EHR vendor loses ONC certification for two of its records systems

This week, health care organizations were startled and not a little concerned to learn of the ONC's unprecedented action with regard to a California health software company. The agency is decertifying electronic health records systems that initially met ONC requirements for certification.

Via Modern Healthcare:

For the first time, the Office of the National Coordinator for Health Information Technology at HHS has revoked certifications for two electronic health-record systems, raising troubling questions about how physicians and hospitals should react if the government nixes a system they're already using.

Federal officials require that doctors and hospitals use certified EHR systems in order to receive federal money to defray the cost of converting to EHRs. But on Thursday, the ONC said it decided to revoke certifications for two products on the market after anonymous complaints were lodged about the systems.

IT staffing shortage a chronic issue for health industry

The healthcare industry continues to face a greater deficit than ever in terms of qualified professionals to fill its ever-expanding information technology staffing needs.

Via Modern Healthcare:

Many U.S. healthcare companies – about 67% – report that they’re struggling to attract experienced information technology workers, according to a survey.

That’s compared with 10% that said they have problems attracting all workers, according to the "Towers Watson 2013 Healthcare IT Survey" (PDF).  Meanwhile, 38% of healthcare companies reported problems with retaining experienced IT workers, compared with 8% reporting problems retaining all types of workers.

Health care digitization enriches software industry

The health IT industry's pitch to Congress, and to the public, was that health care would be transformed through digitization and that the shift to electronic records would produce huge health care savings. Four years after the passage of ARRA and the HITECH Act, which included $19 billion in EHR incentives, it remains to be seen whether the federal government and the American public will see such benefits as reduced costs and improved levels of health care. Meanwhile, the software industry appears to be the big winner.

For more, see the New York Times article "A Digital Shift on Health Data Swells Profits in an Industry".

Mostashari urges HIT vendors to conduct themselves ethically

Farzad Mostashari, National Coordinator for Health Information Technology, believes most HIT vendors operate in good faith. At a recent meeting, however, Mostashari stated that he will be testing organized peer pressure as a means of bringing the more ethically problematic vendors into line, in order to avoid having to develop onerous additional regulations. He warned that he will impose more regulations if necessary.

See Healthcare IT News article at "Mostashari calls on vendors to play fair".

Family doctor EHR use up although use varies by location

The Annals of Family Medicine reports that although use of electronic health records has not increased significantly in all regions, it has risen dramatically nationwide in the last few years.

Via Modern Healthcare:

The number of family physicians who have adopted electronic health records has more than doubled since 2005, though wide geographic variations exist, according to a report in the Annals of Family Medicine.

Using census survey data from the American Board of Family Medicine maintenance of certification exam and the National Ambulatory Medical Care Survey, researchers predicted that the adoption rate could pass 80% by the end of the year.

Breaking: HHS releases final rule on HITECH Act provisions

HHS has announced a long-awaited omnibus final rule that implements a number of provisions of the HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, commonly known as the "Stimulus Bill," to strengthen the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

We will update the blog with more analysis of the final rule; in the meantime, the press release is available here, and a copy of the rule is available via the Federal Register here.

Via HHS Press Release:

The final rule also reduces burden by streamlining individuals’ ability to authorize the use of their health information for research purposes. The rule makes it easier for parents and others to give permission to share proof of a child’s immunization with a school and gives covered entities and business associates up to one year after the 180-day compliance date to modify contracts to comply with the rule.

The final omnibus rule is based on statutory changes under the HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, and the Genetic Information Nondiscrimination Act of 2008 (GINA) which clarifies that genetic information is protected under the HIPAA Privacy Rule and prohibits most health plans from using or disclosing genetic information for underwriting purposes.

HIPAA Transaction Rules Compliance Enforcement Delayed Until April 2013

The Centers for Medicare & Medicaid Services will postpone the start of HIPAA Transaction Rules compliance enforcement for 90 days, according to a recent announcement.

See the CMS press release here. Via the CMS website:

Today, the Centers for Medicare & Medicaid Services’ Office of E-Health Standards and Services (OESS) announced that to reduce the potential of significant disruption to the health care industry, it will not initiate enforcement action until March 31, 2013, with respect to HIPAA covered entities (including health plans, health care providers, and clearinghouses, as applicable) that are not in compliance with the operating rules adopted for the following transactions as required by the Affordable Care Act: eligibility for a health plan and health care claim status. Notwithstanding OESS’ discretionary application of its enforcement authority, the compliance date for using the operating rules remains January 1, 2013.

