press release:
Under the current requirements, eligible doctors and hospitals that begin participating in the Medicare EHR (electronic health record) Incentive Programs this year would have to meet new standards for the program in 2013. If they did not participate in the program until 2012, they could wait to meet these new standards until 2014 and still be eligible for the same incentive payment. To encourage faster adoption, the Secretary announced that HHS intends to allow doctors and hospitals to adopt health IT this year, without meeting the new standards until 2014.
HHS also trumpeted the results of a CDC survey which found that more than half of U.S. physicians plan to take advantage of the EHR incentive program, and that the rate of EHR adoption doubled between 2008 and 2011, from 17% to 34% among physicians.
Of course, HHS did not comment on how low those numbers are. The fact remains that about two-thirds of U.S. physicians have not adopted electronic health records, and continue to use, in Secretary's words, the same technology as Hippocrates. The Obama administration is relying heavily on Regional Extension Centers and training efforts in order to aid healthcare enterprises in adopting EHRs.
We will update this post with links to any relevant regulations if and/or when HHS publishes them in the Federal Register.
"We Can't Wait: Obama Administration takes new steps to encourage doctors and hospitals to use health information technology to lower costs, improve quality, create jobs," HHS press release (November 30, 2011).
HHS released the first numbers regarding its Meaningful Use incentives program, established by the HITECH Act of 2009. Unsurprisingly, most eligible professionals and hospitals receiving funds this year qualified for incentive payments under Medicaid, rather than Medicare, because Medicare has a higher threshold for receiving such payments. Medicare requires the eligible professional or hospital to achieve and demonstrate meaningful use, while Medicaid mandates only adoption, implementation or upgrade of existing systems.
Nevertheless, the extent of the disparity was somewhat surprising: only about 6% of eligible hospitals and 3% of eligible professionals qualified for meaningful use incentives under Medicare. Via Modern Healthcare:
So far, Medicaid program payments for hospitals, physicians and other eligible professionals that have adopted, implemented or upgraded to a certified EHR system have totaled $389 million. Only $264 million has been paid under the Medicare program, which has a higher eligibility threshold, requiring providers to demonstrate that they are meaningfully using their certified EHR system.
In a sure sign of the times, Drchrono, which offers a free electronic health record platform on the iPad, became the first iPad app to receive official ONC-ACTB certification. According to Healthcare IT News, "the drchrono EHR platform has been awarded ambulatory certification (ONC-ATCB) as a Complete EHR by San Luis Obispo, Calif.-based InfoGard, an Office of the National Coordinator (ONC) Authorized Testing and Certification Body (ATCB)". The app tracks a provider's use of the EHR and offers them key metrics to report to CMS, and includes many other features, such as billing and e-prescribing.
This is a huge step for a mobile EHR app, but its maker's regulatory hurdles may not be over. Last week, we reported on the FDA potentially regulating the market of mobile healthcare devices and applications. Electronic and personal health records could be exempt from such regulation, unless the FDA adopts a broad definition of "clinical decision support," which includes decisions based on the information given to a provider via the EHR app or device.
Moreover, use of such mobile apps or devices in healthcare presents providers with a very long list of legal concerns. Privacy and security of patient data, compliance with state and federal laws (including Stark and anti-kickback statutes), assumption of risk and liability, along with many other critical issues, should be addressed in the contract between the healthcare provider and vendor of such software.Continue Reading...
The HIT Policy Committee, which advises the Office of the National Coordinator for Health IT in the Department of Health and Human Services, voted 12-5 to approve a significant delay in requiring providers to meet Stage 2 Meaningful Use until 2014. If finalized by CMS, such delay would be a welcome relief to those providers who qualified for Stage 1 Meaningful Use in 2011 (and therefore would have only a few months to commence Stage 2 Meaningful Use under the current rule).
The delay is among the stage 2 recommendations that the Health IT Policy Committee approved at its meeting June 8 by an overwhelming vote of 12 to 5.
The original 2013 timeframe does not give vendors enough time to design, develop, and test new functionality and providers to deploy it and report measures for one year, said Dr. Paul Tang, vice chair of the Health IT Policy Committee and chair of its meaningful use work group.
“The only group that would be affected is the early entrants who qualify for stage 1 in 2011 who get put into a bit of predicament in an unintended way,” he said. Tang is also chief medical information officer at the Palo Alto Medical Foundation.
As a result, stage 1 demonstration and attestation would continue through 2013; stage 2 would start in 2014 and stage 3 in 2015. With the revised timing, providers will still receive the same payments as originally planned. Instead of 2013, however, early entrants will have to wait to attest and receive payments for stage 2 in 2014.
You can find and download the Meaningful Use workgroup's recommendations by clicking here.
On May 31, 2011, HHS released the proposed rule on accounting for dislosures of protected health information (PHI), which modified the HIPAA Privacy Rule pursuant to the HITECH Act. This proposed rule would give individuals the right to get a report on who has electronically accessed their PHI. Via HHS press release:
'This proposed rule represents an important step in our continued efforts to promote accountability across the health care system, ensuring that providers properly safeguard private health information,' said OCR Director Georgina Verdugo. 'We need to protect peoples’ rights so that they know how their health information has been used or disclosed.'
People would obtain this information by requesting an access report, which would document the particular persons who electronically accessed and viewed their protected health information. Although covered entities are currently required by the HIPAA Security Rule to track access to electronic protected health information, they are not required to share this information with people.
The proposed rule requires an accounting of more detailed information for certain disclosures that are most likely to affect a person’s rights or interests. The proposed changes to the accounting requirements provide information of value to individuals while placing a reasonable burden on covered entities and business associates.
You can view and download the proposed rule by clicking here.
HHS's own Office of Inspector General (OIG) issued a scathing report regarding pervasive breaches in privacy and security of patient data. OIG specifically called out the Office of Civil Rights (OCR), charged with enforcement of HIPAA Privacy and Security Rules, for failing to investigate and punish the vast majority of violators.
The audit tested seven hospitals' compliance with HIPAA in seven different states, and found 151 vulnerabilities in the systems and controls intended to cover e-PHI, 124 of which were categorized as "high-impact" (i.e., ones which may result in costly losses, injury or death.) Violations included unencrypted wireless connections, easy passwords, and even a taped-over door lock on a room used for data storage. Via Modern Healthcare:
The audits of the seven hospitals revealed weaknesses in hospital IT defenses of electronic protected health information, or ePHI, ranging from the fact that several hospitals still were using obsolete and vulnerable encryption protocols to the fact that all seven had vulnerable access controls in which “Outsiders or employees at some hospitals could have accessed, and in one hospital did access, systems and beneficiaries' personal data and performed unauthorized acts without the hospitals' knowledge.”
“These vulnerabilities placed the confidentiality, integrity and availability of ePHI at risk,” the auditors said. The individual hospital audit reports were not disclosed “because the reports contained restricted, sensitive information that may be exempt from release under the Freedom of Information Act,” according to the report.
According to Healthcareinfosecurity.com, the Office of Civil Rights (OCR) is still working on the final rule regarding the updates to HIPAA and the related HIPAA Privacy and Security Rules mandated by the HITECH Act. Susan McAndrew, deputy director for health information privacy at OCR, stated at a conference in Washington, DC, that such changes will be contained in one omnibus regulation and is expected to be published in a matter of months, if not weeks.
Such omnibus regulation will cover:
- HITECH Act-mandated modifications to the HIPAA privacy, security and enforcement rules. These changes, for example, formalize higher penalties for HIPAA violations and make it clear that business associates must comply with HIPAA. Last December, HHS had indicated in its semi-annual regulatory agenda that the final HIPAA modifications, many of which were issued in preliminary form last year, would be completed by March.
- The breach notification rule. An interim final version is already in effect. OCR yanked a proposed final version of the rule last year for further consideration. Some observers speculated that the office may be reconsidering the controversial "harm standard" in the interim final version of the rule, which enables organizations to conduct a risk assessment to determine whether a security incident represents a significant risk of harm and thus merits reporting.
- Privacy provisions under the Genetic Information Nondiscrimination Act. These provisions will formalize that using genetic information for insurance underwriting purposes is a privacy violation as well as a non-discrimination violation, McAndrew said.
CMS announced that the online Attestation System for the Medicare EHR Incentive Program will launch on April 18, 2011. Eligible professionals and eligible hospitals will be able to use this online portal to self-attest to meeting the Meaningful Use criteria.
CMS also released a preview of the Attestation System. This preview includes attestation screenshots and is intended to give examples of what the attestation process will look like. CMS promised to release additional information about the attestation process soon, including "User Guides" that will give step-by-step instructions for completing attestation, along with educational webinars that describe the attestation process in depth.
Finally, CMS noted that providers will follow a similar process using their state's Attestation System. Such providers may find their state's scheduled launch dates of their Medicaid EHR Incentive Program by clicking here.
You can download the preview by clicking here.
For more information, please visit CMS's EHR Incentive Program web site.
Dr. David Blumenthal, the head of the Office of the National Coordinator for Health IT (ONC), announced yesterday in a letter to his staff that he's leaving the ONC and returning to his position at Harvard University.
According to Dr. Blumenthal, the move was "planned" and is expected to take place this spring. Here is a copy of his letter, via Healthcare IT News:
As you know, I have told Secretary Sebelius that I will be returning to my academic home this spring, as was planned when I accepted the position of National Coordinator for Health Information Technology. While we still have important work to do together, including the assurance of a productive transition for ONC, now is the time for me to express my deep gratitude to all of my ONC colleagues, and my admiration for all you have accomplished.
We have been privileged to be at the center of a great new enterprise at an historic moment in our health care system. For years America’s health policy leaders have understood that information technology offered the opportunity for transformational improvement of the Nation’s health care system and the health of individual Americans. Yet the obstacles are formidable: our fractured health care system, our dysfunctional payment methods, the lack of an infrastructure for exchanging health information, and more.
Via Healthcare IT News:
The Spending Reduction Act of 2011 (H.R. 408), introduced on January 24 by Rep. Jim Jordan (R-Ohio), seeks to reduce federal spending by $2.5 trillion over the coming decade. As it does so, it singles out many federal programs for elimination.
Section 302 of the bill, titled "REPEAL OF CERTAIN STIMULUS PROVISIONS," states that "effective on the date of the enactment of this Act, subtitles B and C of title II and titles III through VII of division B of the American Recovery and Reinvestment Act of 2009 (Public Law 111-5) are repealed, and the provisions of law amended or repealed by such provisions of division B are restored or revived as if such provisions of division B had not been enacted."
Since the Medicare and Medicaid EHR Incentive Programs set up under the ARRA/HITECH Act of 2009 fall under division B, it would appear that the $27 billion earmarked for disbursement to healthcare providers to spurring EHR adoption would fall on the chopping block were the bill to ever pass.
For good measure, Jordan's Republican Study Committee also decrees that the enacted legislation would "further prohibit any FY 2011 funding from being used to carry out any provision of the Democrat government takeover of health care, or to defend the health care law against any lawsuit challenging any provision of the act.
Center for Medicare and Medicaid Services (CMS) opened the registration process for eligible hospitals and professionals hoping to capitalize on the incentive payments provided under the HITECH Act. Each such hospital or professional needs to register with CMS in order to receive such payments, and CMS encourages all eligible healthcare providers to register as soon as possible.
You can find the EHR Incentives Program registration page by clicking here.
According to Government Health IT, over 4,000 providers have already registered with CMS. Several states have also launched registrations for their Medicaid incentive programs. Moreover, hospitals in Oklahoma and Kentucky have already begun receiving incentive payments:
Kentucky processed payment to the University of Kentucky Healthcare, the university’s teaching hospital, for $2.86 million. The first payment amounts to one- third of the hospital’s overall expected amount for participating in the program, according to CMS. Oklahoma issued payments to two physicians at the Gastorf Family Clinic of Durant, Okla., for $21,250 each for having adopted certified EHRs.
Besides Kentucky and Oklahoma, registration is available for the Medicaid EHR incentive program in Alaska, Iowa, Louisiana, Michigan, Mississippi, North Carolina, South Carolina, Tennessee and Texas.
In February, registration will open in California, Missouri, and North Dakota. Other states will likely launch their Medicaid EHR incentive programs during the spring and summer of 2011.
You can learn more about registration for Medicare incentives for eligible professionals by clicking here; and for Medicaid incentives for eligible professionals by clicking here. A similar CMS guide for both Medicare and Medicaid incentives for eligible hospitals can be found here.
The New York state Department of Health and a public-private partnership called New York eHealth Collaborative, or NYeC (pronounced "nice"), recently announced plans to spend $129 million in state and federal money to create a statewide network for electronic medical records, to be complete in 2014. Like the highways, they envision the network as a public utility that will allow medical providers anywhere in the state to view — with your permission — a list of your medications, any allergies and any recent X-rays or other tests that could help guide your care. The e-records network would be the largest in the country, dwarfing networks of other states and the Veterans Administration.
The planned statewide network, called Statewide Health Information Network for New York or SHIN-NY, is intended to serve more than 200 hospitals, thousands of medical practitioners and up to 20 million patients a year.
You can read more about NYeC here.
On December 8, 2010, President's Council of Advisors on Science and Technology (PCAST) issued its report on the importance of widespread adoption and use of health IT to improve healthcare delivery and reduce costs. The report concluded that:
information technology can help catalyze a number of important benefits including improved access to patient data, which can help clinicians as they diagnose and treat patients and patients themselves as they strive to take more control over their health; streamlined monitoring of public health patterns and trends; an enhanced ability to conduct clinical trials of new diagnostic methods and treatments; and the creation of new hightechnology markets and jobs. Health information technology can also help support a range of healthcare related economic reforms needed to address our Nation’s longterm fiscal challenges.
