HHS extends Stage 2 Meaningful Use deadline to 2014
HHS announced today that the government intends to make it easier for healthcare providers to adopt electronic health records (EHRs). As part of this initiative, HHS decided to extend the deadline for meeting Stage 2 of Meaningful Use until 2014. Via HHS press release:
Under the current requirements, eligible doctors and hospitals that begin participating in the Medicare EHR (electronic health record) Incentive Programs this year would have to meet new standards for the program in 2013. If they did not participate in the program until 2012, they could wait to meet these new standards until 2014 and still be eligible for the same incentive payment. To encourage faster adoption, the Secretary announced that HHS intends to allow doctors and hospitals to adopt health IT this year, without meeting the new standards until 2014.
HHS also trumpeted the results of a CDC survey which found that more than half of U.S. physicians plan to take advantage of the EHR incentive program, and that the rate of EHR adoption doubled between 2008 and 2011, from 17% to 34% among physicians.
Of course, HHS did not comment on how low those numbers are. The fact remains that about two-thirds of U.S. physicians have not adopted electronic health records, and continue to use, in Secretary's words, the same technology as Hippocrates. The Obama administration is relying heavily on Regional Extension Centers and training efforts in order to aid healthcare enterprises in adopting EHRs.
We will update this post with links to any relevant regulations if and/or when HHS publishes them in the Federal Register.
"We Can't Wait: Obama Administration takes new steps to encourage doctors and hospitals to use health information technology to lower costs, improve quality, create jobs," HHS press release (November 30, 2011).
On October 20, 2011, CMS published the final rule on Accountable Care Organizations (ACOs) or, as it is formally known, the Medicare Shared Savings Program (the "Program"), enacted as part of the Patient Protection and Affordable Care Act (ACA) of 2010. According to CMS chief Don Berwick, MD, the Program represents an "opportunity to coordinate care among providers," which could "greatly improve the quality of care Medicare beneficiaries receive," and produce substantial savings for the federal government. The Program creates incentives for providers to collaborate in treating an individual patient across care settings, in order to receive a portion of the savings generated from providing such care. 
HHS released the first numbers regarding its Meaningful Use incentives program, established by the HITECH Act of 2009. Unsurprisingly, most eligible professionals and hospitals receiving funds this year qualified for incentive payments under Medicaid, rather than Medicare, because Medicare has a higher threshold for receiving such payments. Medicare requires the eligible professional or hospital to achieve and demonstrate meaningful use, while Medicaid mandates only adoption, implementation or upgrade of existing systems. 
A spreadsheet containing personal data of 20,000 emergency room patients of Stanford Hospital appeared on Student of Fortune, a Web site which "crowdsources" homework to other students online. The lost data included names, admission dates, diagnoses and other sensitive information. According to the New York Times, the spreadsheet was uploaded to this site by a billings contractor of Stanford Hospital, when an employee tried to solicit help on how to create a graph from the data in the spreadsheet. As Gawker reasonably speculated, a contractor's employee probably did not know how to create a graph and "so uploaded it to the homework helper website and offered, probably, a buck or two if someone could do it for them."
On July 19, 2011, the U.S. Food and Drug Administration (FDA) issued a .gif){kind=logo}
On July 6, 2011, the University of California at Los Angeles Health System (UCLAHS) reached a settlement with HHS's Office of Civil Rights (OCR) regarding UCLAHS's potential violations of HIPAA Privacy and Security Rules. The settlement includes a payment of $865,500 and a corrective action plan (CAP). 
The HIT Policy Committee, which advises the Office of the National Coordinator for Health IT in the Department of Health and Human Services, voted 12-5 to approve a significant delay in requiring providers to meet Stage 2 Meaningful Use until 2014. If finalized by CMS, such delay would be a welcome relief to those providers who qualified for Stage 1 Meaningful Use in 2011 (and therefore would have only a few months to commence Stage 2 Meaningful Use under the current rule).
On May 31, 2011, HHS released the proposed rule on accounting for dislosures of protected health information (PHI), which modified the HIPAA Privacy Rule pursuant to the HITECH Act. This proposed rule would give individuals the right to get a report on who has electronically accessed their PHI. Via 
HHS's own Office of Inspector General (OIG) issued a scathing report regarding pervasive breaches in privacy and security of patient data. OIG specifically called out the Office of Civil Rights (OCR), charged with enforcement of HIPAA Privacy and Security Rules, for failing to investigate and punish the vast majority of violators.
Earlier today, HHS has released the highly anticipated proposed rule on Accountable Care Organizations (ACOs). The rules will guide healthcare providers in setting up exchanges of healthcare data to improve care and reduce costs, as mandated under the Patient Protection and Accountable Care Act of 2010.
CMS announced that the online Attestation System for the Medicare EHR Incentive Program will launch on April 18, 2011. Eligible professionals and eligible hospitals will be able to use this online portal to self-attest to meeting the Meaningful Use criteria.