Settlement of first small scale HIPAA breach announced by HHS

In a sign that HHS is serious about small data breaches, the Office for Civil Rights (OCR) and The Hospice of North Idaho reached a settlement agreement to resolve allegations of a 2010 breach involving 441 patient records. OCR Director Leon Rodriguez reminded the industry that every covered entity, regardless of size, must implement the privacy and security safeguards required under HIPAA, as amended pursuant to the HITECH Act, including, for example, encryption of protected health information on mobile devices.

This settlement comes at the same time as the OCR rolls out its new educational initiative aimed at securing protected data on mobile devices. You can learn more about this initiative here.

Via HHS Press Release:

The Hospice of North Idaho (HONI) has agreed to pay the U.S. Department of Health and Human Services (HHS) $50,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. This is the first settlement involving a breach of unprotected electronic protected health information (ePHI) affecting fewer than 500 individuals.

The HHS Office for Civil Rights (OCR) began its investigation after HONI reported to HHS that an unencrypted laptop computer containing the electronic protected health information (ePHI) of 441 patients had been stolen in June 2010. Laptops containing ePHI are regularly used by the organization as part of their field work. Over the course of the investigation, OCR discovered that HONI had not conducted a risk analysis to safeguard ePHI. Further, HONI did not have in place policies or procedures to address mobile device security as required by the HIPAA Security Rule. Since the June 2010 theft, HONI has taken extensive additional steps to improve their HIPAA Privacy and Security compliance program.

HHS Inspector General: Medicare EHR incentive program lacks adequate safeguards against error and fraud

The HHS Inspector General this week reported the results of its recent investigation to “verify the accuracy of professionals' and hospitals' self-reported meaningful-use information, as well as eligibility and payment amounts.” The investigation reviewed payments issued from May through December 2011, a period during which approximately $1.7 billion was distributed to almost 28,000 recipients. The Inspector General’s office concluded that Medicare needs to improve its review process.

Link to the report here.

Via Modern Healthcare:

The CMS and the Office of the National Coordinator for Health Information Technology at HHS need to tighten up their oversight of the Medicare EHR incentive payment program, according to HHS' inspector general's office.
 
The watchdog office, headed by Inspector General Daniel Levinson, offered a couple of recommendations for the agencies in its report, "Early Assessment Finds That CMS Faces Obstacles in Overseeing the Medicare EHR Incentive Program" (PDF). The report is based on audits of EHR incentive payment attestations, reviews of internal CMS and ONC documents about the program and interviews with CMS personnel. The inspector general's office did not focus this time on the Medicaid portions of the program, although a previous report, issued in July 2011, did, focusing on 13 state-run Medicaid EHR incentive programs. The inspector general's office also is conducting "a series of audits of Medicare and Medicaid EHR incentive payments" to "verify the accuracy of professionals' and hospitals' self-reported meaningful-use information, as well as eligibility and payment amounts." No time frame for those audits was included in the report.

3.8 million record breach in South Carolina: lessons learned

Hackers recently infiltrated South Carolina's state tax records, absconding with the largest haul to date of Social Security numbers and credit and debit card numbers taken from a state agency. State officials describe how the theft was carried out, and list enhanced security measures that could have prevented the attack.

See the New York Times article "South Carolina Offers Details of Data Theft and Warns It Could Happen Elsewhere".

EHR access lost during Hurricane Sandy

Hurricane Sandy this week tested East Coast health care systems’ electronic infrastructure.  Emergency preparedness plans were implemented fairly successfully for most health care facilities, allowing them to continue to operate adequately.  Others, however, were negatively impacted, including some which lost access to their EHRs. 

It is absolutely critical that health care providers, even in areas that are not prone to massive weather-related disruptions, consider and implement backup plans for their IT systems. The crisis at NYU Langone Medical Center in Manhattan demonstrated just how dependent we are on electronic systems and the power supply. It is imperative that the IT staff at each health care provider organization know that its important software systems, including EHRs, are backed up, and that the organization's data, including patient data, is readily available and is never lost because of a storm or an earthquake.

Via Modern Healthcare:

Power outages across New Jersey, New York and Pennsylvania forced some hospitals to evacuate and others to rely on backup generators in the wake of superstorm Sandy.
 
The powerful and massive storm, which reached the coast in southern New Jersey around 8 p.m. on Monday, is responsible for at least 35 deaths, the Associated Press reported.
 