PCAST also recommended "nationwide adoption of a universal exchange language for healthcare information and a digital infrastructure for locating patient records while strictly ensuring patient privacy," and tasked CMS and ONC with developing guidelines "to spur adoption of such a language and to facilitate a transition from traditional electronic health records to the use of healthcare data tagged with privacy and security specifications."
You can view PCAST's press release here.
You can view PCAST report here.
The U.S. Government Accountability Office (GAO) released its report on integrated delivery systems (IDSs) in healthcare. The report found that electronic health record systems (EHRs) are able to improve patient care among such IDSs.
Some IDSs said that using EHRs supports their patient care strategies such as care coordination, disease management, and use of care protocols by increasing the availability of individual patient and patient population data and by improving communication among providers.
All 15 IDSs which took part in this study have implemented EHR systems. Mayo Clinic, one of the participants, reported that "the EHR helps avoid overutilization and duplication of services." Several other IDSs reported significant savings because of EHR use, including Marshfield Clinic in Wisconsin, which reported that its e-prescribing feature reduced "errors related to illegible handwriting and unintentional drug interactions." In addition, Marshfield's EHR requires physicians to consider appropriate "preferred alternatives" for prescription drugs, saving payers and patients $2.5 million in 1 year.
You can find the full report here.
"Health Care Delivery: Features of Integrated Systems Support Patient Care Strategies and Access to Care, but Systems Face Challenges," U.S. Government Accountability Office, GAO-11-49 November 16, 2010.
A new study by the Ponemon Institute concluded that data breaches cause enormous losses for U.S. hospitals: on average, over a two-year period, each hospital will incur about $2 million in losses due to data breaches, which results in $12 billion cumulative loss for all U.S. hospitals.
The study also found that:
- Most healthcare organizations experience undetected breaches of patient data due to lack of preparation and staffing. 71% of healthcare organizations reported having inadequate resources, 52% reported having appropriately trained personnel, and 69% reported having insufficient policies and procedures in place to prevent and quickly detect patient data loss; thus leaving such organizations with little or no confidence in their ability to appropriately secure patient records.
- Protecting patient data is not a priority for 70% of hospitals, with 67% reporting having less than 2 staffers dedicated to privacy and security issues.
- 71% do not believe the new federal regulations pursuant to the HITECH Act have significantly changed the management practices of patient records.
Will American healthcare providers, like major companies in other sectors of the economy, outsource their electronic medical records systems and maintenance offshore, especially to an established tech industry in India? According to the Wall Street Journal, Indian technology vendors face a significant amount of skepticism regarding outsourcing health IT to India.
While major tech companies routinely utilize data centers, service desk and other products and services in India, healthcare providers are not used to such outsourcing arrangements. Indian IT companies like HCL, InfoSys, and Wipro are trying to tap into the booming health IT market in the United States. However, they face a number of important challenges, including concerns over privacy, security and integrity of protected data, breadth of experience in the industry,and ease of implementation of such systems. One prominent CIO described this challenge succinctly in the Journal:
Designing and installing new medical systems 'is hard to do off site, let alone offshore,' says Darren Dworkin, chief information officer of Cedars-Sinai Medical Center in Los Angeles. Cedars-Sinai is close to finishing a four-year, $100-million project to install an electronic medical-records system. Mr. Dworkin says that 80% to 90% of the work isn't the sort of commodity coding that is easily outsourced, instead requiring an intimate knowledge of the hospital's terminology and how its doctors and nurses work.
You can read the full article by clicking here.
"Qualms Arise Over Outsourcing Of Electronic Medical Records," Wall Street Journal (November 2, 2010).
Government Health IT published a column by Steve Fox and yours truly on the critical role Regional Extension Centers (RECs) can and should play in distributing best practices regarding contracting for health IT systems, including EHRs. Via Government Health IT:
RECs have the potential to serve as a valuable resource, especially for remote and underserved paper-based primary practices. However, RECs could be doing a disservice to physicians by failing to advise or provide them with essential EMR contract negotiation skills.
With HITECH Act incentives expiring in just a few years, healthcare providers will likely get only one chance to qualify for the full amount of the incentive payments. Thus, successful implementation and operation of an EMR system by the selected health IT vendor becomes critical to each healthcare organization trying to achieve “meaningful use” and take advantage of the incentive program.
In this environment, strong and effective contracts between healthcare providers and health IT vendors is especially significant, because such agreements can provide adequate protections, safeguards and other rights for the provider-customer, in the event a vendor defaults or otherwise fails to perform to the provider’s satisfaction.
You can read the full column by clicking here.
The HITECH Act added over $27 billion to an industry whose publicly trading companies' market cap is below that, around $25 billion. Such dramatic expansion of the industry will likely lead to significant consolidation among HIT vendors. We have already seen a merger between Eclypsis and Allscripts this summer (which became final last month); and now Cerner, another leading HIT vendor, entered into a partnership with MedAssets, Inc., a company that has specialized Internet-based financial improvement systems. Via the Journal:
As that funding makes its way to health-care IT companies, it's likely to necessitate a lot more consolidation in an industry that's currently very fragmented. For instance, hospitals are not only looking to reduce the
number of different IT systems they use in-house, they also want more seamless ways of connecting to doctors' offices and insurers.
"We're at the beginning of the single fastest transformation of any industry in U.S. history," said Glen Tullman, chief executive of the health-care IT company Allscripts Healthcare Solutions Inc. (MDRX). <...> Tullman said he expects a lot more deals to come in the industry. He said that some of that consolidation will likely take place among the companies that provide IT systems to hospitals, a list that
includes Allscripts, privately held Epic Systems Corp., General Electric Co. (GE), Cerner, Germany-based Siemens AG (SI), McKesson Corp. (MCK) and privately held Medical Information Technology Inc., commonly known as Meditech. Tullman declined to comment on what companies he expects to make deals.
You can read more at the Wall Street Journal web site here.
"Health-Care IT Sector Shaking Up As Medical World Goes Digital," Wall Street Journal (October 15, 2010).
On October 1, 2010, CCHIT announced certifications of 19 "complete" EHR products, including, for example, Epic products for both hospitals and eligible professionals, and Allscripts and GE Centricity products for eligible professionals.
CCHIT also certified 14 "module" EHR products, from vendors which applied for certification of their products as complete EHRs "but testing could not be completed on a small number of criteria (such as electronic prescribing) because planned updates to the test procedures by NIST were not available at the time of testing." Such "EHR Module" certified products may seek certification as a complete EHRs in the near future. Via Healthcare IT News:
The Certification Commission for Health Information Technology announced Oct. 1 that it has tested and certified 33 Electronic Health Record products under the ONC-ATCB program.
CCHIT is one of three Approved Testing and Certification Bodies, designated by the Office of the National Coordinator (ONC). The other two are the Drummond Group and InfoGard Laboratories, Inc.
The ATCBs certify that the EHRs are capable of meeting the 2011/2012 criteria supporting Stage 1 meaningful use. Certification is required to qualify eligible providers and hospitals for funding under the American Recovery and Reinvestment Act (ARRA).
The CCHIT certifications include 19 Complete EHRs, which meet all of the 2011/2012 criteria for either eligible provider or hospital technology, and 14 EHR Modules, which meet one or more – but not all – of the criteria.
"CCHIT announces 33 certifications," Healthcare IT News (October 1, 2010).
On Thursday, October 7, 2010, from 1:00PM to 2:00PM, Post & Schell, in collaboration with Kroll Fraud Solutions, will present a free webinar examining the crucial changes and updates to the HIPAA Privacy and Security Rules included in the Notice of Proposed Rulemaking (NPRM) issued by the Office of Civil Rights of the U.S. Department of Health and Human Services on July 8, 2010. Post & Schell's Steve Fox and Vadim Schick will highlight the key provisions in the NPRM, including:
- New restrictions on use and disclosure of protected health information (PHI) for marketing, fundraising, and other commercial purposes
- Providing patients with e-copies of their PHI
- Extension of HIPAA Privacy and Security Rules to business associates
- Effect of new rules on business associate agreements
In addition, our guest presenter for this webinar, Alex Ricardo, CIPP of Kroll Fraud Solutions, who will discuss the practical implications of this new set of regulations on covered entities and business associates, including:
- Assessing an organization's policies, procedures and practices for compliance with the HIPAA Rules and these updates
- Reviewing current contractual agreements and relationships with business associates and their subcontractors
- Training staff of the organization
- Breach preparedness and breach response
You can view this presentation at your desk. There is no charge or limit to the number of people who can listen to the presentation on the same line. Click the following link to register for the webinar: register now. After registering, you will receive log-in information for this webinar by
For more information, contact Vadim Schick at firstname.lastname@example.org or 202-661-6945.
According to Karen Bell, MD, chair of the Certification Commission on Health Information Technology (CCHIT), her organization will begin accepting applications for HHS certification as early as September 20, 2010. Via Healthcare IT News:
CCHIT is authorized to offer HHS certification for complete EHRs that meet all of the Stage 1, 2011/2012 HHS/ONC criteria, as well as certification for modular EHR products that meet one or more - but not all - of the criteria, Bell said.
According to Bell, CCHIT plans to launch its authorized HHS certification program on Sept. 20 at 1 p.m. Eastern time with a Town Call Webcast describing its application and testing process. CCHIT will take new health IT developer applications immediately after the Webcast and the first group of HHS certified complete EHRs and EHR modules will be announced within weeks of that launch.
In addition to HHS certification, CCHIT will continue to offer its CCHIT Certified program for ambulatory and inpatient EHR products that exceed the HHS/ONC criteria and are designed for hospitals and physician practices that are looking for assurance of more robust, integrated EHR products to support the unique needs of its clinicians and patients. Many of these products will also be HHS certified, Bell said.
You can read more about CCHIT's plans here.Continue Reading...
Via HHS Press Release:
The Certification Commission for Health Information Technology (CCHIT), Chicago, Ill. and the Drummond Group Inc. (DGI), Austin, Texas, were named today by the Office of the National Coordinator for Health Information Technology (ONC) as the first technology review bodies that have been authorized to test and certify electronic health record (EHR) systems for compliance with the standards and certification criteria that were issued by the U.S. Department of Health and Human Services earlier this year.
Announcement of these ONC-Authorized Testing and Certification Bodies (ONC-ATCBs) means that EHR vendors can now begin to have their products certified as meeting criteria to support meaningful use, a key step in the national initiative to encourage adoption and effective use of EHRs by America’s health care providers.
“Less than two months following the issuance of final meaningful use rules, we have approved our initial ONC-ATCB certifiers. EHR vendors can begin immediately to get their products certified.” said David Blumenthal, M.D., national coordinator for Health Information Technology. This is a crucial step because it ensures that certified EHR products will be available to support the achievement of the required meaningful use objectives, that these products will be aligned with one another on key standards, and that doctors and hospitals can invest with confidence in these certified systems.”
Our own Steve Fox was interviewed by InformationWeek regarding the essential protections healthcare providers should include in their EHR contracts with health IT vendors. In particular, Steve warned providers against simply accepting vendor agreements without carefully reviewing and negotiating the key provision therein. Via InformationWeek:
"Many health IT vendors offer online contacts that prompt the physician to click the 'agree' button. Unfortunately some of these agreements have no warranties and in fact disclaim many standard warranties, so the vendors are selling their products 'as is,' which means if something goes wrong they are not responsible," Fox told InformationWeek after his presentation. "Some contracts even go further and say if a third party, for example the patient, would sue as a result of a problem with the EHR, the physician has to indemnify and defend the vendor even if it was the vendor that caused the problem."
You can read more after the jump, or by clicking here.
On August 19, 2010, the "tiger team" advisory panel submitted a letter to the HIT Policy Committee, established pursuant to the HITECH Act, proposing new safeguards for personally identifiable information on health information exchanges. Via Bloomberg Business Week:
The recommendations were developed in response to a specific set of privacy-related questions raised by the Office of the National Coordinator for Health Information Technology. They touch upon and clarify topics such as patient consent and the use of third-party service providers in the exchange of personally identifiable health information.
<...> One of the bigger recommendations relates to patient consent. The direct exchange of electronic patient data between health providers for treatment purposes does not require any additional patient consent, the panel noted. The same rules that apply to paper or faxed exchanges of health information should apply in the electronic realm as well.
eWeek provides a great reminder of the dangers of signing up for an electronic health records system stored in a "cloud." Such ASP/SaaS EHR models are attractive to many practices because they offer consistent (though not always lower) monthly fees and require no equipment purchases or installations. However, as eWeek appropriately summarized, choosing an ASP provider should raise quite a few concerns, including:
- Access: who has access to your information (including your patients' protected health information)? How safe is it? Perhaps even more importantly, do you have access to your own information? Each ASP contract must deal with access issues, and clearly state that the provider will always have the right to access its own information stored on remotely hosted servers. Similarly, vendors should warrant that only the necessary personnel will access provider's records, and only in accordance with the scope of the agreement between the parties.
- Storage and disposal: Where is the data actually stored, and what regional or international laws may apply to such information? Also, what happens if the provider ceases to exist? eWeek reminds us that in 2001, "GE Healthcare bought health records provider Encounter EHR and eventually ended up shutting it down - giving records holders 30 days' notice to reclaim their data or lose it. This caused a great number of problems." While such instances are rare, what if the vendor storing your records is acquired by another company? Once again, your contracts should clearly deal with these issues, especially by providing that in the event the vendor is sold or goes out of business, provider has the right to terminate the agreement and the vendor must immediately return all of provider's data in its possession in the format specified by the provider.
- Cost: Does choosing ASP/SaaS model save money? According to eWeek, not necessarily: "Allscripts' MyWay service costs $700 per month per health care provider. GE Healthcare's new Centricity Advance service will cost doctors from $300 to $800 a month. Most client-server software packages are much less expensive."