As we 
Cignet Health, a Maryland health plan and a HIPAA covered entity, has been fined $4.3 million for failing to produce health records upon request to 41 patients, and for failing to cooperate with OCR with the agency's investigation. This is the very first civil money penalty (CMP) issued by HHS under the HIPAA Privacy Rule.
Dr. David Blumenthal, the head of the Office of the National Coordinator for Health IT (ONC), announced yesterday in a letter to his staff that he's leaving the ONC and returning to his position at Harvard University. 
On the heels of 
On December 8, 2010, 
In a highly anticipated move, on December 1, 2010, the Federal Trade Commission (FTC) released its report and recommendations regarding protecting personal information gathered online. The FTC recommended moving away from self-regulation by the industry towards a more European, “privacy-by-design” approach, which offers a much greater degree of protection to individuals, including by requiring businesses collecting data online to build privacy protections into their everyday business practices and retain data on consumer preferences and online browsing activity only as long as needed and deleting data on a regular basis. 
The U.S. Government Accountability Office (GAO) released its report on integrated delivery systems (IDSs) in healthcare. The report found that electronic health record systems (EHRs) are able to improve patient care among such IDSs.
A new study by the Ponemon Institute concluded that data breaches cause enormous losses for U.S. hospitals: on average, over a two-year period, each hospital will incur about $2 million in losses due to data breaches, which results in $12 billion cumulative loss for all U.S. hospitals.
Government Health IT published a column by Steve Fox and yours truly on the critical role Regional Extension Centers (RECs) can and should play in distributing best practices regarding contracting for health IT systems, including EHRs. Via 
According to a new study by the Center for Studying Health System Change, less than 7% of U.S. physicians communicate with their patients via e-mail. According to the 
The Chesapeake Regional Information System for our Patients (CRISP) went live this month connecting three hospitals, three radiology centers and two private companies in Montgomery County, Maryland during the initial stage of this health data exchange. According to The Washington Post, all 48 hospitals in Maryland plan to join CRISP by 2012. The exchange will allow hospitals, physician practices, hospitals, clinics, labs, radiology centers, and other health care institutions to share information electronically.
Post & Schell, in collaboration with 
In addition, our guest presenter for this webinar, Alex Ricardo, CIPP of Kroll Fraud Solutions, discussed the practical implications of this new set of regulations on covered entities and business associates, including:
On Thursday, October 7, 2010, from 1:00PM to 2:00PM, Post & Schell, in collaboration with 
As we mentioned .gif){kind=logo}
Via 
Our own Steve Fox was interviewed by 
On August 19, 2010, the "tiger team" advisory panel 
eWeek 
Via 
CMS launched a very useful 
On August 19, 2009, pursuant to the HITECH Act, the Department of Health and Human Services (HHS) published the interim final regulations regarding breach notification requirements for health care providers and other entities covered by HIPAA. The rule became effective on September 23, 2009. 
The Rite Aid Corporation, the third largest pharmacy chain in the United States, reached a 
In November of 2009, health insurance provider HealthNet 
As required in the Patient Protection and Affordable Care Act (PPACA), Center for Medicare and Medicaid Services (CMS) announced this week that it plans to integrate the quality reporting requirements for physicians' Medicare payments with reporting requirements for healthcare providers who achieve meaningful use under the HITECH Act. Via 
Breaches are not always caused by lost laptops or hackers. They often result from simple errors by the hospital's or another provder's own staff. In a very recent example, the California Department of Public Health found two instances of serious mishandling of protected patient information at Children's Hospital of Orange County. Via 
Both companies are looking to capitalize on the projected exponential growth in adoption of health IT, in part due to the incentives created by ARRA. According to the Congressional Budget Office, adoption of electronic health records by physician practices is expected to increase from 12% in 2011 to 90% by 2019. 