One Manhattan hospital was forced to evacuate 300 patients hours after Sandy's landfall when backup power failed. Evacuation of the New York University Langone Medical Center was complete by late Tuesday morning, a statement from the hospital said.

Computer viruses on hospital medical devices: a growing concern; possible solutions

Medical device security experts report increasing problems with computer viruses on hospital medical devices. Sources of the problem include inconsistent and/or incompatible security measures, as well as outdated operating systems. The Government Accounting Office has sounded the alarm, asking the FDA to address the matter.

See Forbes article at "Hospital Medical Devices 'Rampant' With Computer Viruses".

Public-private group, eHealth Exchange, to oversee development of health info network

The HHS Office of the National Coordinator for Health Information Technology is passing management of the Nationwide Health Information Network to a coalition of public and private health care organizations.

Via Modern Healthcare:

Following last month's announcement that "now is not the time" for formal regulation of a proposed network of health information exchanges, HHS' Office of the National Coordinator for Health Information Technology said it is transitioning control of that network—known as the Nationwide Health Information Network—to a public-private partnership known as the eHealth Exchange.

Health education information incomprehensible to many; HHS program to rate EHR-linked education materials for "understandability"

Health education materials provided to health care consumers have until now commonly assumed a fairly high level of “health literacy”, a level which, research has shown, puts the materials out of reach of about 77 million people. HHS’ new program addressing this issue begins with the development of a system to rate health information, alongside efforts to improve the quality of these materials.

Via Modern Healthcare:

HHS' Agency for Healthcare Research and Quality is developing a rating system for the growing amount of health information directed at patients.
 
The agency's Health Information Rating System, discussed in a Federal Register posting, will focus especially on patient data provided by electronic health records.

Sharing EHR notes between providers and patients improves care, patient loyalty among other benefits

According to the Annals of Internal Medicine, a new study found no disadvantages to health care providers' sharing EHR notes with patients.

Via Kaiser Health News:

Doctors are required by federal law to provide patients with a copy of their medical notes upon request, but few patients ask and doctors generally don’t make the process easy.

When patients were offered online access, however, 90 percent read their doctors’ notes with some impressive results.

Laptop theft costs Massachusetts provider $1.5 million in HHS settlement

Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates (MEEI) will be paying HHS $1.5 million in installments over three years for a 2010 incident. It is worth noting that OCR also reached a $1.5 million settlement with Blue Cross Blue Shield of Tennessee (BCBST) earlier this year for a breach involving over a million patient records on stolen hard drives. The MEEI data breach, on the other hand, involved only 3,621 patient records.

Regardless of OCR's exact motives for imposing such a high fine for a significantly smaller breach, it is clear that OCR takes compliance with the HIPAA Privacy and Security Rules very seriously, especially in cases where patient data is stored on portable devices. It is also important to keep in mind that, as we pointed out after the BCBST breach, the $1.5 million settlement amount may well be exceeded by MEEI's costs of notifying affected patients and providing credit monitoring, as well as of investigating and correcting the breach.

Via Modern Healthcare:

HHS' Office for Civil Rights announced that Massachusetts Eye and Ear Infirmary and its affiliated physician group, Massachusetts Eye and Ear Associates, agreed to pay $1.5 million to settle a HIPAA security-rule violation case.

The $1.5 million settlement with Boston-based Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, collectively known as MEEI, is part of a resolution agreement (PDF) with the Office for Civil Rights. MEEI's alleged violations of the Health Insurance Portability and Accountability Act's security rule stem from the reported 2010 theft of a laptop computer storing 3,621 patient records, according to HHS.

Tagging technique keeps more sensitive portions of an EHR more private

State and federal privacy laws rigorously restrict sharing of mental health and other highly sensitive patient records.  A technique called “data tagging” may be key in facilitating health care providers’ compliance with these requirements.

Via Modern Healthcare:

Using off-the-shelf content standards and messaging protocols, the Veterans Affairs Department and the Substance Abuse and Mental Health Services Administration of HHS have successfully demonstrated how to electronically tag mental health and other highly sensitive clinical records to help providers comply with stringent state and federal privacy laws limiting the sharing of those records without patient consent.

Development of the electronic patient-consent management system came in response to the VA's and SAMHSA's own needs to protect the privacy of patients under two federal medical record privacy laws that are more robust than the privacy rule under the Health Insurance Portability and Accountability Act.