In efforts to help the nation's health care industry make the transition to the digital age in an effective and meaningful fashion, the National Institute of Standards and Technology (NIST) has published a set of approved procedures for testing information technology systems that work with electronic health records (EHRs). Released in draft form earlier this year (see "NIST, Partners Develop Testing Infrastructure for Health IT Systems," NIST Tech Beat for March 16, 2010, at http://www.nist.gov/itl/hit_031610.cfm), the approved and finalized testing procedures are now available for use.
Under a certification program established by the U.S. Department of Health and Human Services Office of the National Coordinator (HHS/ONC), testing organizations authorized by HHS/ONC can use the tools to evaluate EHR software and systems that vendors would like to sell to doctor's offices, hospitals and other health care providers. Starting next year, the federal government will provide extra Medicare and Medicaid payments to health care providers that implement EHR systems certified to meet ONC requirements that conform to technical standards and are put to "meaningful use," performing specifically defined functions.
These ONC-approved test procedures help ensure that electronic health records function properly and work interchangeably across systems developed by different vendors. The set of 45 approved test procedures evaluate components of electronic health records such as their encryption, how they plot and display growth charts, and how they control access so that only authorized users can access their information.
The development of these tools was mandated by the American Recovery and Reinvestment Act (ARRA) in order to support a health IT infrastructure.
Notice of the approved test procedures appears in the August 9, 2010, Federal Register. For more information, see http://healthcare.nist.gov/use_testing/finalized_requirements.html and http://healthit.hhs.gov/certification
CMS launched a very useful Web site, http://www.cms.gov/EHRIncentiveprograms, providing an overview of the Medicaid and Medicare incentive payment programs established by the HITECH Act. The site provides up-to-date, detailed information and many important links and "fact sheets" about the incentive programs, including overviews of CMS's final rule on meaningful use, the scope of the incentives program, and a Frequently Asked Questions section.
It is definitely worth saving or bookmarking this site, so that you can check back in easily for regular updates.
On August 19, 2009, pursuant to the HITECH Act, the Department of Health and Human Services (HHS) published the interim final regulations regarding breach notification requirements for health care providers and other entities covered by HIPAA. The rule became effective on September 23, 2009.
During the 60 day public comment period, HHS received 120 comments, after which HHS developed a final rule and submitted it to the Office of Management and Budget for regulatory review on May 14, 2010. However, on July 27, 2010, HHS issued a statement that they are withdrawing the final rule from OMB:
HHS is withdrawing the breach notification final rule from OMB review to allow for further consideration, given the Department’s experience to date in administering the regulations. This is a complex issue and the Administration is committed to ensuring that individuals’ health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur. We intend to publish a final rule in the Federal Register in the coming months.
HHS's withdrawal remains a bit of mystery. However, Post & Schell's Ed Shay has a couple of thoughts, which you can read after the jump.Continue Reading...
The Rite Aid Corporation, the third largest pharmacy chain in the United States, reached a major settlement with both the Federal Trade Commission (FTC) and HHS's Office of Civil Rights (OCR) regarding charges that Rite Aid violated federal privacy and security laws and regulations by failing to keep its customers' and employees' data safe.
Rite Aid employees were reported to discard prescriptions and pill bottles containing sensitive patient data into the dumpsters behind various Rite Aid pharmacies, which were easily accessible to the public. Such practices violate the HIPAA Privacy Rule, which requires covered entities to safeguard the privacy of patient information, even when such information is being destroyed. Rite Aid's actions may also violate the company's own promises to their customers regarding keeping their health information private and secure (this broken promise being the basis for FTC's charges).Continue Reading...
We dedicate much of our time to the implications of and regulations stemming out of the American Recovery and Reinvestment Act of 2009 (ARRA). However, this year's historic health reform legislation ("Affordable Care Act" or "ACA") also contains a number of significant provisions affecting the health IT industry. (We discussed ACA's health IT provisions in a recent guide to the health reform legislation crafted by the American Health Lawyers Association, which you can fine here.)
In particular, Section 1561 of the Affordable Care Act tasks the HIT Policy and Standards Committees (established last year pursuant to ARRA) to develop a set of standards which would facilitate enrollment in federal and state health and human services programs, including drafting "standards for electronic matching across state and federal data; retrieval and submission of electronic documentation for verification; reuse of eligibility information; capability for individuals to maintain eligibility information online; and notification of eligibility."
On July 19, 2010, the Enrollment workgroup of these advisory committees issued their recommendations with respect to minimum enrollment standards. Their recommendations will be the subject of a rule the agency must issue by September 30, 2010. The workgroup's recommendations include the use of web-based services, easing enrollment procedures for patients, and creating "business rules" (sets of policies and procedures aimed at promoting "the use of standard data elements and verification and help to deal with ambiguity of information and differences in data so program officers can make decisions about eligibility.")
"Health IT panel offers first enrollment standards details," Healthcare IT News (July 20, 2010).
On July 13, 2010, CMS issued the final rule defining "meaningful use" and establishing the parameters and requirements for eligible professionals, hospitals and other providers to receive incentive payments provided under the HITECH Act for widespread adoption of electronic health records. According to CMS, the key changes included in the final rule (from the meaningful use NPRM published in the Federal Register on January 13, 2010) include:
- Greater flexibility with respect to eligible professionals and hospitals in meeting and reporting certain objectives for demonstrating meaningful use. The final rule divides the objectives into a “core” group of required objectives and a “menu set” of procedures from which providers may choose any five to defer in 2011-2012. This gives providers latitude to pick their own path toward full EHR implementation and meaningful use.
- An objective of providing condition-specific patient education resources for both EPs and eligible hospitals and the objective of recording advance directives for eligible hospitals, in line with recommendations from the Health Information Technology Policy Committee.
- A definition of a hospital-based EP as one who performs substantially all of his or her services in an inpatient hospital setting or emergency room only, which conforms to the Continuing Extension Act of 2010
- CAHs within the definition of acute care hospital for the purpose of incentive program eligibility under Medicaid.
You can view the PDF of the final rule on Meaningful Use by clicking here.
You can learn more about it from the HHS press release by clicking here. Also, the New England Journal of Medicine published an excellent summary by Dr. Blumenthal of the changes included in the final rule; you can find this article by clicking here.Continue Reading...
On July 7, 2010, HHS issued a notice of proposed rule making (NPRM) regarding the changes to the HIPAA Privacy, Security and Enforcement Rules, as provided in the HITECH Act, in order "to strengthen the privacy and security protections for health information and to improve the workability and effectiveness of the HIPAA Rules." Via HHS Press Release:
The proposed modifications to the HIPAA Rules include provisions extending the applicability of certain of the Privacy and Security Rules’ requirements to the business associates of covered entities, establishing new limitations on the use and disclosure of protected health information for marketing and fundraising purposes, prohibiting the sale of protected health information, and expanding individuals’ rights to access their information and to obtain restrictions on certain disclosures of protected health information to health plans. In addition, the proposed rule adopts provisions designed to strengthen and expand HIPAA’s enforcement provisions.
You can view the NPRM by clicking here.
"Notice of Proposed Rulemaking to Implement HITECH Act Modifications," HHS Press Release (July 7, 2010).
As required in the Patient Protection and Affordable Care Act (PPACA), Center for Medicare and Medicaid Services (CMS) announced this week that it plans to integrate the quality reporting requirements for physicians' Medicare payments with reporting requirements for healthcare providers who achieve meaningful use under the HITECH Act. Via Healthcare IT News:
Under the Physician Quality Reporting Initiative (PQRI), physicians who participate in Medicare can receive incentives for reporting various quality measures, a select number of which are aimed at those who want to report using EHRs.
Providers who become meaningful users of EHRs, as laid down by the American Recovery and Reinvestment Act (ARRA), will also be eligible for incentive payments. A final rule on that is expected soon.
CMS has requested public comment on how it should integrate the two programs, included within a proposed rule about changes in Medicare physician payments for 2011 CMS expects to publish the proposed rule July 13.
"In an effort to align PQRI with the EHR incentive program, we propose to include many ARRA core clinical quality measures in the PQRI program, to demonstrate meaningful use of EHR and quality of care furnished to individuals," the proposed rule says.
Meaningful use measures that physicians could use for PQRI reporting through electronic health records include such things as blood pressure measurement for hypertension, body mass index screening and prevention care follow up, and drugs to be avoided in the elderly, according to CMS.
You can find a copy of the proposed rule here.
"CMS to two align quality reporting programs," Healthcare IT News (June 29, 2010).
On June 18, 2010, the Office of National Coordinator for Health IT issued a final rule, 45 CFR Part 170, establishing a temporary EHR certification program for the purposes of testing and certifying health information technology.
The National Coordinator will utilize the temporary certification program to authorize organizations to test and certify Complete Electronic Health Records (EHRs) and/or EHR Modules, thereby making Certified EHR
Technology available prior to the date on which health care providers seeking incentive payments available under the Medicare and Medicaid EHR Incentive Programs may begin demonstrating meaningful use of Certified EHR Technology.
You can find the new final rule here.
You can find ONC's "Fact Sheet" and Q&A regarding certification here.
The number of reported health information breaches is growing rapidly: 32 breaches were reported on the OCR web site from September 2009 to February 2010, but the number almost tripled, to 93 breaches, by June 11, 2010. Such significant increases in reported breaches may be attributed to the notification and reporting requirements in the HITECH Act, which went into effect this year. We cannot possibly report or list all of the relevant breaches, but we would like to highlight a few important ones:
- On May 28, 2010, Cincinnati.com reported that “Cincinnati Children's Hospital Medical Center is beefing up its computer security after a laptop computer containing more than 61,000 patient records was stolen.” Information lost included not only PHI, but also Social Security numbers and even credit card data. The records on the laptop were password protected, but they were not encrypted. The hospital reported the breach, hired a consulting company to deal with same, and offered affected individuals ID theft protection at no charge. The cost of this breach has already been extremely high, but it could be even higher if credit card companies go after Children's Hospital for losses associated with loss of improperly stored credit card information.
- Five hospitals in California were fined a combined total of $675,000 by the California Department of Public Health for patient privacy violations, failing to prevent unauthorized access to confidential patient medical information of 245 patients, which were improperly accessed by a total of 32 employees. On June 10, 2010, Press-Enterprise reported that the Community Hospital of San Bernardino was fined by the state of California a total of $325,000 for breaches of more than 200 patient records by two employees in 2009. Violations were significant, but, considering the fine, far from gruesome.
Please click here to read more.Continue Reading...
Via Health Leaders Media:
OCR will release proposed rules later this month [or 'about two weeks or around June 26th'] on most of the HIPAA privacy and security-related provisions in HITECH, according to the North Carolina Healthcare Information and Communications Alliance (NCHICA).
<...> NCHICA reports the proposed rules will not include accounting for disclosures, which will be the subject of a separate proposed rule. The NPRM will also include clarification regarding "willful neglect" (penalty tiers).
Currently, that represents the most egregious breach of unsecured PHI and can include a penalty of at least $1.5 million under new HITECH tiers in the enforcement final rule.
The state alliance also reports state attorneys general (SAG) are "developing training programs, including information for SAG staff, covered entities and business associates regarding HIPAA requirements and processes for filings with HHS, based on lessons learned from the first AG filing in Connecticut." Under HITECH, state AGs can pursue lawsuits for HIPAA violations, and Connecticut's AG was the first to do so.
OCR is expected to begin its HITECH-required compliance audits next year, the alliance reports. OCR's audits will be outsourced because its resources are limited, according to the e-mail.
"Much remains to be decided," Susan McAndrew, JD, deputy director for Health Information Privacy, for OCR, said in the "Quiz the Regulator" session on June 7.
"State Alliance: Proposed HITECH Regulations Coming in Two Weeks," Health Leaders Media (June 15, 2010).
On June 7, 2010, Maryland's Lt. Governor Anthony Brown announced that the Office of National Coordinator for Health IT approved Maryland's State Health IT plan, allowing the state to move forward to implement a functional health information exchange (HIE). According to the Washington Business Journal, ONC will release $25 million in ARRA funds to Maryland, to be used in connection with the state's HIE:
Proponents of the exchange say it will cut costs and improve health care quality by streamlining the transfer of electronic health data between hospitals, physicians and patients.
The Chesapeake Regional Information System for our Patients, the nonprofit tasked with implementing the exchange, has already begun work with $10 million in state money. The federal approval leaves the plan's funding "fully unrestricted," said CRISP Program Director Scott Afzal, allowing them to broaden the goals of the exchange and engage more hospitals. Much of their work lies in finding health care providers to sign on to the exchange when there is no state or federal legal requirement to do so, according to Afzal.
'We have to show a value proposition to connect,' he said.
The project is estimated to cost roughly $20 million, although it will be scoped to available funding.
Allscripts and Eclipsys announced a $1.3 billion merger, which some analysts tout as a match "made in heaven" due to Allscripts's strength in the ambulatory space and Eclipsys's strength on the acute side. The merger is expected to be completed in four to six months; the combined company will have around 5,500 employees. The merger will also pose some challenges for the combined entity, with some customers worrying that the merger will distract management from dealing with existing issues. However, analysts believe that Allscripts's smooth merger with Misys in 2008 is a good sign that this merger with Eclipsys will succeed.
Both companies are looking to capitalize on the projected exponential growth in adoption of health IT, in part due to the incentives created by ARRA. According to the Congressional Budget Office, adoption of electronic health records by physician practices is expected to increase from 12% in 2011 to 90% by 2019.
This merger is yet another sign of future consolidation in the healthcare industry, both on the vendor side, and on the provider side, as enterprises try to minimize costs and maximize revenue in the ever-changing and often uncertain business environment.