Upon request from members of Congress, the Federal Trade Commission (FTC) has once 
Just days prior to the latest enforcement deadline of the Red Flags Rule ("RFR"), medical and osteopathic associations sued the Federal Trade Commission (FTC) over the applicability of RFR's identity theft prevention requirements to their member organizations. FTC is to begin enforcement of the Rule on June 1, 2010. Among other claims, medical associations are seeking the U.S. District Court for the District of Columbia to prevent the FTC from defining healthcare providers as "creditors" under FACTA. According to 
The Wall Street Journal devoted the front page of its "Marketplace" section to a .gif){kind=logo}
According to 
Back in January, we .gif){kind=logo}
HHS's Office of Civil Rights (OCR) filed a notice in the Federal Register lifting a requirement preventing OCR from posting names of sole practitioners who suffer breaches of patient data without first obtaining consent from such practitioners. Pursuant to the HITECH Act, any covered entity reporting a breach affecting over 500 individuals must report such breach to HHS, and HHS will post a notice of such breach on its web site. At the same time, HHS did not post names of individual physician practices (e.g., sole practitioners) without such physicians' consent because they deemed the name of the physician to be protected under the Privacy Act of 1974. Instead, HHS listed such breaches under "private practice." However, OCR announced on April 16, 2010, that "it will begin posting on its breach notification web site the names of entities they consider "individuals" regardless of whether or not those entities give consent." According to 
Courtesy of the 
On April 13, 2010, the Wall Street Journal published two fascinating articles on health information technology issues. In "
In a letter to Dr. David Blumenthal, the College of Healthcare Information Executives (CHIME), an organization which represents1,400 healthcare chief information officers, offered some criticism of ONC's recent notice of proposed rulemaking (NPRM) regarding the EHR certification program. While CHIME expressed general support for a two-stage approach for creating the certifying bodies, the CIO's are worried about any destabilizing effects such rule may have on the health IT market. Via .gif){kind=logo}
A group of 37 U.S. Senators sent a .gif){kind=logo}
The Office of National Coordinator for Health IT (ONC) 
On March 24, 2010, the U.S. Drug Enforcement Administration (DEA) released its _1269459243447.jpeg){kind=tracking}
Javelin Strategy & Research survey .gif){kind=logo}
As of February 22, 2010, HHS is expected to begin enforcing the new breach notification requirements created by the privacy and security provisions within the HITECH Act. Although such requirements went into effect last fall, HHS gave covered entities and business associates a few months to adapt to the new rules. That enforcement delay is now over, and, perhaps in a related move, on February 23, 2010, HHS's Office of Civil Rights, pursuant to the HITECH Act, .gif){kind=logo}
Pursuant to the HITECH Act, on February 17, 2010, business associates of covered entities 
Joy Pritts, a researcher and faculty member at Georgetown University's Health Policy Institute, was named as the first Chief Privacy Officer for the Office of National Coordinator for Health IT. This position was created pursuant to a provision in ARRA, last year's economic stimulus legislation.
According to .gif){kind=logo}
HHS Secretary Kathleen Sebelius, appearing with Labor Secretary Hilda Solis, announced the Obama administration will release almost $1 billion set aside in the stimulus bill in order to aid implementation of health information technology.
Following up on his .jpg)
There is little doubt that the healthcare industry must prepare for a growing number of - and expanding costs associated with - data breaches, particularly for breaches of protected health information. Here are just a few notable reports on this subject:.gif){kind=logo}
CMS released a proposed rule pursuant to the HITECH Act which includes the much-anticipated definition of Meaningful Use of Certified EHR technology. You can find the full text .gif){kind=logo}
Coordinator for Health Information Technology (ONC) will announce two regulations that lay a foundation for improving quality, efficiency, and safety through meaningful use of electronic health record (EHR) technology.
On the eve of HHS releasing the much-anticipated definition of "meaningful use," health IT divisions of GE and Siemens revealed new financing options for purchases of their EMR and other HIT products.
ancing solutions to help healthcare providers pursue meaningful use objectives and meet [HITECH Act] deadlines <...> Featuring zero-percent interest terms for qualified customers, the solutions enable organizations to defer up-front payments associated with their technology investment while meeting criteria for future government incentive monies.".gif){kind=logo}
The Office of National Coordinator for Health IT named 17 members of the newly formed privacy and security workgroup of the HIT Policy Committee. According to 
The new science of personalized medicine, a new .gif){kind=logo}
Pursuant to the HITECH Act, the Department of Health and Human Services (HHS) released interim final regulations updating enforcement rules for violations of HIPAA. As 
In a remarkable 400-0 vote, the U.S. House of Representatives exempted dentists from the requirements of FTC's Red Flags Rule. The measure garnered rare, unambiguously bi-partisan support in Congress:
Major losses or breaches of personal information are not just for patients anymore: The Chicago Tribune reports that the Blue Cross Blue Shield Association lost sensitive personal information, including, in some cases, social security numbers, of about 800,000 physicians -- nearly all the doctors in the United States. As expected, this data loss came from a stolen laptop. According to the Tribune:
Dr. David Blumenthal, the National Coordinator for Health IT, gave an 
According to .gif){kind=logo}
The last few weeks saw a tremendous amount of activity in the health IT market. Dell and Xerox were among the companies trying to capitalize on opportunities created by the ARRA incentives and certain market trends, including high demand for HIT products due to the ongoing digitization of the industry and, more generally, the expanding healthcare needs of an aging population in the United States..gif){kind=logo}
On September 15, 2009, the HIT Standards Committee .gif){kind=logo}
On August 19, 2009, pursuant to the HITECH Act, the Department of Health and Human Services (HHS) published the interim final regulations regarding breach notification requirements for health care providers and other entities covered by HIPAA. 
According to a study by UnitedHealth Group, America's largest health insurer by market value, widespread adoption and use of HIT may save the healthcare industry and the U.S. government up to $332 billion over 10 years. According to .gif)
The Washington Post provides an interesting behind-the-scenes account of how the funds for electronic health records adoption were included into the American Recovery and Reinvestment Act of 2009, commonly known as the stimulus bill. Health Information and Management System Society (HIMSS) played a crucial role in this lobbying effort. According to the Post:
Steve Fox was interviewed in this month's Cover Story "