ONC: no caps on per-provider EHR incentive payments

National Coordinator for Health IT Farzad Mostashari has announced that there is no cap on how much an individual provider may receive in meaningful use incentive payments, as long as the provider meets the requirements of the EHR incentive payment program. According to the ONC, almost seven billion of the approximately twenty billion dollars in incentives allocated under the HITECH Act has already been distributed.

Via Healthcare IT News:

WASHINGTON – There are no set appropriations for how much the federal government can spend on rewarding providers who adopt and use electronic health records under the Medicare and Medicaid meaningful use EHR incentive program, according to National Coordinator for Health IT Farzad Mostashari, MD.

"Whoever qualifies, gets paid; there's no hard cap," said Mostashari, who gave a keynote at the Annual Policy Summit for the Health Information Management and Systems Society (HIMSS) on Wednesday.

Cybersecurity risk management by boards and senior executives: 12 recommendations

According to Forbes, a recent Carnegie Mellon study has found that corporate boards “are not actively addressing cyber risk management.” The researchers collected data from corporations worldwide and across all industrial sectors, and found that while boards actively attend to risk management as part of their oversight, “there is still a gap in understanding the linkage between cybersecurity risks and enterprise risk management”.

The study's report, well worth reviewing for its instructive if sometimes disturbing findings, concludes that by implementing the following twelve recommendations, boards and senior management can "significantly improve their organizations’ security posture and reduce risk":

ONC announces five organizations to serve as EHR certifiers

In preparation for the launch of ONC's permanent EHR system testing and certification program, part of the EHR incentive payment initiative, ONC has authorized five groups to serve as permanent EHR certifiers.

Via Modern Healthcare:

Even though the new regime for testing and certifying electronic health-record systems under the federal EHR incentive program won't take effect until October—and testing against newly released criteria might not begin until year's end—federal authorities have given five organizations the OK to certify software for that program.

HHS' Office of the National Coordinator for Health Information Technology has authorized the Certification Commission for Health Information Technology, the Drummond Group, ICSA Labs, InfoGard Laboratories and Orion Register to serve as certification bodies under the EHR incentive payment program, according to ONC spokesman Peter Ashkenaz. The program was established by the American Recovery and Reinvestment Act.

EHR hackers turn to extortion

Hackers recently struck a small medical practice in suburban Chicago, encrypted the facility’s digital medical records, and then demanded a ransom payment in exchange for allowing the facility to regain access to its records.  Medical industry observers note that this is not the first instance of this new type of criminal hacking activity.

This case should serve as a reminder to health care providers that, beyond the significant concern of securing patient data against unlawful access, use or disclosure, they should make sure that their patient data is backed up and accessible through more than one channel, in order to avoid a "hostage" situation like the one described below.

Via Bloomberg News:

As more patient records go digital, a recent hacker attack on a small medical practice shows the big risks involved with electronic files.

The Surgeons of Lake County, a medical facility in the northern Illinois suburb of Libertyville, revealed last month that hackers had burrowed deeply into its computer network, infiltrating a server where e-mails and electronic medical records were stored, Bloomberg.com reported on its Tech Blog.  

Unlike many other data breaches, the hackers made no attempt to keep their presence a secret. In fact, they all but fired a flare to announce the break-in, taking the extreme step of encrypting their illicit haul and posting a digital ransom note demanding payment for the password.

The doctors turned the server off and notified the authorities, refusing to pay.

OCR: Health records of over 7 percent of U.S. population breached in past 3 years

Health records of over seven percent of the U.S. population – almost 21 million individuals – have been breached in the past three years, according to OCR. Although it may be somewhat of an apples-to-oranges comparison, it is worth noting that outside the health care arena it is not uncommon for this number of records, or several times this number, to be breached in a single incident in this new era of vanishing personal privacy. The 2012 theft of 24 million customer records from online shoe retailer Amazon/Zappos may be the most recent of the large-scale data breaches, but it is dwarfed by other breaches in recent years, including, notably, the 2009 Heartland Payment Systems incident in which 134 million records were compromised. According to OCR, the 21 million figure represents only records compromised in breaches above a certain threshold and does not include smaller-scale breaches.

Via Modern Healthcare:

Since September 2009, there have been 477 breaches reported to the Office for Civil Rights affecting 500 or more people, according to a publicly viewable list on the office's website.

Majority of health care providers have entered electronic age

Over half of U.S. doctors now use electronic medical records, and half of the remainder plan to start in the coming year, a new poll has found.

Via HealthDay:

TUESDAY, July 17 (HealthDay News) -- A majority of U.S. physicians have now adopted an electronic health record system as part of their routine practice, a new national survey reveals.