"Allscripts-Eclipsys: 'A match made in heaven' - mostly," Healthcare IT News (June 10, 2010).
A new survey by the Ponemon Institute, an organization dedicated to advancing responsible information and privacy management practices, found that almost all surveyed organizations did not substantially comply with HIPAA, including as modified by the HITECH Act. The survey was conducted in November 2009, but, according to Ponemon, the results are not supposed to have changed much.
Ponemon Institute's survey of 77 healthcare organizations, including 42 covered entities and 35 business associates, found (via BNA):
- 27 percent of the health care organizations had not started and were “barely aware” of what was required;
- 32 percent of the organizations were waiting for more details;
- 14 percent of organizations surveyed had a plan but were waiting for more details on the requirements;
- 21 percent of the organizations surveyed were just beginning to act on becoming compliant;
- 79 percent of organizations do not regularly have the required independent assessment or audit of their program to determine adequacy; and
- 57 percent reported having known deficiencies for privacy or security.
You can find the full survey here.
"Study Finds Majority of Health Care Entities Not Compliant with HIPAA, HITECH Provisions," BNA Health IT Law & Industry Report (May 24, 2010).
Just days prior to the latest enforcement deadline of the Red Flags Rule ("RFR"), medical and osteopathic associations sued the Federal Trade Commission (FTC) over the applicability of RFR's identity theft prevention requirements to their member organizations. FTC is to begin enforcement of the Rule on June 1, 2010. Among other claims, medical associations are seeking the U.S. District Court for the District of Columbia to prevent the FTC from defining healthcare providers as "creditors" under FACTA. According to Health Data Management:
'The worst part is, I think, from a strictly ethical point of view, that you have to approach every new patient with suspicion about their identity,' said AMA spokesman Robert Mills. 'That violates every precept of the physician-patient relationship; the FTC is asking doctors to violate their role as trusted healer and counselor.'
The physician groups say that the rule requires them to set up identity theft prevention and detection programs, which aren't necessary, and said the FTC was 'arbitrary and capricious' in extending the application of the law to them. Also, the extension of the Red Flag Rule to doctors would do nothing to improve care, the physician groups say.
<...> According to the lawsuit, complying with the Red Flags Rule 'imposes significant burdens on physicians, particularly sole practitioners, and those practicing in small groups.'
According to Health Data Management, Susan McAndrew, deputy director for privacy at the Department of Health and Human Services’ Office for Civil Rights (OCR) announced at a recent conference that OCR added investigators to 10 regional offices in order to boost enforcement of HIPAA privacy and security rules.
On August 3, 2009, HHS Secretary Kathleen Sebelius transferred the responsibility for HIPAA Security Rule enforcement from CMS to OCR, which is now tasked with enforcement of both the HIPAA Security Rule and the HIPAA Privacy Rule.
While the transition from CMS to OCR "took longer than expected," Ms. McAndrew believes that OCR is finally in a position to increase enforcement efforts in order to realize the privacy and security initiatives enacted last year pursuant to the HITECH Act.
We’re hoping to move security to the forefront and make it a real partner with privacy in our enforcement... [and] that with additional feet on the ground, we’ll be able to do many more security cases as the year moves forward.
"OCR Boosting Security Enforcement," Health Data Management (May 12, 2010).
Back in January, we wrote about Huping Zhou, a former employee at the UCLA Healthcare System, who pleaded guilty to federal charges of breaches of patient privacy. Zhou, 48, accessed the UCLA patient records system 323 times during the three-week period, mostly looking for the files of celebrities, after being let go by the hospital. Names of targeted celebrities have not been revealed.
On April 27, 2010, Zhou was sentenced to four months in prison after pleading guilty to four misdemeanor counts of HIPAA violations. Zhou is the first person ever sentenced to prison for violating HIPAA. According to NBC Los Angeles:
Federal officials say Zhou is a licensed cardiothoracic surgeon in China. In 2003, he went to work for UCLA as a researcher with the UCLA School of Medicine. But his tenure was short and stormy. School officials notified him that he would be dismissed in October that year, and that's when federal officials say the snooping began.
In his plea agreement, Zhou admitted his actions, and that he had no legitimate reason for accessing the records. Federal authorities say there's no evidence that he did it for profit. Apparently, he just did it because he could.
"Former UCLA Healthcare Worker Sentenced to Prison for Snooping, " NBC Los Angeles (April 28, 2010).
- HHS's Office of Civil Rights (OCR) filed a notice in the Federal Register lifting a requirement preventing OCR from posting names of sole practitioners who suffer breaches of patient data without first obtaining consent from such practitioners. Pursuant to the HITECH Act, any covered entity reporting a breach affecting over 500 individuals must report such breach to HHS, and HHS will post a notice of such breach on its web site. At the same time, HHS did not post names of individual physician practices (e.g., sole practitioners) without such physicians' consent because they deemed the name of the physician to be protected under the Privacy Act of 1974. Instead, HHS listed such breaches under "private practice." However, OCR announced on April 16, 2010, that "it will begin posting on its breach notification web site the names of entities they consider "individuals" regardless of whether or not those entities give consent." According to HealthLeaders Media, the rule will become effective after the comment period closes (about May 23, 2010).
- Government Health IT reports that OCR will issue more privacy and security rules mandated by the HITECH Act in May 2010, including rules regarding business associate liability; new limitations on the sale of protected health information, marketing, and fundraising communications; and stronger individual rights to access electronic medical records and restrict the disclosure of certain information. According to HHS, "OCR continues work on a Notice of Proposed Rulemaking (NPRM) regarding these provisions. Although the effective date (February 17, 2010) for many of these HITECH Act provisions has passed, the NPRM and the final rule that follows will provide specific information regarding the expected date of compliance and enforcement of these new requirements."
On April 13, 2010, the Wall Street Journal published two fascinating articles on health information technology issues. In "Can Technology Cure Health Health Care?" author Jacob Goldstein examined the complexities and major risks of adopting electronic medical records. Goldstein also suggested a few high-level policies necessary to combat such risks, including designing the software with patient care in mind (rather than focusing on billing and other administrative tasks); customizing the software to fit the unique needs of one's organization; and taking the time to implement the EMR in a carefully crafted, staged manner.
The last recommendation seems to be indeed crucial to a successful EMR implementation, but it will likely put many healthcare providers trying to capitalize on HITECH incentive payments in a peculiar situation. Such providers must carefully balance their need to achieve "meaningful use" in a short time frame, while preventing as many disruptions to patient care as possible.
In "Breaking Down the Barriers," Laura Landro examined the state of regional health organizations (RHIOs) and health information exchanges (HIEs). While RHIO/HIE's are still rare, the number of such electronic patient data exchanges grows every day. In fact, according to the Journal, the number of RHIO/HIE's increased by 57% since last year. Such exchanges are also likely to benefit from HITECH Act funding distributed by HHS.
There is an interesting nexus between these two articles: interoperability and exchange. A successful widespread adoption of EMR technology seems to depend upon different EMRs talking to each other, and different - including competing - healthcare providers exchanging patient information. While EMRs may only marginally improve patient care in each individual hospital, they are likely to have a far greater impact as part of a nationwide health information exchange.
"Can Technology Cure Health Care?" Wall Street Journal (April 13, 2010).
"Breaking Down the Barriers," Wall Street Journal (April 13, 2010).
In a letter to Dr. David Blumenthal, the College of Healthcare Information Executives (CHIME), an organization which represents1,400 healthcare chief information officers, offered some criticism of ONC's recent notice of proposed rulemaking (NPRM) regarding the EHR certification program. While CHIME expressed general support for a two-stage approach for creating the certifying bodies, the CIO's are worried about any destabilizing effects such rule may have on the health IT market. Via Healthcare IT News:
We are very concerned that the introduction of a two-stage approach for certification will prolong the current instability in the health IT marketplace, which exists because of the un-finalized status of meaningful use and certification regulations," CHIME wrote. "The introduction of two separate certification schemes – one temporary and one permanent – carries a risk of continuing the uncertainty and promoting needless product replacement in the marketplace.
CHIME issued a few recommendations to combat such uncertainty, which you can find after the jump.Continue Reading...
In the news: Senators request easing of meaningful use requirements; HHS releases over $267M for RECs; and more
- A group of 37 U.S. Senators sent a letter to HHS Secretary Kathleen Sebelius expressing concern regarding the current definition of meaningful use. The senators urged the Secretary to "allow providers to 'temporarily defer a limited set of IT goals' without otherwise changing the ultimate timeline or requirements of the program." The senators also sought to change the eligibility determination based on Medicare provider numbers, considering many healthcare providers have multiple medical campuses under one such Medicare number. According to Sen. Max Baucus (D-MT), such changes would "improve the guidelines HHS has set in way that will encourage widespread use of basic, functional IT tools and improve patient care.”
- HHS released over $267 million from the stimulus funds to help 28 non-profit Regional Extension Centers (RECs). This latest award brought the total of stimulus-funded RECs to 60, and is expected to support 100,000 primary care and hospitals within 2 years. According to Secretary Sebelius, these 28 awards "represent [HHS's] ongoing commitment to make sure that health providers have the necessary support within their communities to maximize the use of health IT to improve the care they provide to their patients."
The Office of National Coordinator for Health IT (ONC) published on its web site a white paper analyzing the policies behind obtaining consent for the purposes of electronic health information exchange. The paper examined the concept of patient control of their health information, focusing on "the issues, nuanced considerations, and possible tradeoffs associated with the various consent options to help facilitate informed decision making." While the paper was written by researchers at the George Washington University, under contract with ONC, ONC clearly stated in the preamble that this white paper does not actually represent the views of the ONC or HHS.
- Javelin Strategy & Research survey found over 275,000 cases of medical identity theft in 2009, with an average price tag greater than $12,000 per incident. This is twice as many cases as in 2008. Keeping health information safe is going to be of paramount importance in the next decade, especially considering the steep rise in use of electronic health records. According to Computerworld.com (citing a study by IDC, a research firm), "about a quarter of all Americans -- 77 million people -- already have an EHR, up from 14% from in 2009." By 2015, experts believe the number will reach up to 60%, partially due to the transformation of the health IT industry by the HITECH Act.
- In its comments to CMS regarding the meaningful use NPRM, College of Healthcare Information Management Executives (CHIME) insisted that the present "all or nothing" approach to achieving meaningful use is going to prevent significant numbers of eligible providers from receiving any incentive payments under the HITECH Act. According to American Medical News:
Among CHIME's suggestions: a gradual implementation process that would allow physicians to qualify for incentives by achieving 25% of meaningful use objectives by 2011, 50% by 2013, 75% by 2015, and 100% by 2017.
'Without an approach that rewards progress or provides sufficient time, organizations with limited resources will likely have little chance of qualifying for payments, thus widening the 'digital divide' in the country,' CHIME wrote.
Last Thursday, March 18, 2010, from 1:00PM to 2:00PM (EDT), Post & Schell hosted the second webinar in a series examining the effects of meaningful use and other HITECH Act regulations on the healthcare industry.
The webinar focused on identifying and negotiating the essential elements of HIT agreements, particularly in light of the HITECH Act and related HHS regulations regarding "meaningful use" of "certified EHR technology." Post & Schell's Steve Fox and Vadim Schick, along with Jim Oakes, Principal at Health Care Information Consultants, discussed:
- Warranty, limitation of liability and privacy and security provisions in HIT contracts
- Structuring payments to correspond with certain achievement milestones
- Acceptance testing procedures
- Provisions specific to vendor-financing transactions
- ASP / SaaS models of software licensing
If you missed the presentation, you can listen to the podcast here. You can also view the slides from our presentation here.
This webinar was the second in a series devoted to structuring vendor-provider agreements in the post-HITECH Act world. If you missed our first webinar, A Lawyer's Take on "Meaningful Use," you can still view the slides from that presentation here.
In a much-anticipated move, the Office of Civil Rights (OCR) within the Department of Health and Human Services has issued an update regarding delays of certain HITECH provisions, while confirming enforcement of others. Via OCR press release:
OCR will implement important privacy and security provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act through notice and comment rulemaking, as required by the Administrative Procedure Act. These provisions include: business associate liability; new limitations on the sale of protected health information, marketing, and fundraising communications; and stronger individual rights to access electronic medical records and restrict the disclosure of certain information. OCR continues work on a Notice of Proposed Rulemaking (NPRM) regarding these provisions. Although the effective date (February 17, 2010) for many of these HITECH Act provisions has passed, the NPRM and the final rule that follows will provide specific information regarding the expected date of compliance and enforcement of these new requirements.
However, interim final rules implementing HITECH Act provisions in two areas have already been issued and are currently in effect: enforcement and breach notification. New civil money penalty amounts apply to HIPAA Privacy and Security Rule violations occurring after February 17, 2009. Covered entities and business associates must comply now with breach notification obligations for breaches that are discovered on or after September 23, 2009. OCR announced previously that it would use its enforcement discretion not to impose fiscal sanctions with regard to breaches discovered before February 22, 2010. Since that date has passed, OCR will enforce the Breach Notification Interim Final Rule, including with the possible imposition of sanctions, as it does with the HIPAA Privacy and Security Rule requirements.
You can find about more here.
"HITECH Act Rulemaking and Implementation Update," OCR Press Release (March 18, 2010).
As if foreshadowing our upcoming webinar on negotiating EHR license agreements in the post-HITECH world, For the Record interviewed our own Steve Fox on this very subject in its February 15, 2010 cover story:
Steve Fox, senior partner and chair of the IT group at the law firm Post & Schell, says such strategies will be critical to an implementation’s ultimate success. For instance, he says vendors’ guarantees that their platform will meet meaningful use thresholds should be discounted.
“I’d be surprised if [satisfying] the final regulations will be achieved by a vendor doing anything,” he says. “Ultimately, it will be up to individual physicians’ offices or provider organization to achieve meaningful use, and in order to do it, they will need that vendor’s help. I have to laugh when I see those guarantees, ‘If you buy our product, you’ll achieve meaningful use,’ because nobody can make that claim. On the other hand, the failure of the vendor’s product can cause you to fail to achieve meaningful use. That’s why it is so important that you have tight provisions in the contract saying that whatever you want that vendor’s product to achieve, it will meet those particular objectives.
“Many vendors use the phrase ‘We don’t know what we don’t know’ as a way to say they can’t try to comply with future regulations, but our position is if you are in the HIT arena, you have to agree up front to comply with whatever they are,” he adds.
On Thursday, March 18, 2010, from 1:00PM to 2:00PM (EDT), Post & Schell will host the next webinar in a series examining the effects of meaningful use and other HITECH Act regulations on the healthcare industry.
This webinar will focus on identifying and negotiating the essential elements of HIT agreements, particularly in light of the HITECH Act and related HHS regulations regarding "meaningful use" of "certified EHR technology." Post & Schell's Steve Fox and Vadim Schick, along with Jim Oakes, Principal at Health Care Information Consultants, will discuss:
- Warranty, limitation of liability and privacy and security provisions in HIT contracts
- Structuring payments to correspond with certain achievement milestones
- Acceptance testing procedures
- Provisions specific to vendor-financing transactions
- ASP / SaaS models of software licensing
You may view this presentation at your desk. There is no charge or limit to the number of people who may listen to the presentation on the same line. Click here to register. After registering, you will receive log-in information by e-mail.
This webinar is second in a series devoted to structuring vendor-provider agreements in the post-HITECH Act world. If you missed our first webinar, A Lawyer's Take on "Meaningful Use," you can still view the slides from that presentation here.
ONC announced release of the much-anticipated Notice of Proposed Rulemaking (NPRM) on certification programs. Via ONC Press Release:
Certification of Health IT will provide assurance to purchasers and other users that an EHR system, or other relevant technology, offers the necessary technological capability, functionality, and security to help them meet the meaningful use criteria established for a given phase. Providers and patients must also be confident that the electronic health IT products and systems they use are secure, can maintain data confidentially, and can work with other systems to share information. Confidence in health IT systems is an important part of advancing health IT system adoption and allowing for the realization of the benefits of improved patient care.
Eligible professionals and eligible hospitals who seek to qualify for incentive payments under the Medicare and Medicaid EHR Incentive Programs are required by statute to use Certified EHR Technology. Once certified, Complete EHRs and EHR Modules would be able to be used by eligible professionals and eligible hospitals, or be combined, to meet the statutory requirement for Certified EHR Technology.
As of February 22, 2010, HHS is expected to begin enforcing the new breach notification requirements created by the privacy and security provisions within the HITECH Act. Although such requirements went into effect last fall, HHS gave covered entities and business associates a few months to adapt to the new rules. That enforcement delay is now over, and, perhaps in a related move, on February 23, 2010, HHS's Office of Civil Rights, pursuant to the HITECH Act, posted a list of organizations which reported breaches of unsecured protected health information affecting 500 or more individuals on OCR's web site. This should serve as a good reminder to providers and HIT vendors alike to be keenly aware of the new regulations on breach notification.
The HITECH Act required a covered entity that “accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information” to notify each individual “whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed” due to the breach. Business associates who discover a breach must notify the covered entity.
By regulation published in the Federal Register on August 24, 2009, HHS added a rather controversial "harm threshold" to this requirement: covered entities and business associates are required to notify the affected individual, the HHS, and, in some cases, the media, if such breach poses a significant risk of harm to the individual. This "harm threshold" essentially requires the organization which discovers a breach to undergo a risk assessment test to determine whether a breach would cause "significant harm" to the affected person.Continue Reading...
Here are the slides from our February 25, 2010 Webinar on Meaningful Use. This webinar was first in a series, and focused on the critical definition of "meaningful use" of "certified EHR technology," as described in proposed regulations released and published by CMS pursuant to the HITECH Act on January 13, 2009. Steve and I discussed:
- Key policy goals and objectives behind meaningful use
- Measures required to achieve meaningful use
- Structure of incentive payments under Medicare and Medicaid
- Eligibility requirements for professionals and hospitals
Our next webinar, to be held on Thursday March 18, 2010, from 1:00 to 2:00 PM, will focus on how to negotiate software and EHR licensing agreements and other transactional issues with respect to dealing with health IT vendors.
For more information, please contact me at email@example.com or 202-661-6945.
Pursuant to the HITECH Act, on February 17, 2010, business associates of covered entities became subject to the HIPAA Privacy and Security Rules, including provisions regarding implementation of various safeguards to secure protected health information. As Steve Fox pointed out in a recent report on the subject by the Pittsburgh Business Journal, it is highly unlikely that most companies are ready to comply with these dramatic changes.
However, according to Hunton & Williams's privacy blog, Adam Greene of the HHS Office of Civil Rights (OCR) stated at an ABA conference on February 18, 2010, that OCR will delay enforcement of this provision of the HITECH Act until the relevant regulations are finalized. OCR itself did not publish a press release on the subject, and we were unable to reach Mr. Greene for comment.
Regardless of OCR's intent to enforce compliance, the business associate provisions in the HITECH Act went into effect last week. We would strongly encourage all covered entities and business associates to take all necessary actions to comply with the new law.
"Privacy policies over electronic health records expand reach," Pittsburgh Business Journal (February 19, 2010).
"HHS Delays Enforcement of HITECH Act Business Associate Provisions," Privacy & Information Security Law Blog (February 19, 2010).
On Thursday, February 25, 2010 from 1:00PM to 2:00PM (EST), Steve Fox and yours truly will host a free webinar, the first in a series, which will focus on the critical definition of "meaningful use" of "certified EHR technology," as described in proposed regulations released and published by CMS pursuant to the HITECH Act on January 13, 2009. We will discuss:
- Key policy goals and objectives behind meaningful use
- Measures required to achieve meaningful use
- Structure of incentive payments under Medicare and Medicaid
- Eligibility requirements for professionals and hospitals
You may view each of these presentations at your desk. There is no charge or limit to the number of people who may listen to each presentation on the same line. Click here to register. After registering, you will receive log-in information by e-mail.
Our next webinar, to be held on Thursday March 18, 2010, from 1:00 to 2:00 PM, will focus on how to negotiate software and EHR licensing agreements and other transactional issues with respect to dealing with health IT vendors.
For more information, please contact me at firstname.lastname@example.org or 202-661-6945.
Joy Pritts, a researcher and faculty member at Georgetown University's Health Policy Institute, was named as the first Chief Privacy Officer for the Office of National Coordinator for Health IT. This position was created pursuant to a provision in ARRA, last year's economic stimulus legislation.
In her new position, Ms. Pritts will advise Dr. Blumenthal on forming policies on privacy, security and data stewardship of electronic health information, as well as coordinate similar efforts on state, federal and international levels.
Ms. Pritts is a graduate of Oberlin College and Case Western Reserve University School of Law. She has testified before Congress on data privacy issues, and served as a member of Technical Advisory Panel for the multi-state Health Information Security and Privacy Collaborative (HISPC) and on the board of the National Governors Association’s State Alliance for e-Health.Continue Reading...
According to American Medical News (AMN), a new report by Manhattan Research states that online communications by physicians have increased by 14% since 2006. The survey of 1900 physicians found that 39% of physicians use online communication tools such as email, secure messaging, or instant messaging.
Dermatologists lead all other surveyed practices in the volume of online communications, which, according to Girish Munavalli, MD, assistant professor of dermatology at Johns Hopkins University School of Medicine, can be attributed to "a lot of triage calls and calls for clarification of instructions" which come from dermatologists' large patient volumes. "This is perfect for short e-mail communication and reminders," added Dr. Munavalli.
Dermatologists are followed by oncologists, neurologists, endocrinologists, infectious disease specialists, and primary care physicians.
Of course, certain obstacles remain. Some doctors abstain from using such technology because of liability worries, while many patients prefer in-person meetings because of concerns regarding privacy of their health information. Still, the report suggests that this increase may be due to the growing comfort level and acceptance of online communication between physicians and patients. And it may even indicate a larger trend of greater familiarity and use of other health-related technologies, such as EMRs and personal health records.Continue Reading...
HHS Secretary Kathleen Sebelius, appearing with Labor Secretary Hilda Solis, announced the Obama administration will release almost $1 billion set aside in the stimulus bill in order to aid implementation of health information technology.
Secretary Sebelius announced $386 million in grants to advance widespread adoption of EHRs at the state level, including for health information exchanges (HIEs). HHS also awarded $375 million to 32 nonprofits for Regional Extension Centers which assist providers in updating their medical record systems and train workers on such new technologies.
Secretary Solis announced around $225 million to support 55 job-training programs in 30 states which is expected to train around 15,000 people in the health records technology.
The Obama administration expects to help more than 100,000 health-care providers set up electronic medical records for their patients by 2014.Continue Reading...
Following up on his letter to health IT companies last fall, Senator Chuck Grassley (R-IA) sent a letter to 31 hospitals in the United States to inquire about each hospital's experience with purchasing and implementing health information technology. According to Healthcare IT News:
Grassley cites reports he’s heard about “difficulties and challenges associated with HIT implementation,” including “administrative complications,” “formatting and usability issues,” “computer errors stemming from the programs themselves,” and problems with “interoperability between programs.”
More specifically, he raises concerns that “when [providers] report such problems to their facilities and/or the product vendors, their concerns are sometimes ignored or dismissed.” Often, he writes, “this is attributed to alleged ‘gag orders’ or non-disclosure clauses in the HIT contract that prohibit health care providers and their facilities from sharing information outside of their facilities regarding product defects and other HIT product-related concerns."
You can find more about Sen. Grassley's letter to hospitals in his office's press release, which includes the full text of the letter.Continue Reading...
There is little doubt that the healthcare industry must prepare for a growing number of - and expanding costs associated with - data breaches, particularly for breaches of protected health information. Here are just a few notable reports on this subject:
- Infosecurity.com reported on a striking increase in attempts to hack into healthcare organizations, while the rate of hacking in other economic sectors remained flat: "the last quarter of  saw an average of 13 400 attempts to hack healthcare organizations, compared to an average of 6,500 in the first nine months." According to researchers at SecureWorks, which produced the graph above, healthcare organizations are particularly vulnerable to such attacks because they "have to provide access to many external networks and web applications so as to stay connected with their patients, employees, insurers and business partners. This increases their risk to cyber attacks."
- Cnet News reported on similar findings by the Ponemon Institute, whose survey concluded that "Data breaches at U.S. companies attributed to malicious attacks and botnets doubled from 2008 to 2009 and cost substantially more than breaches caused by human negligence or system glitches." The cost per compromised record involving a criminal act averaged $215, about 40% higher than breaches from negligence and 30% higher than those from glitches, the Ponemon survey found.
Ingenix, the technology unit of United Health Group, and Allscripts-Misys Healthcare Solutions joined Siemens, GE Healthcare and IBM in offering financing for purchasers of electronic medical record technology. This continues the trend of vendors offering interest-free financing until healthcare providers receive the "meaningful use" incentive payments or reimbursements under the HITECH Act.
While such offers may provide a solution to some of the credit and financing woes facing the healthcare industry, healthcare providers should be acutely aware of the many potential pitfalls and related issues inherent in vendor-financed deals, including: (1) additional pressure from vendors to accept their standard contractual terms and conditions, rather than engaging in full-blown contract negotiations, because vendors have much more leverage if they are also the creditor in the transaction; (2) failing to obtain necessary warranties and representations from vendors that their systems will comply with all relevant requirements under ARRA and the HITECH Act and will permit the provider to achieve meaningful use; (3) dealing with problems that may arise if either the vendor’s product fails to achieve applicable certification (e.g., CCHIT), is not “accepted” by the provider after completion of acceptance testing or the product does not enable the provider to achieve “meaningful use” in a timely manner, as well as a host of other issues.
Steve Fox and yours truly explore the issues around vendor financing of EHR system purchases in the latest issue of the Journal of Health Information Management, where we suggest recommended courses of action for healthcare providers considering acquiring HIT systems, including EMRs, by using vendor financing options. A complimentary PDF copy of the article is available here.
- According to LA Weekly, Huping Zhou, a former employee at the UCLA Healthcare System, pleaded guilty to federal charges of breaches of patient privacy. Zhou, 48, accessed the UCLA patient records system 323 times during the three-week period, mostly looking for the files of celebrities, after being let go by the hospital. Names of targeted celebrities have not been revealed. This case follows a similar breach at UCLA Medical Center, when Lawanda Jackson, a former nurse at the Center, plead guilty to wrongfully accessing information of Britney Spears and Farrah Fawcett.
- Delaware Online reports about a new unfortunate trend in medical identity theft -- searching for copies of discarded prescriptions: "In the latest crime trend to hit Delaware, police are reporting that people looking for drugs such as Oxycontin and Vicodin are stalking customers who throw away prescription bags containing paperwork with details about their pills and themselves. They use the personal information to call in prescriptions and charge them to the victims' insurance. Then they turn around and sell the drugs." According to Bruce DiVincenzo, chief agent of Delaware's Office of Narcotics and Dangerous Drugs:
They're making their own scripts by ordering paper from the Internet," he said. "It's the patient's name that they want, because that person is actively listed as a customer of the pharmacy and will not raise suspicion."
Pharmacies like CVS and Happy Harry's (a subsidiary of Walgreens) take certain precautions to prevent such identity theft, including checking ID's before filling prescriptions and reminding customers to be careful with their receipts and copies of prescriptions.Continue Reading...