The finding is based on responses provided by nearly 3,200 doctors across the country who completed a mail-in survey in 2011. The survey was conducted by the U.S. Centers for Disease Control and Prevention's National Center for Health Statistics as part of an ongoing three-year effort (continuing through 2013) designed to assess perceptions and practices regarding electronic health record systems.

Patient-accessible electronic medical records may increase preventive care

In a recent study, patients significantly increased their use of preventive care after being given online access to their medical records. These health care consumers’ use of preventive care measures such as cancer screenings and immunizations was higher than that of consumers without online access to their EMRs.

Via Reuters:

In a clinical trial at eight primary care practices, researchers found that patients who used such "interactive" health records were more likely to become up-to-date on recommended preventive care.

That included screening tests for breast, colon and cervical cancers, and immunizations like the yearly flu shot.

After 16 months, 25 percent of patients who used the online records were up-to-date on their preventive care - which was double the rate of non-users.

Final breach notification rules delayed

On August 19, 2009, pursuant to the HITECH Act, the Department of Health and Human Services (HHS) published interim final regulations setting out breach notification requirements for health care providers and other entities covered by HIPAA. The rule became effective on September 23, 2009.

During the 60-day public comment period, HHS received 120 comments, after which HHS developed a final rule and submitted it to the Office of Management and Budget (OMB) for regulatory review on May 14, 2010. However, on July 27, 2010, HHS issued a statement that it was withdrawing the final rule from OMB:

HHS is withdrawing the breach notification final rule from OMB review to allow for further consideration, given the Department’s experience to date in administering the regulations. This is a complex issue and the Administration is committed to ensuring that individuals’ health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur. We intend to publish a final rule in the Federal Register in the coming months.

HHS's withdrawal remains a bit of a mystery. However, Post & Schell's Ed Shay has a couple of thoughts, which you can read after the jump.

Rite Aid settles FTC and OCR privacy charges

The Rite Aid Corporation, the third largest pharmacy chain in the United States, reached a major settlement with both the Federal Trade Commission (FTC) and HHS's Office for Civil Rights (OCR) over charges that Rite Aid violated federal privacy and security laws and regulations by failing to keep its customers' and employees' data safe.

Rite Aid employees were reported to have discarded prescriptions and pill bottles containing sensitive patient data in dumpsters behind various Rite Aid pharmacies, where they were easily accessible to the public. Such practices violate the HIPAA Privacy Rule, which requires covered entities to safeguard the privacy of patient information even when that information is being destroyed. Rite Aid's actions may also have violated the company's own promises to its customers to keep their health information private and secure (this broken promise being the basis for the FTC's charges).

In the news

  • Kaiser Permanente and IBM inked a $500 million, seven-year IT services deal. IBM will manage Kaiser's data center operations, storage and software, but IBM will not have access to patients' medical records. AP, San Francisco Chronicle (March 17, 2009).
  • A new study expects that as much as three-quarters of prescribers will use e-prescribing by 2014 because of the incentives for adoption of e-prescribing technology included in the HITECH Act (though only about 15% of current prescribers use e-prescribing). This could result in a massive $22 billion reduction in drug and medical costs. Government Health IT (March 17, 2009).
  • Wal-Mart is bringing its "high-volume, low-cost" approach to the medical records industry. Wal-Mart's Sam's Club division will produce a package that will include hardware from Dell, software from eClinicalWorks, as well as installation, maintenance and training services. According to the New York Times (March 11, 2009), the "Sam’s Club offering, to be made available this spring, will be under $25,000 for the first physician in a practice, and about $10,000 for each additional doctor. After the installation and training, continuing annual costs for maintenance and support will be $4,000 to $6,500 a year, the company estimates." This development has huge implications for the EHR market, and may actually aid the widespread adoption of EHR technology. Healthcare IT News (March 11, 2009) also covered this story.

More news after the jump.

HITECH Act Will Benefit Higher-Ed Institutions

HHS may award grants to eligible institutions “to carry out demonstration projects to develop academic curricula integrating certified EHR technology in the clinical education of health professionals.” Eligible institutions are limited to:

  • a school of medicine, osteopathic medicine, dentistry, or pharmacy, a graduate program in behavioral or mental health, or any other graduate health professions school;
  • a graduate school of nursing or physician assistant studies;
  • a consortium of two or more schools described above; or
  • an institution with a graduate medical education program in medicine, osteopathic medicine, dentistry, pharmacy, nursing, or physician assistance studies.