CMS released a proposed rule pursuant to the HITECH Act which includes the much-anticipated definition of Meaningful Use of Certified EHR technology. You can find the full text here.*
HHS has also released an interim final rule with a request for comments to adopt an initial set of standards, implementation specifications, and certification criteria, as required by section 3004(b)(1) of the Public Health Service Act. This interim final rule represents the first step in an incremental approach to adopting standards, implementation specifications, and certification criteria to enhance the interoperability, functionality, utility, and security of health information technology and to support its meaningful use. The certification criteria adopted in this initial set establish the capabilities and related standards that certified electronic health record (EHR) technology will need to include in order to, at a minimum, support the achievement of the proposed meaningful use Stage 1 (beginning in 2011) by eligible professionals and eligible hospitals under the Medicare and Medicaid EHR Incentive Programs. You can find this interim rule here.*
Today the Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator for Health Information Technology (ONC) will announce two regulations that lay a foundation for improving quality, efficiency, and safety through meaningful use of electronic health record (EHR) technology.
The regulations will help implement the EHR incentive programs enacted under the Health Information Technology for Clinical and Economic Health (HITECH) Act, which was part of the American Recovery and Reinvestment Act of 2009. Public comments on both regulations are encouraged.
Join today’s call; details are listed below:
--David Blumenthal, MD, MPP, national coordinator for health information technology
--Jonathan Blum, director, Center for Medicare Management
--Cindy Mann, director, Center for Medicaid and State Operations
Briefing for HITECH Partners and Stakeholders – Providers, HIT Industry Organizations
Today, Wednesday, Dec. 30, 2009, 5:15 p.m. – 6:00 p.m. Eastern Time
Toll-Free Dial: (800) 837-1935
Conference ID: 49047605
Pass Code: HITECH
Stay tuned for more updates and information on the HIMSS Meaningful Use Web site at http://bit.ly/5IdkDe . HIMSS will be posting a statement tomorrow.
On the eve of HHS releasing the much-anticipated definition of "meaningful use," health IT divisions of GE and Siemens revealed new financing options for purchases of their EMR and other HIT products.
On December 16, 2009, Siemens followed IBM and GE in offering "a series of flexible financing solutions to help healthcare providers pursue meaningful use objectives and meet [HITECH Act] deadlines <...> Featuring zero-percent interest terms for qualified customers, the solutions enable organizations to defer up-front payments associated with their technology investment while meeting criteria for future government incentive monies."
According to Fierce Healthcare:
To provide the greatest possible range of choices for customers, Siemens offers solutions from Siemens Financial Services, Inc. as well as from selected partners, including IBM Global Financing and 3-D Financial Services. These options allow customers to choose a customized financing solution that matches their individual technology acquisition roadmaps, business strategies, financial profiles, and technology needs. <...>
By bridging the gap between the project implementation and the receipt of ARRA incentive, Siemens will be providing its customers an option which allows them to optimize their cash flow while maximizing return on investment.
Via Healthcare IT News:
The Certification Commission for Health Information Technology has certified 14 electronic health record products that pass muster for provider use under the American Recovery and Reinvestment Act of 2009 (ARRA).
"We believe it will be a challenge for providers who have not yet begun to evaluate products to purchase and implement EHR technology and achieve meaningful use in time for the 2011-2012 incentives," said Alisa Ray, the CCHIT's executive director. "We have received more than 30 applications for our 2011 certification programs – more than half of which are for the comprehensive program – and are announcing new certifications regularly so providers can begin to consider EHR technology that demonstrates compliance with the proposed federal standards."
According to Ray, the Preliminary ARRA 2011 program is a modular, limited certification and inspects technology only against the federal standards. It offers flexibility for health IT companies, developers and providers in meeting ARRA 2011-2012 certification requirements.
The Office of National Coordinator for Health IT named 17 members of the newly formed privacy and security workgroup of the HIT Policy Committee. According to Government Health IT:
The work group will be co-chaired by Deven McGraw, director of the Health Privacy Project at the Center for Democracy and Technology, and Rachel Block, executive director of the New York eHealth Collaborative and deputy commissioner for health IT transformation at the New York State Department of Health.
Their team will advise the Policy Committee on such matters as how safeguards for the exchange of health information should fit into the “meaningful use” test for health IT incentives that ONC has been working on.
The ONC has previously announced the establishment of a separate workgroup devoted to creation of a national health information network, which, of course, will have to deal with its own set of privacy and security concerns. There is also a privacy and security workgroup under the HIT Standards Committee.Continue Reading...
In a letter to Dr. Blumenthal, the Medical Group Management Association (MGMA) urged the ONC to define "meaningful use" in a practical and achievable way. Otherwise, many providers could fail to qualify for the HITECH Act's incentives. The MGMA is recommending, inter alia, instituting a pilot test prior to the start of the program and before each new phase of the program; including only criteria for meaningful use that have widespread industry use or have been tested; permitting physicians to test their reporting systems prior to their “go-live” date; permitting flexibility in achieving meaningful use and avoiding a “pass/fail” approach; developing a simple process for physicians to attest that they have achieved meaningful use; simplifying the data-reporting process and ensuring that the government is ready to accept the data; closely monitoring the industry to ensure that the program logistics operate appropriately; and ensuring government oversight of the vendor community for its ability to produce high-quality and reasonably priced software.
- A former Johns Hopkins hospital employee, Michelle Johnson, was sentenced to 18 months in prison and ordered to pay $200,000 in restitution for stealing patient information. According to the Associated Press, Ms. Johnson, formerly a patient services coordinator, "provided a conspirator with names, Social Security numbers and other identifying information of more than 100 current and former patients of Johns Hopkins. That information was used to apply for credit. Johnson kept some of the fraudulently ordered merchandise for herself, including a computer monitor, a cordless phone, and clothes for herself and her children."
The New York Times reported on a new study led by Dr. Ashish Jha of the Harvard School of Public Health and Catherine M. DesRoches of Massachusetts General Hospital which found only marginal benefits to hospitals using electronic health records in terms of reducing costs and improving the quality of care.
The new study placed hospitals into three groups: those with full-featured electronic health records, those with more basic ones, and those without computerized records. It then looked at their performance on federally approved quality measures in the care of conditions like congestive heart failure and pneumonia, and in surgical infection prevention.
In the heart failure category, for example, the hospitals with advanced electronic records met best-practice standards 87.8 percent of the time; those with basic computer records, 86.7 percent; and those without, 85.9 percent. The differences in other categories were similarly slender.
Reducing the length of hospital stays, according to many experts, should be a big money-saving payoff from electronic health records — as better care aided by technology translates into less time spent in hospitals. For hospitals with full-featured digital records, the average length of stay was 5.5 days; for those with basic computer records, 5.7 days; and those without, 5.7 days.
The upside, if any? Dr. Karen Bell, a former HHS official, was not surprised by the findings and hopes that the real benefits will be achieved after use of EMRs is much more widespread:
'There will be no clear answers on the overall payoff from the wider use of electronic health records until we get further along, five years or more, said Dr. Bell, [now a] senior vice president for health information technology services at Masspro, a nonprofit group. “But that doesn’t mean we shouldn’t go forward.'
"Little Benefit Seen, So Far, in Electronic Patient Records," New York Times (November 16, 2009).
Our collaborator and friend James Oakes, a Principal at Health Care Information Consultants, LLC in Baltimore, Md., authored a wise and timely call for action for healthcare providers hoping to capitalize on the incentive payments for meaningful use of certified EHR technology included in the HITECH Act.
The article, appearing in BNA's Health IT Law & Industry Report, argues that even though the HHS has yet to produce final regulations defining such key HITECH Act terms as "meaningful use" and "certified EHR technology," healthcare providers should not wait any longer to begin planning for the transition from paper to digital records, or the likely required updates to existing EHR systems:
Given the uncertainty surrounding these issues, a number of providers have elected to delay any action towards selecting and implementing an electronic health record (EHR) for their institution until answers are made available, reasoning that they want to know as much as possible before committing to a direction. However, providers who take this path may put themselves at risk for forfeiting eligibility for ARRA funds at all, given the time to execute and implement systems.
Pursuant to the HITECH Act, the Department of Health and Human Services (HHS) released interim final regulations updating enforcement rules for violations of HIPAA. As reported in Healthcare IT News:
Prior to the HITECH Act, the penalty could be no more than $100 for each violation or $25,000 for all identical violations of the same provision.
A healthcare provider, health plan or clearinghouse could also bar the secretary's imposition of a civil money penalty by demonstrating that it did not know that it violated the HIPAA rules.
Section 13410(d) of the HITECH Act strengthened the enforcement by establishing tiered ranges of increasing minimum penalty amounts, with a maximum penalty of $1.5 million for all violations of an identical provision. A covered entity can no longer bar the imposition of a civil money penalty for an unknown violation unless it corrects the violation within 30 days of discovery.
The interim final rule with request for comments, published last week, conforms the HIPAA enforcement regulations to the revisions made by the HITECH Act. This rule will become effective on Nov. 30. HHS will consider all comments received by Dec. 29.
You can find the full text of the rule is here.
"HIPAA violators could face fines up to $1.5M," Healthcare IT News (November 2, 2009).
According to the Wall Street Journal's Health Blog:
In letters sent earlier this month to 10 companies, [Senator Chuck] Grassley says that he’s “received complaints” about systems that allow doctors to enter medical orders by computer. (Here’s a copy of the letter.) This is a big deal these days because the stimulus bill provides billions of dollars in federal incentives to encourage doctors and hospitals to start using these sorts of systems.
Grassley asks the companies to send him copies of “complaints and/or concerns” that health-care providers have expressed about the systems. He wants to know whether the companies typically include legal provisions in their contracts that “shift responsibility for errors in the … systems to physicians, nurses, pharmacists, and other health care providers.”
And he cites reports that contracts sometimes “include ‘gag orders,’ which prohibit health care providers from disclosing system flaws and software defects.” He asks the companies how many settlement agreements they’ve executed in the last 18 months.
So far, representatives of Cerner, McKesson and Allscripts indicated that they plan to cooperate with Sen. Grassley's request.
You can find more information on Grassley's letters via the Washington Post, here.
You can see a copy of Grassley's letter to 3M here.
"Chuck Grassley Has a Few Questions for the Health IT Industry," Health Blog (October 26, 2009).
"Electronic medical records not seen as a cure-all," Washington Post (October 25, 2009).
David Pogue, a reporter for the New York Times, posted the transcript of his interview with Dr. David Blumenthal, National Coordinator for Health IT. Mr. Pogue interviewed Dr. Blumenthal for a CBS news report on digitization of healthcare in America (the video is available after the jump).
Here are some highlights from the interview:
On current state of health IT in the US:
We found that about 17 percent of physicians in 2008 had adopted an electronic health record, and about ten percent of hospitals. <...> The rest is paper. It's basically the same system that physicians have used since Hippocrates, which is writing on some piece of paper.
On reimbursement penalties for those failing to achieve meaningful use by 2015:
From 2011 to 2015, there is a bonus. The Congress has put $45 billion on the table to ease physicians and hospitals into this new world of computerized medicine.After 2015, if you have not adopted, and you see Medicare or Medicaid patients, you may experience a penalty. 2015 is six years off. Six years is plenty of time for physicians to get themselves organized to put a record in place and avoid those penalties.
Dr. David Blumenthal, the National Coordinator for Health IT, gave an update on the Obama Administration's efforts to define "meaningful use" and to further adoption of EHRs nationwide. Blumenthal did not reveal any new details regarding the upcoming regulations on meaningful use, reminding his audience of the upcoming "notice of proposed rulemaking in late 2009 with a public comment period in early 2010."
Meanwhile, according to Government HealthIT, the next meeting of the HIT Policy Committee, which will meet on October 27 and 28, will focus on how to map meaningful use objectives to medical specialties as well as small practices and hospitals.
Speaking at the 81st annual American Health Information Management Association convention in Grapevine, Texas, Dr. Blumenthal stated that he expects 50,000 health information management (HIM) jobs to be created as the U.S. moves from the paper-based to the digital system of healthcare. AHIMA's CEO, Linda Kloss, noted that the interest in HIM careers has "exploded" during the last year.
Much more news after the jump.
According to Modern Healthcare, several HIT vendors, including GE Healthcare, NextGen Healthcare Information Systems, and Athenahealth, will guarantee that their EHR products will meet or "evolve to meet" the federal requirements for "meaningful use," even though such requirements have not been promulgated yet by CMS. In fact,
Athenahealth recently upped the ante by guaranteeing that, not only will the company's AthenaClinicals Internet-based electronic health-record service meet federal standards, but the doctors who use it will receive a bonus payment for the 2011 program year under the terms of the [HITECH Act].
The HITECH Act provides for a first-year incentive payment of $18,000 for those eligible professionals who achieve meaningful use of certified EHR technology in 2011 or 2012, instead of a first-year payment of $15,000 thereafter.
Some vendors hope that such guarantees will spur activity in the market, persuading some reluctant healthcare providers not to wait until CMS issues its final "meaningful use" regulations next year. There is also some doubt whether such guarantees apply to each vendor's existing customers or solely to new customers.
However, whenever a healthcare organization enters into an EMR purchase or license agreement, it must obtain strong warranties from the vendor that its product(s) and system will meet the applicable federal requirement standards at time of issuance of such standards, as well as for duration of the applicable license. "Meaningful use" requirements will likely change over the life of a license, and a vendor's obligation to meet such evolving standards is absolutely essential. Healthcare providers must also include proper remedies and appropriate carve-outs from vendor's limitation of liability for a vendor's breach of such warranties.Continue Reading...
The New York Times reported last week that the North Shore-Long Island Jewish Health System (North Shore) will offer its 7,000 affiliated (though not employed by North Shore) physicians subsidies for implementing electronic health records. Interestingly, this subsidy does not include or prevent such physicians from qualifying for the approximately $44,000 in Medicare incentive payments under ARRA.
North Shore plans to subsidize 50% of the total cost of the EMR system (which uses Dell hardware and Allscripts software) for practices "who simply install electronic health records that can communicate between the doctor's office, labs and hospitals." However, the health system will subsidize 85% of the total cost of the EMR -- a figure driven, no doubt, by the exceptions to the Stark and Anti-Kickback laws -- for physicians willing to share some of their patient data.
North Shore is counting on the availability of shared data to reduce the cost of care through reduction of unnecessary tests and medical mistakes. A recent PriceWaterhouseCoopers (PWC) survey may support North Shore's reasoning. The survey found broad agreement among healthcare executives with respect to secondary uses of EMR patient data. Among other findings (discussed after the jump), the PWC survey found that 42% of organizations already using some form of secondary data use achieved cost savings, 29% increased their revenue, and 59% saw improvements in quality of care.Continue Reading...
HHS Secretary Kathleen Sebelius announced almost $28 million in grants for more than twenty health centers to implement or improve their electronic health records technology. This funding is allotted from the $2 billion set aside for Health Resources and Services Administration (HRSA) health centers in the ARRA. HRSA health centers provide medical services for the uninsured and low-income individuals.
According to the HHS press release:
Eighteen grants totaling more than $22.6 million will support EHR implementation. Grants totaling more than $2.6 million will help four grantees implement a variety of HIT innovations, including the creation of health information exchanges among different providers and the incorporation of HIT at dental delivery sites. Another five grants totaling over $2.5 million will help health centers devise plans to use existing EHRs to improve patient health outcomes.
HRSA received $2 billion through the Recovery Act to expand health care services to low-income and uninsured individuals through its health center program. To date, more than $1.3 billion of these funds have been awarded to community-based organizations across the country. HRSA-supported health centers treated 17 million patients in 2008, 40 percent of whom have no health insurance.
You can find the full list of recipients here.
"Secretary Sebelius Releases $27.8 Million in Recovery Act Funds to Expand the Use of Health Information Technology," HHS Press Release (September 29, 2009).
"HHS releases $28M in ARRA funding to accelerate health IT," Healthcare IT News (September 30, 2009).
The last few weeks saw a tremendous amount of activity in the health IT market. Dell and Xerox were among the companies trying to capitalize on opportunities created by the ARRA incentives and certain market trends, including high demand for HIT products due to the ongoing digitization of the industry and, more generally, the expanding healthcare needs of an aging population in the United States.
Dell is quickly establishing itself as a major player in health IT. In April 2009, Dell aligned itself with Wal-Mart and eClinical Works to supply hardware for Wal-Mart's new EHR system. Last month, Dell rolled out its own EHR system aimed at physicians affiliated with hospital practices, with Tufts Medical Center and Memorial Hermann Health Care System among the early adopters.
Even more significantly, on September 21, 2009, Dell announced its plans to acquire the health IT vendor Perot Systems Corp. for $3.9 billion. Perot is a major player in the healthcare industry: about half of Perot's $2.8 billion in annual revenue comes from the healthcare market; and as much as half of the hospitals that outsource their IT are Perot clients. Perot runs over 3,000 healthcare applications for its clients, though the company does not have a preferred provider arrangement with a specific application vendor.
On September 15, 2009, the HIT Standards Committee endorsed a set of privacy and security standards for electronic health record systems.
These standards will be recommended to Dr. David Blumenthal, the National Coordinator for Health Information Technology, as a basis for establishing the privacy and security criteria for, inter alia, "certified EHR technology" as defined under the HITECH Act. Eligible healthcare providers must meet the criteria for "meaningful use" of "certified EHR technology" in order to qualify for significant incentives available under the HITECH Act.
The committee’s Privacy and Security Workgroup included access control, authentication, authorization and transmission of health data among the requirements that electronic health record systems must include by 2011 in order to meet the definition of "certified EHR technology." Specifically for 2011, the Standards Committee approved the Workgroup's recommendation to require certified products to provide the capabilities necessary to support the HIPAA and ARRA security and privacy requirements and best practices for “meaningful use.” The endorsed privacy and security standards will become more rigorous in 2013 and 2015.
You can find the spreadsheet of endorsed privacy and security standards here.
You can also view the presentation from the Workgroup here.
"Federal panel okays EHR security, privacy standards," Government Health IT (September 15, 2009).
While the ONCHIT Advisory Committees continue to work on defining "meaningful use," the Certification Commission for Health Information Technology (CCHIT) plans to launch a new certification program for electronic health records systems based on the new requirements for such systems to qualify for incentive payments under the American Recovery and Reinvestment Act of 2009 (ARRA).
On October 7, 2009, CCHIT will "offer a modular certification program called Preliminary ARRA 2011 that is limited to the standards for qualifying EHR technology under the American Recovery and Reinvestment Act (ARRA)."
More from the CCHIT press release:
The Commission has followed and analyzed the emerging recommendations of the health information technology advisory committees to the Office of the National Coordinator (ONC), and believes there is sufficient information to offer the preliminary ARRA certification now.
HHS criteria and standards are expected to be published by the end of 2009. Final rules on Meaningful Use are expected later in the Spring of 2010. If that process results in the introduction of new requirements, the Commission will offer vendors with preliminary certifications an incremental inspection at no additional fee to bring their certifications into alignment with the final rules. The Commission’s certification materials including criteria, test scripts and certification policies for both programs will be published at http://cchit.org on September 24. Applications for certification will open online on October 7.
"Certification Commission Launching 2011 Certification Programs In October," CCHIT press release (September 8, 2009).
"Federal committees to continue work on meaningful use," Healthcare IT News (September 11, 2009).
Via HHS e-mail update:
The Office of the National Coordinator for Health Information Technology (ONC) is pleased to announce the availability of materials that are of immediate interest and use to stakeholders and potential applicants for the Health Information Technology Extension Program: Regional Centers Cooperative Agreement Program, and that are new or updated since the August 27, 2009 technical assistance telephone and web conference.
REVISED – Preliminary Application Template (Attachment I to the Funding Opportunity Announcement): As discussed on the August 27th technical assistance public conference, the suggested template for applicants’ use in compiling and presenting the information required for the Preliminary Application has been updated to include the complete requirements established in the funding opportunity announcement and is now available from www.grants.gov and the Extension Program section of ONC’s website at http://healthit.hhs.gov/extensionprogram.
NEW – A complete transcript of the August 27th technical assistance conference is available for download from the Extension Program section of ONC’s website. Please visit http://healthit.hhs.gov/extensionprogram to access detailed information about the conference, including the transcript and the presentation slides used during the call.
NEW/REVISED – Program-specific Frequently Asked Questions (FAQs) are now available on the Extension Program section of ONC’s website. New FAQs are posted frequently, so potential applicants and other interested parties are encouraged to visit often. Please visit http://healthit.hhs.gov/extensionprogram then scroll down and click on “Frequently Asked Questions”.
"Health Information Technology Extension Program: Regional Centers Cooperative Agreement Program Update," HHS e-mail update (September 3, 2009).
On August 19, 2009, pursuant to the HITECH Act, the Department of Health and Human Services (HHS) published the interim final regulations regarding breach notification requirements for health care providers and other entities covered by HIPAA.
According to the HHS press release:
The regulations, developed by the HHS Office for Civil Rights (OCR), require health care providers and other HIPAA covered entities to promptly notify affected individuals of a breach, as well as the HHS Secretary and the media in cases where a breach affects more than 500 individuals. Breaches affecting fewer than 500 individuals will be reported to the HHS Secretary on an annual basis. The regulations also require business associates of covered entities to notify the covered entity of breaches at or by the business associate.
You can find the text of the regulation here.
Stay tuned for more analysis of this important set of regulations on this blog. The interim final regulations are effective 30 days after publication in the Federal Register and include a 60-day public comment period.Continue Reading...
Via Government Health IT:
The federal Health IT Policy Committee today endorsed recommendations that would leave the Certification Commission for Health IT in the short term as the sole organization authorized to certify health IT systems that qualified for funding under the economic stimulus plan. More certifying organizations would be added later.
Certification of electronic health record systems that met federal criteria for “meaningful use” of health IT could start as early as October, members of the Department of Health and Human Services’ Health IT Policy Committee said at the August 14th meeting.
Under the plan, CCHIT would provide a preliminary stamp of approval that health IT systems were HHS-qualified or certified until a final meaningful use regulation is published at the end of the year, said Marc Probst, chief information office of Intermountain Healthcare and co-chairman of the Committee’s certification work group.
Preliminary certification is meant to give providers and vendors enough certainty to proceed with planning, designing and purchasing systems in 2010. The HHS certification-qualification would mean that a provider purchasing the systems would be eligible for Medicare and Medicaid incentive payments under the stimulus law beginning in 2011.
"CCHIT will be sole health IT certifier, for now," Government Health IT (August 14, 2009).
Pursuant to the American Recovery and Reinvestment Act of 2009 (ARRA), the Federal Trade Commission (FTC) issued the final rule regarding notification requirements for breaches of electronic health information by vendors of personal health records and certain affiliated entities:
The rule applies to both vendors of personal health records – which provide online repositories that people can use to keep track of their health information – and entities that offer third-party applications for personal health records. These applications could include, for example, devices such as blood pressure cuffs or pedometers whose readings consumers can upload into their personal health records. Consumers may benefit by using these innovations, but only if they are confident that their health information is secure and confidential.
The Final Rule requires vendors of personal health records and related entities to notify consumers following a breach involving unsecured information. In addition, if a service provider to one of these entities has a breach, it must notify the entity, which in turn must notify consumers. The Final Rule also specifies the timing, method, and content of notification, and in the case of certain breaches involving 500 or more people, requires notice to the media. Entities covered by the rule must notify the FTC, and they may use a standard form, which can be found along with additional information about the rule at www.ftc.gov/healthbreach.
You can find the full text of the rule here.
"FTC Issues Final Breach Notification Rule for Electronic Health Information," FTC Press Release (August 17, 2009).
The State of Maryland awarded $10 million to support the Chesapeake Regional Information System for our Patients (CRISP), a newly created health information technology exchange organization. Some of the biggest players in Maryland's health care industry, including Johns Hopkins, MedStar and the University of Maryland Medical System are going to participate in CRISP.
According to the Baltimore Business Journal:
Funding will come from the hospitals that will receive a slight increase in the prices they can charge patients and federal stimulus money.
The news comes as health care officials and lawmakers champion electronic medical records as a way of reducing health care costs. They argue that electronic medical records will reduce costs by hopefully eliminating unnecessary tests and reducing errors by allowing doctors to quickly access patients’ medical records.
State health insurers plan to provide incentives to hospitals, which include a lump sum payment or increased reimbursement, to adopt electronic health records.
"Maryland awards $10M for health IT exchange," Baltimore Business Journal (August 5, 2009).
The New York Times reported on Americans' growing concern regarding commercial use of their personal health information, especially the use of re-identified prescription drugs information for marketing purposes.
The article points out correctly that the Recovery Act of 2009 (ARRA) included a few key changes to the present privacy regime, which would make it more difficult for pharmacies and data mining companies to use patient information for marketing or fundraising purposes. While the new law (and the upcoming applicable HHS regulations sanctioned by ARRA) will close a few loopholes in the current medical privacy regime, data mining companies like IMS Health and Verispan do not seem to be overly worried about these new developments:
The law won’t shut down the medical data mining industry, but there will be more restrictions on using private information without patients’ consent and penalties for civil violations will be increased. Government agencies are still writing new regulations called for in the law. <...>
IMS Health reported operating revenue of $1.05 billion in the first half of 2009, down 10.6 percent from the period a year earlier. [An IMS representative] said he did not expect growing awareness of privacy issues to affect the business.
HHS Secretary Kathleen Sebelius has delegated the responsibility for administration and enforcement of the HIPAA Security Rule to the Office of Civil Rights, a division of HHS. Previously, Centers for Medicare and Medicaid Services (CMS), another HHS division, was responsible for Security Rule administration, while OCR was tasked with administering and enforcing the HIPAA Privacy Rule. Effective immediately, OCR is responsible for administering both Security Rule and Privacy Rule, as well as all HIT privacy and security related provisions in the HITECH Act.
According to HHS, this move "will eliminate duplication and increase efficiencies in how the department ensures that Americans’ health information privacy is protected." This transfer of authority is not meant to create any disruption of current procedures. Consumers may continue to submit HIPAA security complaints using the on-line resource – the Administrative Simplification Enforcement Tool (ASET) -- which can be accessed here. New security complaints may also be sent to the Office for Civil Rights.
You can find the Federal Register notice here.
"HHS Delegates Authority for the HIPAA Security Rule to Office for Civil Rights," HHS Press Release (August 3, 2009).
eHealth Initiative, an affiliation of organizations devoted to improving the quality, safety and efficiency of healthcare through information technology, released its 2009 survey on Health Information Exchange (HIE), titled "Migrating Toward Meaningful Use: The State of Health Information Exchange."
The survey found many positive trends in the expansion of HIE's in the United States, including:
- the number of operational HIE initiatives (e.g., exchanges transmitting live data among stakeholders) has increased by nearly 40% since 2008;
- positive impact on physician practices by improving efficiency without disrupting care (e.g., quicker access to test results, reduced staff time spent searching for results and performing other administrative functions);
- reduction in costs associated with, inter alia, reduced staff time spent on searching for test results and performing other clerical functions, as well as reduction in duplicate tests and medical errors; and
- steadily growing number of initiatives are exchanging data, with almost universal increases in the type of data exchanged.
The survey also found that "initiatives identified 'addressing privacy and confidentiality issues' as the most pressing challenge they face, surpassing 'developing a sustainable business model'."
eHealth Initiative's press release, which includes a more detailed summary of the survey, can be found here.
"Migrating Toward Meaningful Use: The State of Health Information Exchange," eHealth Initiative Study (July 22, 2009).
By 2011, at least 10 percent of all orders processed in a hospital must be entered through CPOE to qualify that institution for CMS incentives under the HITECH Act, according to a proposed matrix of meaningful use released today by ONC’s HIT Policy Committee.
Other 2011 hospital requirement are:
- implementation of drug-drug, drug-allergy, and drug-formulary checks
- maintenance of up-to-date problem lists of current and active diagnoses based on ICD-9 or SNOMED
- incorporation of lab-test results into EHR as structured data
- reporting of hospital quality measures to CMS
- implementation of one clinical decision rule related to a high-priority hospital condition
- providing of patients with an e-copy of their health information
- capability to exchange key clinical information (eg. discharge summary, procedures, problem lists, medication lists, allergies, test results) among providers of care
In another major development, the committee recommended that incentives be paid according to an ‘adoption year’ timeframe rather than a calendar year timeframe. “Under this scenario, qualifying for the first-year incentive payment would be assessed using the 2011 Measures. The payment rate and phaseout of payments would follow the calendar dates in the statute, but qualifying for incentives would use the ‘adoption-year’ approach,” the committee stated.
Here is the link to the matrix.
Stay tuned for more on meaningful use definition.
On June 16, 2009, the Workgroup on Meaningful Use presented its findings to the HIT Policy Committee. The findings include two parts: the preamble and the matrix. The matrix consists of goals to be achieved by 2011, 2013, and 2015, and the metrics for such goals to evaluate hospital and clinician progress in meeting them.
We will have much more analysis on this preliminary definition later, so stay tuned for our updates. Meanwhile, our favorite "geek doctor" John Halamka stated the following on his blog:
Now that the initial definition of meaningful use is available, the HIT Standards Committee workgroups and HITSP will work through the month of July to ensure the matrix is populated with the most up to date standards and implementation guide detail.
Hospitals and Clinician offices now know what is expected for 2011, so the time is now to begin your software implementations.
"Meaningful Use has Arrived", Life as a Healthcare CIO (June 16, 2009).
Healthcare IT News reports that a new study projects that the market for electronic health records related equipment and software will reach $1.6 billion in 2013, which is almost three times more than last year's value. EHR market was estimated at $575 million in 2008. ARRA is, of course, the main reason for such a steady rise in market value:
Driven by the growing use of EMRs in hospitals and physician offices, this segment of the patient monitoring market will grow 23.3 percent annually through 2013, notes the report, "High-Tech Patient Monitoring Systems Markets (Remote and Wireless Systems, Data Processing, EMR Data Transfer)."
Increased use of EMRs and high-tech patient monitoring systems is a key piece of President Barack Obama's plan to fix the ailing healthcare system, the report notes, because they have the potential to improve patient outcomes and satisfaction, provide cost savings and more efficient use of healthcare resources and reduce hospitalizations.
Full article here.
"Market for EMRs pegged at $1.6 billion by 2013", Healthcare IT News (June 4, 2009).
The National Committee on Vital and Health Statistics (NCVHS) held a public meeting on April 28-29, 2009 in Washington, DC to help define and clarify the term “meaningful use” with respect to such term's use under the HITECH Act.
NCVHS provided a summary report of "the themes elaborated upon by the over 100 stakeholders who provided oral and written testimony" during the hearing. The report is merely a digest of testimony, and does not include commentary or recommendations from NCVHS.
You can find the full report here.
On May 15, 2009, the U.S. Department of Health and Human Services (HHS) released Recovery Act implementation plans:
HHS is moving quickly and carefully to award Recovery Act funds in an open and transparent manner that will achieve the objectives of each ARRA program. Implementation plans provide detailed information regarding the goals, funding, contracts competition, contract type, and accountability mechanisms.
HHS and the Office of National Coordinator for Health IT (ONC) released two such implementation plans aimed specifically at accelerating the adoption of health information technology pursuant to the HITECH Act: the Recovery Act Implementation Plan for Medicare and Medicaid incentives, and the accompanying Implementation Plan from the ONC.
The Washington Post provides an interesting behind-the-scenes account of how the funds for electronic health records adoption were included into the American Recovery and Reinvestment Act of 2009, commonly known as the stimulus bill. Health Information and Management System Society (HIMSS) played a crucial role in this lobbying effort. According to the Post:
[HIMSS] had worked closely with technology vendors, researchers and other allies in a sophisticated, decade-long campaign to shape public opinion and win over Washington's political machinery.
You can read the whole article here.
Steve Fox was interviewed in this month's Cover Story "The Big Push", in For the Record, a biweekly magazine for health information management professionals, regarding the incentives and challenges of EHR adoption. On incentives included in the HITECH Act, Steve argued that:
“it’s almost crazy not to adopt EHRs because we’re talking about a significant amount of money ... From my discussions with hospitals and other physicians, the consensus seems to be that leaving that large sum on the table would just be foolish. Some hospitals I’ve spoken with are anticipating this will bring in millions.”
Steve also identified interoperability as a crucial goal for EHR systems:
“Trying to encourage not just adoption of EHRs but having them all interconnected is definitely the next step and perhaps even the definition of success in the end ... Hospitals need to be connected with one another or the EHRs are not being used to their full potential. Take Philadelphia, for instance. There are a lot of hospitals there but almost no connectivity among them. If a patient has his records at one hospital but gets taken to a different hospital, there’s no way to access his records, even if they do have an EHR in place.”
You can read the full article here.
- The Federal Trade Commission (FTC) issued interim regulations regarding breach notification requirements for PHR vendors, as mandated by the American Recovery and Reinvestment Act of 2009. According to the FTC press release, aside from breach notification, the proposed rule also:
stipulates that if a service provider to one of these [PHR vendor] entities experiences a breach, it must notify the entity, which in turn must notify consumers of the breach. The proposed rule contains additional requirements governing the standard for what triggers the notice, as well as the timing, method, and content of notice. It also requires entities covered by the proposed rule to notify the FTC of any breaches. The FTC can then post information about the breaches on its Web site, and notify the Secretary of Health and Human Services.
The full notice can be found here.
- Mayo Clinic, in collaboration with Microsoft, launched its new personal health record (PHR) site on Tuesday April 21, 2009. The Mayo Clinic Health Manager uses Microsoft's HealthVault system to store medical histories, test results, immunization files and other records from doctors' offices and hospital visits, along with data from home devices like heart rate monitors. Anyone, not just Mayo Clinic patients, can open an account online; users can grant limited access to doctors, family members, and others to view the information contained in their PHR. It would be very interesting to learn if the Mayo Clinic required Microsoft to sign a Business Associate Agreement, or if Microsoft would publicly acknowledge that their PHR product is subject to certain privacy and security rules under HIPAA. ("Mayo Clinic backs new personal health record site", USA Today, April 21, 2009.)
Bob Brewin of NextGov interviewed Steve Fox regarding the new privacy rules for vendors of personal health records (PHRs), and the applicability of such rules not only to PHR vendors such as Google and Microsoft, but also to the less obvious "related entities", a group so broad it may include an iPhone app:
Steven Fox, a lawyer with Post & Schell in Washington who co-chairs the firm's data protection group, agreed that the rules cover Google and Microsoft but said he wished FTC had specifically identified the two companies in the proposed rules.
The rules cover about 200 vendors of personal health record systems and 500 "related entities, which include online medication or weight tracking programs, and 200 third-party providers that offer billing and data services.
The related entities category could include low-cost iPhone applications that would have to comply with the potentially costly breach notification process, Dixon said. An online guide lists "100 Fabulous iPhone Apps for Your Health and Fitness," and Fox said these applications would be covered by the breach notification rules if they exchange information with personal health records.
("Proposed breach notification rule would affect more health vendors", NextGov, April 16, 2009.)
In an interview with Thompson's Compliance Information Center, Steve Fox urged healthcare providers to begin the compliance process to meet the new data privacy and security requirements imposed under the American Recovery and Reinvestment Act of 2009:
“The main message for providers is that ARRA is not something they can wait until next year for,” said Steven J. Fox, Esq., a partner at the law firm Post & Schell in Washington D.C. and co-author of the Guide to Medical Privacy & HIPAA. Although Fox does not advise covered entities to completely overhaul their HIPAA compliance programs before HHS issues regulations, he does say they should begin reviewing all of their current privacy and security policies and procedures and comparing them with the new ARRA requirements. Entities should conduct “a thorough self analysis to determine where they stand.
Covered entities also should train their staff so they understand the importance of privacy and security. Under ARRA’s new penalty provisions, there is an increased potential of significant fines being levied, so entities should prepare by readying their staff for new requirements.
“People need to be trained and retrained to understand how their jobs are changing” as a result of the ARRA privacy and security provisions, Fox said. But, he cautioned “it is premature to do an overhaul of training programs” right away. “Someone needs to revise the whole compliance training program to include all of the ARRA changes — but not too far in advance before the changes are required,” he said.
This interview also headlined IAPP's Daily Dashboard briefing on April 16, 2009.
On April 17, 2009, HHS issued guidance specifying the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals, as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act passed as part of American Recovery and Reinvestment Act of 2009 (ARRA). This guidance was developed through a joint effort by OCR, the Office of the National Coordinator for Health Information Technology (ONC), and the Centers for Medicare and Medicaid Services (CMS).
This guidance relates to two forthcoming breach notification regulations – one to be issued by HHS for covered entities and their business associates under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Sec. 13402 of HITECH) and one to be issued by the Federal Trade Commission (FTC) for vendors of personal health records and other non-HIPAA covered entities (Sec. 13407 of HITECH). HITECH requires these regulations to be published within 180 days of enactment. If the entities subject to the regulations apply the technologies and methodologies specified in the guidance to secure information, they will not be required to provide the notifications required by the regulations in the event the information is breached.
The Guidance can be viewed (in PDF) here.
Our own Steve Fox and HIMSS President H. Stephen Lieber were interviewed by Deirdre Kennedy of iHealthBeat, a daily news service from the California Healthcare Foundation, in an iHealthBeat Special Report about ARRA's impact on the healthcare industry and other hot topics discussed at this year's HIMSS conference in Chicago. You can listen to this audio report here.
Post & Schell is presenting a webinar featuring Vadim Schick and Peter Hardy, who will discuss the practical and legal issues created by the new and upcoming changes in the data privacy protection regime. Topics will include:
- The Identity Theft Prevention Programs required by the Red Flags Rule
- New data breach requirements imposed by HIPAA
- Pending federal data privacy legislation that mirrors existing state laws
- What steps to take now to be prepared
- Why preparing now will save you money and grief later
You can view this presentation at your desk. There is no charge or limit to the number of people who can listen to the presentation on the same line. Click the following link to register for the GoToWebinar presentation: register now. After registering, you will receive log-in information for the April 7th webinar by e-mail.
Also, some of the issues discussed above, including compliance with the Red Flag Rules and HIPAA Privacy and Security Rules, are discussed in a new article by Peter and Vadim, "Preventing Data Breaches: HIPAA Compliance and the Red Flag Rules," published in the April 2009 edition of Compliance Today, and accessible via this link.
Hospitals, multi-hospital systems, and integrated healthcare delivery systems are increasingly utilizing data-sharing technology to communicate with, and share documents among, their officers and directors.
For example, some healthcare business enterprises use online services to upload documents to a “secure” Internet web site for Board members’ review prior to Board meetings, in lieu of sending out such documents via e-mail or in paper form. Healthcare business enterprises using such services need to be aware of many potential security and privacy risks inherent in transmitting, uploading and storing sensitive, confidential or even proprietary information via the Internet.
Update: Healthcare Informatics Interviews Steve Fox and Ed Shay about the HITECH Act, Parts III and IV
Healthcare Informatics Editor-in-Chief Anthony Guerra recently talked with our own Steve Fox and fellow Post & Schell partner Edward Shay about the substance of the HITECH Act and what this new legislation means for healthcare providers. The interview appears under the "Online Exclusives" section of the Healthcare Informatics Web site.
A battle royal rages on among various Harvard physicians about the effects of a widespread adoption of EHR technology. In a Wall Street Journal op-ed, two Harvard doctors questioned President Obama's claim that nationwide adoption of EHR technology will save the taxpayers as much as $80 billion annually. Drs. Groopman and Hartzband call on Mr. Obama to "apply real scientific rigor to fix our health-care system rather than rely on elegant exercises in wishful thinking."
However, three other Harvard physicians, including Geek Doctor John Halamka, published a Letter to the Editor in response to the Groopman/Hartzband Op-Ed, claiming that the latter did not present a full or accurate picture of the positive effects of widespread adoption of EHR technology. In part, Drs. Halamka, Bates and Middleton claim that:
The electronic health record represents a transformational change in healthcare, and will enable an array of improvements—although it will not necessarily result if implemented badly. The electronic record is to the paper record as the automobile was to the horse and buggy. No one will want to go back.
Healthcare Informatics Editor-in-Chief Anthony Guerra recently talked with our own Steve Fox and fellow Post & Schell partner Edward Shay about the substance of the HITECH Act and what this new legislation means for healthcare providers. The interview appears under the "Online Exclusives" section of the Healthcare Informatics Web site.
In Part I and Part II of the interview, Steve and Ed discuss the incentives for hospitals and physician practices included in the HITECH Act; new regulations to be promulgated by HHS Secretary under this Act; and what actions hospitals and physician practices should be considering at this time in order to qualify for the incentive payments under the Act.
Part III is coming soon, and we will update this