Breaking: CMS issues final rule on Stage 2 of Meaningful Use

The Centers for Medicare and Medicaid Services (CMS) released the final requirements for Stage 2 of Meaningful Use, which health care providers must meet in order to qualify for incentives during this stage of the program, along with the criteria that electronic health records must meet to achieve certification.

Via CMS press release:

The requirements announced today:

Make clear that stage two of the program will begin as early as 2014. No providers will be required to follow the Stage 2 requirements outlined today before 2014.
Outline the certification criteria for the certification of EHR technology, so eligible professionals and hospitals may be assured that the systems they use will work, help them meaningfully use health information technology, and qualify for incentive payments.
Modify the certification program to cut red tape and make the certification process more efficient.
Allow current “2011 Edition Certified EHR Technology” to be used until 2014.

The CMS final rule also provides a flexible reporting period for 2014 to give providers sufficient time to adopt or upgrade to the latest EHR technology certified for 2014.

You can find a fact sheet on CMS’s final rule on Stage 2 here and a detailed fact sheet on ONC’s standards and certification criteria here.


OCR: Health records of over 7 percent of U.S. population breached in past 3 years

Health records of over seven percent of the U.S. population – almost 21 million individuals – have been breached in the past three years, according to OCR. Although it may be somewhat of an apples-to-oranges comparison, it is worth noting that outside the health care arena it is not uncommon for this number of records, or several times this number, to be breached in a single incident, in this new era of vanishing personal privacy. The 2012 theft of 24 million customer records from Zappos, the Amazon-owned online shoe retailer, may be the most recent of the large-scale data breaches, but it is dwarfed by other breaches in recent years, notably the 2009 Heartland Payment Systems incident in which 134 million records were compromised. According to OCR, the 21 million figure represents only those records compromised in breaches over a certain reporting threshold and does not include smaller-scale breaches.

Via Modern Healthcare:

Since September 2009, there have been 477 breaches reported to the Office for Civil Rights affecting 500 or more people, according to a publicly viewable list on the office’s website.


Majority of health care providers have entered electronic age

Over half of U.S. doctors now use electronic medical records, and half of the remainder plan to start in the coming year, a new poll has found.

Via HealthDay:

TUESDAY, July 17 (HealthDay News) — A majority of U.S. physicians have now adopted an electronic health record system as part of their routine practice, a new national survey reveals.

The finding is based on responses provided by nearly 3,200 doctors across the country who completed a mail-in survey in 2011. The survey was conducted by the U.S. Centers for Disease Control and Prevention’s National Center for Health Statistics as part of an ongoing three-year effort (continuing through 2013) designed to assess perceptions and practices regarding electronic health record systems.

Specifically, the poll found that 55 percent of U.S. doctors have embraced some type of electronic health record system. And roughly 75 percent of those who have done so reported that the type of system they took on meets the criteria of playing a “meaningful” role in their practice, according to the terms of 2009 federal legislation (entitled the Health Information Technology for Economic and Clinical Health Act) designed to promote the use of electronic health records.

What’s more, 85 percent of those doctors who now have an electronic health record system in place said they are either “somewhat” or “very” satisfied with its day-to-day operations (47 percent and 38 percent, respectively). And three in four said patient care has improved as a result of electronic health record adoption.

The poll also indicated that among those who have yet to embrace an electronic health record system, almost half said they plan to do so in the coming year.

Physician age seems to have played a role in how likely a doctor was to have already brought an electronic health record system into their practice, the findings showed. While 64 percent of those under the age of 50 have done so, the poll revealed that the same was true of only 49 percent among those aged 50 and older.

Office size also seems to matter, with larger physician practices being more likely to have incorporated an electronic health record system into their administrative infrastructure. Specifically, 86 percent of offices with 11 or more physicians on site had taken on such a system, compared with roughly 60 percent to 62 percent of those with two to 10 physicians and just under 30 percent of single-doctor practices.

But although some kinds of specialists (such as surgeons) were somewhat less likely to have implemented an electronic health record system, race, gender and physician location did not seem to play a role in the likelihood that a doctor’s office would or would not bring the technology into their workplace.

Eric Jamoom, of the health care statistics division of the U.S. National Center for Health Statistics, and colleagues published their findings July 17 in the NCHS Data Brief.

More information

For more on electronic health records, visit the U.S. National Library of Medicine.

— Alan Mozes

SOURCE: U.S. Centers for Disease Control and Prevention, news release, July 17, 2012

Copyright © 2012 HealthDay. All rights reserved.

“U.S. Doctors Embracing Electronic Health Records: Survey,” HealthDay (July 17, 2012)


Patient-accessible electronic medical records may increase preventive care

Patients increased their preventive care significantly after being given access to their medical records online in a recent study. These health care consumers’ use of preventive care measures, such as cancer screenings and immunizations, was higher than that of consumers without online access to their EMRs.

Via Reuters:

In a clinical trial at eight primary care practices, researchers found that patients who used such “interactive” health records were more likely to become up-to-date on recommended preventive care.

That included screening tests for breast, colon and cervical cancers, and immunizations like the yearly flu shot.

After 16 months, 25 percent of patients who used the online records were up-to-date on their preventive care – which was double the rate of non-users.

“It’s hard to get people to take an active role in their healthcare,” said Jesse C. Crosson, an assistant professor at the UMDNJ-Robert Wood Johnson Medical School in Somerset, New Jersey.

So it’s “very encouraging” to see some benefits in this study, said Crosson, who was not involved in the work but has studied the impact of electronic health records.

In the U.S., there has been a huge push to get doctors to switch from old-fashioned paper to electronic records. That’s because digital records can, among other things, allow doctors, hospitals and other providers to communicate more easily – and hopefully cut down on errors, while getting more patients the tests and treatments they need.

Congress has authorized up to $27 billion in government incentives to get doctors and hospitals to put electronic records to “meaningful use.” And by 2015, providers will face penalties if they don’t switch.

“Meaningful use” means steps like having up-to-date medication lists for each patient, and electronically prescribing drugs.

But there hasn’t been much evidence yet that electronic records are improving Americans’ care.

In a recent study of 42 medical practices, Crosson found that switching to digital records did not seem to improve diabetes care. Patients at offices that made the switch were no more likely to be getting recommended tests and treatments than patients whose doctors had stuck with paper records.

But the new study, published in the Annals of Family Medicine, took electronic records a step farther.

Researchers randomly assigned 4,500 primary care patients to either stick with their normal care or have the chance to access personalized health records on a secure Web site.

The system automatically pulled information from patients’ electronic records at their doctors’ offices, then gave each patient a “tailored list” of preventive services they should get – like cancer screenings and immunizations. It also gave them links to educational materials on those services, and why they’re recommended.

“What we tested is a higher level of functionality than exists in current practice,” said lead researcher Dr. Alex H. Krist, of Virginia Commonwealth University in Richmond.

And it did seem to make a difference. Overall, patients who used the system were more likely to be up-to-date on their preventive care 16 months later: 25 percent were, which was up from less than 14 percent at the start of the study.

In contrast, there was little change among patients given standard care: Less than 13 percent were up-to-date on preventive care by the study’s end, which was up from 11 percent.

The problem, though, was that most people who were offered personalized health records didn’t choose to use them.

Of the 2,250 patients offered the chance, only 17 percent had done so 16 months later.

Krist said he thinks that’s largely a product of the controlled clinical trial design: People were “invited” by mail to set up online health records, and that may not have cut it.

“We didn’t field it in a way that a real medical practice would,” Krist said.

If the personal records were actually promoted at the doctor’s office, they would probably be more popular, according to Krist.

Crosson agreed that the constraints of the clinical trial were probably an important factor. “Sending something in the mail might not be the best way to get people to go online,” he noted.

Right now, the MyPreventiveCare system is in use in 14 U.S. primary care practices. But the researchers are hoping to “field” it in 300 practices over the next couple years. (The system is currently a “non-commercial” product; the research is being funded by the U.S. Agency for Healthcare Research and Quality.)

To work, the personal health records have to be integrated into doctors’ existing electronic records systems.

Crosson said he didn’t think the logistics of doing that will be the challenging part; instead, he said, the “human factor” might be.

E-records, though, are not going to magically make us healthier.

Krist pointed out that people who used the online records were more likely to get recommended cancer screenings and vaccinations. But they weren’t any more motivated to get advice on diet, exercise, smoking or weight loss, if they needed it.

That type of “health behavior change,” Krist noted, is more complicated than getting a test or a shot. And people tend to need a lot more help in making those changes.

“Technology alone isn’t the fix,” he said.

“Interactive health records may boost preventive care,” Reuters Health (July 12, 2012)


Health care system mergers slow transition to electronic medical records

Mounting economic challenges and an uncertain regulatory environment ensure that the pace of mergers in the healthcare industry will continue to accelerate, at the same time as the industry is moving into the digital age. Converting a single health care system from paper to meaningful-use certified electronic medical records (EMR) software is incredibly challenging and time consuming. Conducting such a transition while two health care entities are merging, however, is more than twice as difficult, because the potential for patient-endangering errors is very high, especially when merging non-complementary EMR systems.

Via Wall Street Journal:

Hospitals around the country are finding themselves forced to juggle the demands of moving to electronic health records, just as a wave of mergers disrupts the healthcare industry.

In the latest deal, two of New York’s biggest hospital chains, NYU Langone Medical Center and Continuum Health Partners, agreed to pursue discussions of a merger last week. The potential merger is the latest hospital marriage as healthcare systems around the country seek greater efficiency. Last year, Provena Health agreed to merge with Resurrection Health Care. Ascension Health, the nation’s largest Catholic health system, also agreed in 2011 to join with Alexian Brothers Health System.  A March report from Moody’s said that the pace of hospital mergers will only quicken, as reimbursements from both Medicare and private insurers shrink.

CIOs must handle IT integration of the merged hospitals, just as they are leading a transition to electronic medical records. Around 30% of hospitals have already made the move to electronic medical records, up from just 11% in 2009, according to Dave Garets, executive director of The Advisory Board Company, a medical research firm.

The digital transition enables them to share in federal incentives. As part of President Barack Obama’s 2009 stimulus bill, the federal government offered $19 billion to hospitals and doctors who can demonstrate they are using electronic medical records to write patient histories, order medications and report quality improvements.

The Obama administration hopes that by pushing America’s health system towards electronic records it can slow rising healthcare costs by reducing duplicate tests and human error.

If the merger went through, Mark Moroses, CIO of Continuum, would work with partners at NYU Langone to meld dozens of billing, procurement and patient care systems over the next few years. At the same time he is in the process of moving the chain of hospitals, which includes Beth Israel, St. Luke’s, and Roosevelt, to digital healthcare records. That will allow the chain to claim $20 million to $30 million in government stimulus incentives over the next four years, he told CIO Journal.

Mergers can complicate the transition to electronic records. Hospitals have different technical terms, and methods of documenting care, complicating the migration of data between the two institutions. And because patient health is on the line, there is no room for error, says Moroses.

That level of accuracy requires many test runs before the real migration occurs, with doctors and nurses scrutinizing samples of the transfer to spot out potential mistakes, says Moroses.

In order to claim the government money, Continuum will need to prove that doctors are entering data from patient charts into its GE Centricity record keeping software. Nurses already enter basic information like blood pressure and medication information into wireless computers-on-wheels (or COWs as they’re called), which are brought into patient rooms.

Moroses says even his hospital’s current level of electronic medical record adoption is paying off. Electronic records are eliminating situations in which tests might have been reordered simply because paperwork didn’t transfer to another department. Patient allergy information is instantly available to doctors, because it is digital. And medications are less likely to be delivered to the wrong room or the wrong patient—a mistake that can prove deadly. “Bad handwriting on prescriptions — I know it’s clichéd but you have a real improvement here,” Moroses said.

Over the next few months, doctors will begin entering longer patient histories, including detailed diagnoses, into the system as well. Moroses is also piloting the use of iPads with a handful of doctors. He’d like 95% of physicians across the hospital system to be using the devices over the next two years.

“The iPad is the first device with a long enough battery life,” Moroses said. “The challenge, so far, is navigating through the patient information on [the iPad’s] smaller screen.”

Moroses said Continuum is also part of a Department of Defense research project, which aims to allow the hospital to use data culled from the records to do predictive analytics. The project, which also includes John Hopkins Medical Center, will allow electronic records to produce alerts when data indicates a patient is at risk, and help researchers watch for trends on how treatments and dosage amounts affect patients.

As Continuum increases its use of electronic records, it will also have to prepare to merge its records with NYU Langone, without reversing the progress it made to secure millions in government grant money.

Moroses does not yet know what steps will go into the integration – the merger has not even been approved yet by government regulators. When it does his orders will come from the business units (“If they tell us to take a hill we’ll take a hill,” he said.)

But the experience of another major hospital chain, North Shore-Long Island Jewish Health System, which took over Lenox Hill Hospital in 2010, offers clues.

To receive $8 million in government funding, North Shore chief medical information officer Michael Oppenheim is helping Lenox Hill ramp up its electronic record keeping to the level already in place at some of North Shore’s 12 other hospitals. To reach that goal Oppenheim is migrating Lenox Hill’s data to a newer version of the Allscripts medical record keeping system. (Lenox Hill currently uses an older version made by the same company, which is not on the list of systems the federal government will reimburse.)

While most data will transfer smoothly from one system to another, in some cases terminologies used by two hospitals don’t match. For example, one hospital may call an injury a “chief malady” and the other system may call it a “primary complaint,” complicating the migration.

Oppenheim plans to increase the number of Panasonic Toughbook tablets at Lenox Hill to allow doctors to enter data from patient charts directly into the system. But getting people onboard using the new tools and following a new set of protocols is the toughest part, Oppenheim said.

“You have to explain to the leadership that there is an upside,” Oppenheim said. “You want them to buy in rather than feel this is something coming from corporate. But in the end the fall back is that they don’t have an option of not going this way.”

CORRECTION: NYU Langone Medical Center and Continuum Health Partners agreed to pursue discussions of a merger last week. An earlier version of this article stated that the two hospitals had agreed to merge. Also, Mark Moroses, CIO of Continuum, will work with partners at NYU Langone should the hospitals merge. The earlier version of this article stated that Mark Moroses is already working with those partners.

“For Hospital CIOs, Mergers Complicate Move to Electronic Records,” Wall Street Journal (June 13, 2012)


HHS settlement amounts dwarfed by total costs of data breaches

A surge in data privacy breaches and the accompanying string of recent HHS enforcement actions should serve as an important reminder to healthcare providers regarding the importance of data privacy protection and the skyrocketing costs of failures to comply. 2011 saw a 97% increase in the number of data breaches, as reported by the Salt Lake Tribune in the context of the massive breach of health information privacy in Utah earlier this month.

At the same time, HHS has stepped up its enforcement actions. Last week, we touched on the $100,000 OCR settlement with a cardiology practice in Arizona. Last month, HHS reached a $1.5 million settlement with Blue Cross Blue Shield of Tennessee (BCBST) for a breach of about 1 million unencrypted patient records which resided on over 50 stolen hard-drives. However, the $1.5 million settlement amount was dwarfed by the $17 million BCBST had to spend on notification and credit monitoring expenses, as well as investigating and correcting the breach.

The BCBST settlement is a good reminder that breaches and noncompliance can be extraordinarily expensive, even without the federal and/or state regulatory fines. A December 2011 Ponemon Institute study found that data security breaches cost the healthcare industry $6.5 billion in the year leading up to that study. Just last month, a medical records company filed for bankruptcy after its offices were burglarized and medical records of over 14,000 people were stolen. The costs and expenses associated with that breach were so high that the firm had no choice but to go out of business.

These cases also demonstrated that OCR will investigate a breach regardless of the organization’s size or reach. In fact, smaller practices should pay particular attention to these developments because a recent study showed that smaller healthcare providers are more likely to suffer a breach because their Internet and sharing practices are not likely as secure as those implemented at large healthcare provider organizations.

Basic compliance with HIPAA and the related regulations is, of course, required, but it is not a panacea. A study by the American National Standards Institute found that insufficient funding and lack of managerial support were among the key causes of security breaches of protected health information.

A HIMSS/Kroll study showed that while most of the surveyed healthcare providers are compliant with the applicable laws, regulations, and industry standards, significant security challenges remain. Employees’ compliance with the organization’s policies was the primary concern, reported by nearly half of all respondents to that survey. Constant evolution of tech devices and the way doctors and patients interact using such devices is another huge challenge, since regulations cannot keep up with the exponential rate of change in this market.

Finally, the HIMSS/Kroll study showed that healthcare providers are also concerned about third parties (e.g., contractors, business associates, and others) who have access to such providers’ patient information. As we have written previously, it is absolutely crucial to have the right contractual protections in your license and services agreements with such third parties, including indemnification or cost reimbursement provisions in the applicable Business Associate Agreements. A hacker, or an intentional theft or disclosure by an employee, may be difficult to control or prevent; but each healthcare provider can protect itself contractually against the costs associated with a data breach, if that breach was caused by the negligence of a business associate or a third party contractor.


HHS settles HIPAA violation case for $100,000, Corrective Action Plan

On April 17, 2012, HHS announced that its Office for Civil Rights (OCR) settled a HIPAA violation case against a surgery practice in Arizona for $100,000 and a Corrective Action Plan (CAP), which requires implementation of policies and procedures to prevent such HIPAA violations and breaches in the future.

Via HHS Press Release:

The incident giving rise to OCR’s investigation was a report that the physician practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible. On further investigation, OCR found that Phoenix Cardiac Surgery had implemented few policies and procedures to comply with the HIPAA Privacy and Security Rules, and had limited safeguards in place to protect patients’ electronic protected health information (ePHI).

‘This case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules,’ said Leon Rodriguez, director of OCR. ‘We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.’


HHS issues proposed rules on Stage 2 of Meaningful Use

On February 24, 2012, the Centers for Medicare and Medicaid Services (CMS) and the Office of the National Coordinator for Health IT (ONC) issued proposed rules regarding Stage 2 of Meaningful Use. The proposed rules include the criteria for demonstrating Stage 2 Meaningful Use, and address the penalties for failure to achieve Meaningful Use by 2015. HHS noted the progress made in the last few years, but also recognized the challenges facing the industry, and pushed back the attestation for Stage 2 to 2014. Via HHS Press Release:

In a November 2011 ‘We Can’t Wait’ announcement, the Department outlined plans to provide an additional year for providers who attested to meaningful use in 2011. Under today’s proposed rule, stage 1 has been extended an additional year, allowing providers to attest to stage 2 in 2014, instead of in 2013. The proposed rule announced by ONC identifies standards and criteria for the certification of EHR technology, so eligible professionals and hospitals can be sure that the systems they adopt are capable of performing the required functions to demonstrate either stage of meaningful use that would be in effect starting in 2014.

‘The proposed rules for stage 2 for meaningful use and updated certification criteria largely reflect the recommendations from the Health IT Policy and Standards Committees, the federal advisory committees that operate through a transparent process with broad public input from all key stakeholders. Their recommendations emphasized the desire to increase health information exchange, increase patient and family engagement, and better align reporting requirements with other HHS programs,’ said Farzad Mostashari, MD, ScM, National Coordinator for Health Information Technology. ‘The proposed rules announced today will continue down the path stage 1 established by focusing on value-added ways in which EHR systems can help providers deliver care which is more coordinated, safer, patient-centered, and efficient.’

The number of hospitals using EHRs has more than doubled in the last two years from 16 to 35 percent between 2009 and 2011. Eighty-five percent of hospitals now report that by 2015 they intend to take advantage of the incentive payments.

A technical fact sheet on CMS’s proposed rule is available at

A technical fact sheet on ONC’s standards and certification criteria proposed rule is available at

The proposed rules announced today may be viewed at Comments are due 60 days after publication in the Federal Register.

Secretary Sebelius announces next stage for providers adopting electronic health records, HHS Press Release (February 24, 2012).


OCR to release final breach notification rule in March

Via Healthcare Info Security:

The Department of Health and Human Services’ Office for Civil Rights has set a March target date for release of the long-delayed final version of Health Insurance Portability and Accountability Act modifications and the HIPAA breach notification rule.

Although an HHS semi-annual regulatory agenda published Feb. 13 in the Federal Register did not mention these regulations, a January ‘unified agenda’ document, with far more details, shows a March target date, notes Susan McAndrew, OCR’s deputy director for health information privacy.

The HHS regulatory agenda sets target dates, which, historically, aren’t necessarily met. And the rules don’t yet appear on the list of regulations under review by the Office of Management and Budget. OMB review is the final step before publishing a rule in the Federal Register.

‘OCR is making every effort to publish the final rules on all of the remaining HITECH Act provisions so these important protections and expansions of individual rights under the HIPAA privacy and security rules can be made available uniformly to consumers across the country,’ McAndrew told HealthcareInfoSecurity. ‘OCR is proceeding with all deliberate speed to ensure the major impacts of these regulations are fully understood and addressed.’


Data mining by hospitals may be profitable, but not risk-free

The USA Today published a story yesterday about a few hospitals using aggregated consumer data for marketing of such hospitals’ most lucrative services. The article describes several instances where such direct marketing efforts yielded significant profits for the hospitals.

We see healthcare providers using aggregated and de-identified data on a regular basis, both for marketing and research purposes. We also see third party vendors (including EHR vendors) adding data mining provisions in their license agreements, which allow such vendors to use the healthcare provider’s de-identified patient data for such vendor’s internal and commercial purposes.

While these practices are widespread and are becoming standard, they are certainly not risk-free. Healthcare providers should keep in mind that the updated HIPAA Privacy Rule (as modified by the HITECH Act) includes significant new restrictions on covered entities’ marketing efforts. Providers should make sure that their own marketing efforts, as well as the marketing activities of their subcontractors and business associates, fully comply with these recent regulations. This may require revisions to existing contracts, including Business Associate Agreements, between providers and IT vendors.

Healthcare providers should also insist on full indemnification by the IT vendors against all claims and damages arising out of such vendor’s use of the provider’s de-identified patient data. Studies have shown that de-identified data can be aggregated or de-identified inappropriately; and it can also be re-identified. Providers should protect themselves contractually prior to allowing the vendor to access and use the hospital’s data (including patient data).

The above is certainly not an exhaustive list of all potential issues associated with data mining by healthcare providers and their business partners. But the USA Today article should serve as a good reminder that healthcare providers engaging in such data mining and marketing activities must protect their organizations from liability for damages relating to such data use.

“Hospitals mine patient records in search of customers,” USA Today (February 5, 2012).


HHS extends Stage 2 Meaningful Use deadline to 2014

HHS announced today that the government intends to make it easier for healthcare providers to adopt electronic health records (EHRs). As part of this initiative, HHS decided to extend the deadline for meeting Stage 2 of Meaningful Use until 2014. Via HHS press release:

Under the current requirements, eligible doctors and hospitals that begin participating in the Medicare EHR (electronic health record) Incentive Programs this year would have to meet new standards for the program in 2013. If they did not participate in the program until 2012, they could wait to meet these new standards until 2014 and still be eligible for the same incentive payment. To encourage faster adoption, the Secretary announced that HHS intends to allow doctors and hospitals to adopt health IT this year, without meeting the new standards until 2014.

HHS also trumpeted the results of a CDC survey which found that more than half of U.S. physicians plan to take advantage of the EHR incentive program, and that the rate of EHR adoption doubled between 2008 and 2011, from 17% to 34% among physicians.

Of course, HHS did not comment on how low those numbers are. The fact remains that about two-thirds of U.S. physicians have not adopted electronic health records, and continue to use, in the Secretary’s words, the same technology as Hippocrates. The Obama administration is relying heavily on Regional Extension Centers and training efforts in order to aid healthcare enterprises in adopting EHRs.

We will update this post with links to any relevant regulations if and/or when HHS publishes them in the Federal Register.

“We Can’t Wait: Obama Administration takes new steps to encourage doctors and hospitals to use health information technology to lower costs, improve quality, create jobs,” HHS press release (November 30, 2011).


Nemours reports breach affecting 1.6 million individuals

Nemours, a children’s health system with hospitals in Pennsylvania, Delaware, Florida and New Jersey, reported a massive breach affecting 1.6 million people, including patients, employees, and vendors. Via Health Data Management:

‘On September 8, 2011, we learned that a locked tape storage cabinet containing computer backup tapes was missing,’ the delivery system said in a notice to patients. ‘We immediately began an investigation and now believe the cabinet was removed from our Wilmington facility on or about August 10, 2011, during a remodeling project. To date, we have been unable to locate the storage cabinet. We believe the cabinet contained three unencrypted backup tapes from a computer system we stopped using in 2004. No medical records were on the backup tapes, but they did contain patient billing information, including name, date of birth, insurance information, medical treatment information, and Social Security number.’ Some employee payroll data and vendor information, such as direct deposit bank account information, also was on the tapes.
Nemours began encrypting its backup data tapes and moved its rarely used tapes to a more secure off-site facility. The health system is offering a year’s worth of credit monitoring to affected individuals, which, considering the numbers involved in this breach, could be a massive, seven-figure expense.

“Nemours Notifying 1.6 Million Individuals About Breach,” Health Data Management (October 18, 2011).


HHS awards over $650 million in EHR incentive payments

HHS released the first numbers regarding its Meaningful Use incentives program, established by the HITECH Act of 2009. Unsurprisingly, most eligible professionals and hospitals receiving funds this year qualified for incentive payments under Medicaid, rather than Medicare, because Medicare has a higher threshold for receiving such payments. Medicare requires the eligible professional or hospital to achieve and demonstrate meaningful use, while Medicaid mandates only adoption, implementation or upgrade of existing systems.

Nevertheless, the extent of the disparity was somewhat surprising: only about 6% of eligible hospitals and 3% of eligible professionals qualified for meaningful use incentives under Medicare. Via Modern Healthcare:

So far, Medicaid program payments for hospitals, physicians and other eligible professionals that have adopted, implemented or upgraded to a certified EHR system have totaled $389 million. Only $264 million has been paid under the Medicare program, which has a higher eligibility threshold, requiring providers to demonstrate that they are meaningfully using their certified EHR system.

Through Aug. 31, 2,054 hospitals have registered with the CMS to receive Medicare incentive payments. Hospitals that registered as dual-eligibles need to attest to having met meaningful-use targets under the Medicare portion of the program. But only 114 of the registered hospitals—less than 6%—have attested to being meaningful users. They have split about $226 million in Medicare EHR incentive payments.

Similarly, for the same period, 71,378 physicians and other “eligible professionals” have registered with the CMS under the Medicare EHR program, but only 2,129—or about 3%—have shared in $38.3 million in Medicare EHR payments. Unlike hospitals, professionals can’t participate in both the Medicare and the Medicaid incentive programs. They must choose one.

According to the CMS, 15 hospitals have been paid solely under state-run Medicaid programs; they have received $32.9 million. In addition, 294 hospitals registered as dual-eligibles have been paid $262.2 million by Medicaid. There have been 4,463 physicians and eligible providers paid $93.9 million under Medicaid, according to the CMS.

You can find the CMS summary and charts relating to EHR incentive payments by clicking here.

“CMS: $653 million in EHR incentives paid,” Modern Healthcare (September 22, 2011).


Major data breach at Stanford Hospital

A spreadsheet containing personal data of 20,000 emergency room patients of Stanford Hospital appeared on Student of Fortune, a Web site which “crowdsources” homework to other students online. The lost data included names, admission dates, diagnoses and other sensitive information. According to the New York Times, the spreadsheet was uploaded to this site by a billings contractor of Stanford Hospital, when an employee tried to solicit help on how to create a graph from the data in the spreadsheet. As Gawker reasonably speculated, a contractor’s employee probably did not know how to create a graph and “so uploaded it to the homework helper website and offered, probably, a buck or two if someone could do it for them.”
This breach stands out among the hundreds of others not because of its size (significantly larger breaches have been reported to HHS in the last year alone), but because this breach went undetected for almost a year and because, once again, a contractor of the healthcare provider caused a major data breach. According to a privacy expert quoted in the Times, “nearly 20 percent of breaches involved outside contractors, accounting for more than half of all the records exposed,” which is a staggering number.

To protect our healthcare provider clients, we always include specific privacy protection warranties, indemnification clauses and limitation of liability carve-outs for vendor’s own negligent acts or omissions which result in a data breach or loss. Stanford Hospital’s example illustrates that providers must insist on such protections despite strenuous objections from vendors because, otherwise, providers may be exposed to a wide range of expenses and damages from third-party claims, fines, investigations and breach notification associated with a data breach or loss resulting from vendor’s actions.

The Times correctly pointed out that contract language alone is not enough, and that significant due diligence by each provider is required. Certainly, employee training for both the hospital and the business associate-type contractors is absolutely essential. Relating the seriousness and gravity of health information privacy breaches should be a key element of such training. However, having a clear termination right and a strong contractual obligation to indemnify the provider in the event a vendor causes a major breach like the one at Stanford Hospital, is a good start.
We frequently see vendor agreements either without such an indemnification clause or with severe caps on vendor’s liability. The latter is often limited to one year’s worth of fees, or, in a better scenario, all fees paid by provider to vendor under the agreement. However, in case of a major breach caused by a vendor, such caps would not allow a provider to recover its costs and damages in dealing with the breach. Therefore, carve-outs to vendor’s limitation of liability in connection with vendor’s own breaches of PHI or other confidential information are crucial.

Stanford Hospital may be exposed to significant fines under both federal and state privacy laws. In fact, another Stanford hospital (Packard Children’s) was slapped with a $250,000 fine under California law for failing to report a breach within 5 days. However, such regulatory expenses are just the tip of the iceberg: Stanford Hospital will have to spend a lot more on investigations, legal expenses, staff time, and, possibly, credit monitoring for the affected individuals.

For more information, please listen to or view the slides from our Webinar on negotiating “must-have” provisions in HIT contracts.
“Patient Data Posted Online in Major Breach of Privacy,” The New York Times (September 8, 2011).
“Stanford Hospital Suffers Comically Stupid Patient Data Leak,” (September 8, 2011).


Study: Most data breaches are caused by insiders

A survey by Veriphyr, a provider of identity and access intelligence solutions, found that insiders were responsible for over 60% of data breaches of protected health information (PHI). Specifically, 35% of the PHI breaches were due to insiders’ snooping into medical records of fellow employees, and 27% due to improper access to records of their friends and relatives.
Over 70% of surveyed entities, which included hospitals and other healthcare providers, reported suffering one or more breaches within the last 12 months. Veriphyr’s CEO estimated that data breaches cost healthcare organizations almost $6 billion annually, but found that an overwhelming majority of privacy and compliance officers within the surveyed group (79%) felt that they lacked “adequate controls to detect PHI breaches in a timely fashion.”
It is worth noting that 45% of breaches in the survey were caused by loss or theft of medical records and/or equipment holding such records. We have recently seen HHS impose a $1 million fine on Massachusetts General Hospital in a case where, it seems, records were lost by an employee due to a simple mistake and with no malice. UCLA Health System also paid a high price for its employees’ snooping into medical records of celebrities.
While it is difficult to anticipate or avoid all possible human error, certain best practices – including Board and executive-level support for privacy initiatives, staff training, and updated privacy and security policies and procedures – will go a long way to help your organization protect itself from a disastrous and costly data breach.

“Insiders responsible for majority of privacy breaches, survey finds,” Healthcare IT News (August 30, 2011).


iPad EHR app certified for meaningful use

In a sure sign of the times, Drchrono, which offers a free electronic health record platform on the iPad, became the first iPad app to receive official ONC-ATCB certification. According to Healthcare IT News, “the drchrono EHR platform has been awarded ambulatory certification (ONC-ATCB) as a Complete EHR by San Luis Obispo, Calif.-based InfoGard, an Office of the National Coordinator (ONC) Authorized Testing and Certification Body (ATCB)”. The app tracks a provider’s use of the EHR and offers them key metrics to report to CMS, and includes many other features, such as billing and e-prescribing.

This is a huge step for a mobile EHR app, but its maker’s regulatory hurdles may not be over.  Last week, we reported on the FDA potentially regulating the market of mobile healthcare devices and applications. Electronic and personal health records could be exempt from such regulation, unless the FDA adopts a broad definition of “clinical decision support,” which includes decisions based on the information given to a provider via the EHR app or device.

Moreover, use of such mobile apps or devices in healthcare presents providers with a very long list of legal concerns. Privacy and security of patient data, compliance with state and federal laws (including Stark and anti-kickback statutes), assumption of risk and liability, along with many other critical issues, should be addressed in the contract between the healthcare provider and vendor of such software.

“iPad EHR gains meaningful use certification,” Healthcare IT News (July 29, 2011).

“FDA’s mobile medical app guidelines get everybody talking,” Healthcare IT News (July 26, 2011).


UCLA Health System reaches $865,500 settlement with OCR

On July 6, 2011, the University of California at Los Angeles Health System (UCLAHS) reached a settlement with HHS’s Office of Civil Rights (OCR) regarding UCLAHS’s potential violations of HIPAA Privacy and Security Rules. The settlement includes a payment of $865,500 and a corrective action plan (CAP).

According to the HHS press release, this settlement “resolves two separate complaints filed with OCR on behalf of two celebrity patients who received care at UCLAHS. The complaints alleged that UCLAHS employees repeatedly and without permissible reason looked at the electronic protected health information of these patients. OCR’s investigation into the complaints revealed that from 2005-2008, unauthorized employees repeatedly looked at the electronic protected health information of numerous other UCLAHS patients.”

We reported on possible privacy violations at UCLA Health System before. Specifically, in May 2010, we wrote about Huping Zhou, a UCLAHS employee who was the first person to receive a criminal conviction for a HIPAA violation. It is not surprising that OCR stressed the importance of training staff in prevention of such privacy violations in the CAP required by the settlement. The CAP “requires UCLAHS to implement Privacy and Security policies and procedures approved by OCR, to conduct regular and robust trainings for all UCLAHS employees who use protected health information, to sanction offending employees, and to designate an independent monitor who will assess UCLAHS compliance with the plan over 3 years.”
Via HHS press release:

Through policies and procedures, entities covered under HIPAA must reasonably restrict access to patient information to only those employees with a valid reason to view the information and must sanction any employee who is found to have violated these policies.

“Covered entities need to realize that HIPAA privacy protections are real and OCR vigorously enforces those protections. Entities will be held accountable for employees who access protected health information to satisfy their own personal curiosity,” said Director Verdugo.

“Covered entities are responsible for the actions of their employees. This is why it is vital that trainings and meaningful policies and procedures, including audit trails, become part of the everyday operations of any health care provider,” said OCR Director Georgina Verdugo. “Employees must clearly understand that casual review for personal interest of patients’ protected health information is unacceptable and against the law.”


HHS advisory panel recommends delaying Stage 2 Meaningful Use until 2014

The HIT Policy Committee, which advises the Office of the National Coordinator for Health IT in the Department of Health and Human Services, voted 12-5 to approve a significant delay in requiring providers to meet Stage 2 Meaningful Use until 2014.  If finalized by CMS, such delay would be a welcome relief to those providers who qualified for Stage 1 Meaningful Use in 2011 (and therefore would have only a few months to commence Stage 2 Meaningful Use under the current rule).

Via Government Health IT:

The delay is among the stage 2 recommendations that the Health IT Policy Committee approved at its meeting June 8 by an overwhelming vote of 12 to 5.

The original 2013 timeframe does not give vendors enough time to design, develop, and test new functionality and providers to deploy it and report measures for one year, said Dr. Paul Tang, vice chair of the Health IT Policy Committee and chair of its meaningful use work group.

“The only group that would be affected is the early entrants who qualify for stage 1 in 2011 who get put into a bit of predicament in an unintended way,” he said. Tang is also chief medical information officer at the Palo Alto Medical Foundation.

As a result, stage 1 demonstration and attestation would continue through 2013; stage 2 would start in 2014 and stage 3 in 2015. With the revised timing, providers will still receive the same payments as originally planned. Instead of 2013, however, early entrants will have to wait to attest and receive payments for stage 2 in 2014.

You can find and download the Meaningful Use workgroup’s recommendations by clicking here.


HHS issues proposed rule on accounting of PHI disclosures

On May 31, 2011, HHS released the proposed rule on accounting for disclosures of protected health information (PHI), which would modify the HIPAA Privacy Rule pursuant to the HITECH Act. This proposed rule would give individuals the right to get a report on who has electronically accessed their PHI. Via HHS press release:

‘This proposed rule represents an important step in our continued efforts to promote accountability across the health care system, ensuring that providers properly safeguard private health information,’ said OCR Director Georgina Verdugo. ‘We need to protect peoples’ rights so that they know how their health information has been used or disclosed.’

People would obtain this information by requesting an access report, which would document the particular persons who electronically accessed and viewed their protected health information. Although covered entities are currently required by the HIPAA Security Rule to track access to electronic protected health information, they are not required to share this information with people.

The proposed rule requires an accounting of more detailed information for certain disclosures that are most likely to affect a person’s rights or interests. The proposed changes to the accounting requirements provide information of value to individuals while placing a reasonable burden on covered entities and business associates.
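Both the UCLA settlement above (which calls for audit trails as part of everyday operations) and the proposed access report described here assume that a covered entity can turn its access logs into two things: a per-patient list of who viewed a record, and a list of accesses with no valid reason behind them. The following is an added illustration of that in Python; it is not code from the blog post, from HHS or from any EHR vendor. The log format, the user and patient identifiers, the care-team table standing in for a “valid reason to view the information,” and the list of patients who are also employees are all constructed for the example.

```python
"""Per-patient access report and no-valid-reason check over EHR audit-trail lines.

Added illustration, not HHS or vendor code: the CSV layout, identifiers and
the care-team ("valid reason") table below are constructed for this example.
"""
import csv
from io import StringIO

# Constructed audit-trail sample: who viewed which patient's record, and when.
SAMPLE_AUDIT_LOG = """\
timestamp,user_id,role,patient_id,action
2011-06-01T08:02:11,nurse_17,nurse,P1001,view_chart
2011-06-01T08:05:40,dr_ellis,physician,P1001,view_chart
2011-06-01T12:14:03,clerk_03,billing,P1001,view_billing
2011-06-01T13:30:55,nurse_17,nurse,P2002,view_chart
2011-06-02T02:41:17,clerk_03,billing,P3003,view_chart
2011-06-02T09:10:00,dr_ellis,physician,P2002,view_chart
"""

# Constructed "valid reason" table: users on each patient's care or billing team.
CARE_TEAM = {
    "P1001": {"nurse_17", "dr_ellis", "clerk_03"},
    "P2002": {"dr_ellis"},
    "P3003": {"dr_kim"},
}

# Constructed: patients who are also employees of the covered entity.
EMPLOYEE_PATIENTS = {"P3003"}


def parse_audit_log(text):
    """Parse CSV audit lines into dicts; rows missing a key field are skipped, not guessed."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        if all(row.get(k) for k in ("timestamp", "user_id", "patient_id", "action")):
            rows.append(row)
    return rows


def access_report(rows, patient_id):
    """Per-patient access report: (timestamp, user, action) for every access, in time order."""
    hits = [(r["timestamp"], r["user_id"], r["action"])
            for r in rows if r["patient_id"] == patient_id]
    return sorted(hits)


def flag_unauthorized_access(rows, care_team, employee_patients):
    """Flag accesses by users outside the patient's care team.

    The reason string also notes when the patient is a fellow employee, the
    snooping pattern the Veriphyr survey post above singles out.
    """
    flags = []
    for r in rows:
        allowed = care_team.get(r["patient_id"], set())
        if r["user_id"] in allowed:
            continue
        reason = "no treatment or billing relationship"
        if r["patient_id"] in employee_patients:
            reason += "; patient is a fellow employee"
        flags.append({
            "timestamp": r["timestamp"],
            "user_id": r["user_id"],
            "patient_id": r["patient_id"],
            "reason": reason,
        })
    return flags


if __name__ == "__main__":
    rows = parse_audit_log(SAMPLE_AUDIT_LOG)
    print("Access report for P1001:")
    for ts, user, action in access_report(rows, "P1001"):
        print(f"  {ts}  {user:<10} {action}")
    print("Accesses without a valid reason:")
    for f in flag_unauthorized_access(rows, CARE_TEAM, EMPLOYEE_PATIENTS):
        print(f"  {f['timestamp']}  {f['user_id']:<10} {f['patient_id']}  ({f['reason']})")
```

In practice the care-team table would be derived from scheduling, admission and billing systems rather than hand-written, and the flagged list is a starting point for a privacy officer’s review, not a finding in itself; what the example shows is that the Security Rule’s existing access tracking already contains everything needed to produce the report the proposed rule would let patients request.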


Audit criticizes OCR and ONC over data privacy efforts

HHS’s own Office of Inspector General (OIG) issued a scathing report regarding pervasive breaches in privacy and security of patient data. OIG specifically called out the Office of Civil Rights (OCR), charged with enforcement of HIPAA Privacy and Security Rules, for failing to investigate and punish the vast majority of violators.
The audit tested seven hospitals’ compliance with HIPAA in seven different states, and found 151 vulnerabilities in the systems and controls intended to cover e-PHI, 124 of which were categorized as “high-impact” (i.e., ones which may result in costly losses, injury or death). Violations included unencrypted wireless connections, easy passwords, and even a taped-over door lock on a room used for data storage.
Via Modern Healthcare:

The audits of the seven hospitals revealed weaknesses in hospital IT defenses of electronic protected health information, or ePHI, ranging from the fact that several hospitals still were using obsolete and vulnerable encryption protocols to the fact that all seven had vulnerable access controls in which “Outsiders or employees at some hospitals could have accessed, and in one hospital did access, systems and beneficiaries’ personal data and performed unauthorized acts without the hospitals’ knowledge.”

“These vulnerabilities placed the confidentiality, integrity and availability of ePHI at risk,” the auditors said. The individual hospital audit reports were not disclosed “because the reports contained restricted, sensitive information that may be exempt from release under the Freedom of Information Act,” according to the report.

OIG also criticized the Office of National Coordinator for Health IT (ONC) for its failure to develop standards ensuring privacy and security of patient data as part of ARRA’s push for digitizing medical records:

As a yardstick for ONC performance as a security champion, the inspector general’s auditors reviewed last year’s ONC-developed interim final rule and final rule on standards, implementation specifications and certification criteria for the ARRA-funded electronic health record system incentive payment program. The auditors found both wanting.

The report’s authors differentiated between two types of security measures. One they described as “application security controls” that “function inside systems or applications to ensure that they work correctly.” Such measures include security controls covered by the ONC final rule and used in testing and certification of electronic health-record systems as able to meet meaningful-use requirements for providers participating in the federal IT incentive payment programs. An example is a requirement that certified EHRs be able to encrypt data shared between providers.

The auditors called the other type of measures “general information technology security controls,” described as “structure, policies and procedures that apply to an entity’s overall computer operation.”

An example would be a policy that requires providers to use encryption software on their systems and encrypt all data copied from an EHR and placed on a portable storage device, such as a laptop, CD or a portable thumb drive. The auditors found that the ONC had included application controls in writing its interoperability specifications for meaningful use, but that “there were no (health IT) standards that included general IT security controls.”

Other examples of general controls not addressed by the ONC but suggested for development by the report would be requirements that providers use two-factor authentication to gain access to an organization’s health IT system and policies that mandate that organizations install “patches” or bug fixes in a routine and timely manner to computers that process and store EHRs.
“Audit reports hit HHS on digital security,” Modern Healthcare (May 17, 2011).


Updates to privacy and security regulations expected soon

According to, the Office of Civil Rights (OCR) is still working on the final rule regarding the updates to HIPAA and the related HIPAA Privacy and Security Rules mandated by the HITECH Act. Susan McAndrew, deputy director for health information privacy at OCR, stated at a conference in Washington, DC, that such changes will be contained in one omnibus regulation, which is expected to be published in a matter of months, if not weeks.

Such omnibus regulation will cover:

  • HITECH Act-mandated modifications to the HIPAA privacy, security and enforcement rules. These changes, for example, formalize higher penalties for HIPAA violations and make it clear that business associates must comply with HIPAA. Last December, HHS had indicated in its semi-annual regulatory agenda that the final HIPAA modifications, many of which were issued in preliminary form last year, would be completed by March.
  • The breach notification rule. An interim final version is already in effect. OCR yanked a proposed final version of the rule last year for further consideration. Some observers speculated that the office may be reconsidering the controversial “harm standard” in the interim final version of the rule, which enables organizations to conduct a risk assessment to determine whether a security incident represents a significant risk of harm and thus merits reporting.
  • Privacy provisions under the Genetic Information Nondiscrimination Act. These provisions will formalize that using genetic information for insurance underwriting purposes is a privacy violation as well as a non-discrimination violation, McAndrew said.


Ms. McAndrew also indicated that “a notice of proposed rulemaking revealing a proposal for accounting for disclosures of information in electronic health records ‘probably’ would be issued before the omnibus set of final regulations. Once that notice is issued, OCR will accept comments before issuing a proposed rule.”

“HITECH Mandated Regs Still in Works,” (May 11, 2011).


Medicare EHR incentives attestation to begin on April 18, 2011

CMS announced that the online Attestation System for the Medicare EHR Incentive Program will launch on April 18, 2011. Eligible professionals and eligible hospitals will be able to use this online portal to self-attest to meeting the Meaningful Use criteria.

CMS also released a preview of the Attestation System. This preview includes attestation screenshots and is intended to give examples of what the attestation process will look like. CMS promised to release additional information about the attestation process soon, including “User Guides” that will give step-by-step instructions for completing attestation, along with educational webinars that describe the attestation process in depth.

Finally, CMS noted that providers will follow a similar process using their state’s Attestation System. Such providers may find their state’s scheduled launch dates of their Medicaid EHR Incentive Program by clicking here.

For more information, please visit CMS’s EHR Incentive Program web site.


California agency to investigate HealthNet

As we predicted yesterday, HealthNet’s breach of personal information of almost 2 million people is already the subject of a state government agency’s investigation.

Via Health Leaders Media:

After Health Net, Inc. in California announced Monday that several data servers containing sensitive health and personal information on its enrollees are unaccounted for, state officials said the security breach involves ‘personal information for 1.9 million current and past enrollees nationwide.’

The California Department of Managed Health Care, the only stand-alone HMO watchdog agency in the nation, also provided further details beyond the plan’s statement, saying that the missing records on nine servers are ‘for more than 622,000 enrollees in Health Net products regulated by the DMHC, more than 223,000 enrolled in the California Department of Insurance products (another state agency that has oversight responsibility) and a number enrolled in Medicare.’

‘The DMHC has opened an investigation into Health Net’s security practices,’ said DMHC spokesperson Lynne Randolph. ‘Health Net has agreed to provide two years of free credit monitoring services to its California enrollees, in addition to identity theft insurance, fraud resolution and restoration of credit files, if needed.’

This may not be the last government investigation for the embattled insurer. For more information on the breach, please click here.


HealthNet breach affects 1.9 million individuals

HealthNet, a California-based insurer, suffered another major data breach last month. Modern Healthcare reports that HealthNet lost data of almost two million employees, members and healthcare providers, including their medical information, Social Security numbers and other sensitive information. The loss was reportedly caused by a missing server drive from HealthNet’s Rancho Cordova, CA data center.  According to the insurance company’s press release, HealthNet’s IT vendor, IBM, notified HealthNet that it could not locate the drives.

As we noted previously, HealthNet suffered another major data breach in 2009, when the company lost a portable hard drive containing sensitive and protected information on 1.5 million people. As a result of that breach, HealthNet was sued by then-Connecticut Attorney General Richard Blumenthal, in the first such action under HIPAA, as modified by the HITECH Act. HealthNet and Connecticut settled this suit in 2010 for a $250,000 fine, a $500,000 contingency fund and a corrective action plan aimed at enhancing the security of the data in HealthNet’s possession.

In light of HHS stepping up enforcement of HIPAA and the HIPAA Privacy and Security Rules, HealthNet will become a likely target of both federal and state investigations; and if such investigations reveal negligence or failure to implement or comply with its own corrective action plan referenced above, the fines could be much more severe than the $250,000 number from the Connecticut settlement in 2010.

This should also serve as a reminder about the importance of requiring IT vendors to indemnify healthcare providers against such losses. If HealthNet’s investigation concludes that IBM and/or its personnel were responsible for this loss, the parties will likely look to their existing contracts and BAA to determine whether IBM will reimburse HealthNet for its costs in relation to this breach.

Via Modern Healthcare:

Woodland Hills, Calif.-based health insurer Health Net announced Monday that it had lost servers containing personal health information and demographic data for nearly 2 million current and past patients.

The breach, which affects approximately 1.9 million people nationwide, occurred in February. Health Net said it cannot account for server drives missing from a data center in Rancho Cordova, Calif. Those drives contain patients’ names, Social Security numbers and sensitive health information. It’s not the first time Health Net enrollees have experienced a breach. In 2009, 1.5 million people were affected when a portable hard drive containing patient data went missing.

According to the California Department of Managed Health Care, the breach will affect as many as 845,000 of the state’s residents. In a news release, Connecticut Attorney General George Jepsen urged the insurer to provide adequate identity protections for the 25,000 state residents whose data has been compromised.

“Health insurance companies have access to very sensitive and personal information,” Jepsen said in the release. “They have a duty to protect that information from unlawful disclosure.”

[In a press release,] Health Net said it would offer two years of credit monitoring and identity protection to affected customers. The insurer also has set up a hotline.



Cignet Health fined $4.3 million for HIPAA Privacy Rule violation

Cignet Health, a Maryland health plan and a HIPAA covered entity, has been fined $4.3 million for failing to produce health records upon request to 41 patients, and for failing to cooperate with OCR’s investigation. This is the very first civil money penalty (CMP) issued by HHS under the HIPAA Privacy Rule.

Via HHS Press Release:

In a Notice of Proposed Determination issued Oct. 20, 2010, OCR found that Cignet violated 41 patients’ rights by denying them access to their medical records when requested between September 2008 and October 2009. These patients individually filed complaints with OCR, initiating investigations of each complaint. The HIPAA Privacy Rule requires that a covered entity provide a patient with a copy of their medical records within 30 (and no later than 60) days of the patient’s request. The CMP for these violations is $1.3 million.

During the investigations, Cignet refused to respond to OCR’s demands to produce the records. Additionally, Cignet failed to cooperate with OCR’s investigations of the complaints and produce the records in response to OCR’s subpoena. OCR filed a petition to enforce its subpoena in United States District Court and obtained a default judgment against Cignet on March 30, 2010. On April 7, 2010, Cignet produced the medical records to OCR, but otherwise made no efforts to resolve the complaints through informal means.

OCR also found that Cignet failed to cooperate with OCR’s investigations on a continuing daily basis from March 17, 2009, to April 7, 2010, and that the failure to cooperate was due to Cignet’s willful neglect to comply with the Privacy Rule. Covered entities are required under law to cooperate with the Department’s investigations. The CMP for these violations is $3 million.

“Covered entities and business associates must uphold their responsibility to provide patients with access to their medical records, and adhere closely to all of HIPAA’s requirements,” said OCR Director Georgina Verdugo. “The U.S. Department of Health and Human Services will continue to investigate and take action against those organizations that knowingly disregard their obligations under these rules.”

Individuals who believe that a covered entity has violated their (or someone else’s) health information privacy rights or committed another violation of the HIPAA Privacy or Security Rule may file a complaint with OCR at

A copy of the Notice of Proposed Determination and Notice of Final Determination can be found at Additional information about OCR’s enforcement activities can be found at


New York City hospitals suffer enormous data breach

New York City’s Health and Hospital Corporation notified its patients last week of a loss of electronic files containing personal data, including PHI of some 1.7 million people. Electronic files were stolen while the information management company’s van was left unlocked and unattended.

This case should serve as a great reminder to:

  • check your existing contracts – including Business Associate Agreements – with HIT and health information management vendors, to see if such agreements contain appropriate clauses indemnifying the provider against costs, losses, fines and other expenses incurred as a result of the vendor’s loss or improper disclosure of protected personal data, including PHI;
  • make sure that same contracts do not impose a cap on vendor’s liability in the event of such breach;
  • confirm that you have a proper breach response plan in place (which should include, e.g., where applicable, procedures for notifying patients in foreign languages); if not, bring together management, legal, IT and privacy and security officers to develop such a plan as soon as possible; and
  • review your policies and procedures with respect to compliance with the HIPAA Privacy and Security Rules, especially as modified by the HITECH Act.
Via the New York Times:

On Wednesday, the agency started mailing notification letters to the victims, in 17 languages, announcing an information hot line and customer care centers at both hospitals, and offering free credit monitoring and fraud resolution services for one year. Those interested in the offer have 120 days to register. The notification text is also available online.

The hospitals corporation said it had taken “decisive steps to protect the individuals who are potentially affected,” even though there is no evidence the information, contained on computer backup tapes that were being delivered to “a secure storage location,” has been accessed or misused. It also said that the data is stored in a program “that would make it difficult for someone without technical knowledge to access the private information.”

The hospitals corporation has filed suit to hold the vendor, GRM Information Management Services, responsible for covering all damages related to the loss of the data.

For more information, please listen to or view the slides from our Webinar on negotiating “must-have” provisions in HIT contracts.

GOP bill proposes repeal of HITECH Act

Via Healthcare IT News:

The Spending Reduction Act of 2011 (H.R. 408), introduced on January 24 by Rep. Jim Jordan (R-Ohio), seeks to reduce federal spending by $2.5 trillion over the coming decade. As it does so, it singles out many federal programs for elimination.

Section 302 of the bill, titled “REPEAL OF CERTAIN STIMULUS PROVISIONS,” states that “effective on the date of the enactment of this Act, subtitles B and C of title II and titles III through VII of division B of the American Recovery and Reinvestment Act of 2009 (Public Law 111-5) are repealed, and the provisions of law amended or repealed by such provisions of division B are restored or revived as if such provisions of division B had not been enacted.”

Since the Medicare and Medicaid EHR Incentive Programs set up under the ARRA/HITECH Act of 2009 fall under division B, it would appear that the $27 billion earmarked for disbursement to healthcare providers to spur EHR adoption would fall on the chopping block were the bill ever to pass.

For good measure, Jordan’s Republican Study Committee also decrees that the enacted legislation would “further prohibit any FY 2011 funding from being used to carry out any provision of the Democrat government takeover of health care, or to defend the health care law against any lawsuit challenging any provision of the act.”

Of course, the measure has little chance of succeeding, considering it would have to pass the House of Representatives, the Senate, and avoid an almost-certain veto from President Obama. Still, the GOP-backed proposal does add a bit of uncertainty in the market.

Dave Roberts, vice president of government relations for HIMSS, is less worried about the bill being signed into law than he is about the climate it creates.

The draft has already been referred to 14 different committees in the House, he says, so it’s going to be a while before it sees any floor action.

The problem is that it’s already “creating confusion in the industry,” says Roberts. “We’ve heard from some CIOs, asking us, ‘What is this? We hear the House is going to rescind our money.’ It adds to the confusion in the whole marketplace. And providers and hospitals who want to purchase this [technology] are wondering, ‘Do I really want to start down this path?’

“We’re trying to tell people,” he says, “that this process is going on. This is only one body [of Congress]. Don’t let this be a concern.”

But, Roberts cautions: “We’re leading up to the 2012 elections. The Senate’s majority is very reduced right now. And if this is a new way of thinking, that could be concerning. So I think that while this particular bill may not pass, it’s something that has to be watched closely.”

HIMSS has issued a Legislative Action Alert on January 25, 2011. As a strong proponent of the EHR incentives program included in the HITECH Act, there is little doubt that HIMSS will be quite engaged in defending this portion of the stimulus bill.

“GOP-sponsored bill threatens MU funding,” Healthcare IT News (January 28, 2011).

Registration for CMS EHR Incentive program is now open

The Centers for Medicare and Medicaid Services (CMS) opened the registration process for eligible hospitals and professionals hoping to capitalize on the incentive payments provided under the HITECH Act. Each such hospital or professional needs to register with CMS in order to receive such payments, and CMS encourages all eligible healthcare providers to register as soon as possible.

You can find the EHR Incentives Program registration page by clicking here.

According to Government Health IT, over 4,000 providers have already registered with CMS. Several states have also launched registrations for their Medicaid incentive programs.  Moreover, hospitals in Oklahoma and Kentucky have already begun receiving incentive payments:

Kentucky processed payment to the University of Kentucky Healthcare, the university’s teaching hospital, for $2.86 million. The first payment amounts to one-third of the hospital’s overall expected amount for participating in the program, according to CMS. Oklahoma issued payments to two physicians at the Gastorf Family Clinic of Durant, Okla., for $21,250 each for having adopted certified EHRs.

Besides Kentucky and Oklahoma, registration is available for the Medicaid EHR incentive program in Alaska, Iowa, Louisiana, Michigan, Mississippi, North Carolina, South Carolina, Tennessee and Texas.

In February, registration will open in California, Missouri, and North Dakota. Other states will likely launch their Medicaid EHR incentive programs during the spring and summer of 2011.


Blumenthal to leave ONC this spring

Dr. David Blumenthal, the head of the Office of the National Coordinator for Health IT (ONC), announced yesterday in a letter to his staff that he’s leaving the ONC and returning to his position at Harvard University.

According to Dr. Blumenthal, the move was “planned” and is expected to take place this spring. Here is a copy of his letter, via Healthcare IT News:

ONC Staff:

As you know, I have told Secretary Sebelius that I will be returning to my academic home this spring, as was planned when I accepted the position of National Coordinator for Health Information Technology. While we still have important work to do together, including the assurance of a productive transition for ONC, now is the time for me to express my deep gratitude to all of my ONC colleagues, and my admiration for all you have accomplished.

We have been privileged to be at the center of a great new enterprise at an historic moment in our health care system. For years America’s health policy leaders have understood that information technology offered the opportunity for transformational improvement of the Nation’s health care system and the health of individual Americans. Yet the obstacles are formidable: our fractured health care system, our dysfunctional payment methods, the lack of an infrastructure for exchanging health information, and more.

The enactment of the Health Information Technology Economic and Clinical Health Act of 2009 handed us a rare opportunity to transcend these obstacles and to create a foundation, a strategy, and a self-sustaining movement toward a future of HIT-assisted health care. I believe we have effectively seized that opportunity, and you deserve the credit for this achievement.

Much attention has gone to the unprecedented resource commitment made by Congress and the President in HITECH – the allocation of as much as $27 billion in incentive payments to help support adoption of EHRs. The money is indeed crucial, and the Center for Medicare and Medicaid Services is doing a great job of putting it to use.

But I believe the key factor for success has been, and will continue to be, the concept of “meaningful use.” The HITECH Act recognized that EHR adoption alone would not bring about the transformative improvements that are possible with health information technology. EHRs must be used to support a new kind of information-rich health care. Meaningful use provides, for the first time ever, a consensus goal on how information should be used to enhance care. To realize its promise also requires changes in the processes of care delivery. HITECH gave ONC a major role in assisting health professionals and institutions to make these critical changes in the way care is delivered and we have begun this work in earnest.

We have successfully put in place the $2 billion support system created by HITECH, including:

  • Sixty-two Regional Extension Centers (REC), providing assistance to providers nationwide, with special attention to smaller primary care practices and rural hospitals.
  • Eighty-four community college programs to provide HIT training and build a vitally-needed HIT workforce, including training for nurses, physician assistants and other in-place health care workers.
  • Seventeen Beacon communities, demonstrating how HIT can help bring community resources together to tackle specific local health needs.
  • State grants to support local solutions for health information exchange, consonant with broader national standards.
  • A program of research and development to help us continually improve EHRs and move quickly to the next level in HIT.

It is the efforts of the ONC staff, working cooperatively with the health care professions, the states, and so many others that have brought these programs quickly into being. They are now up and running. And we are already seeing results that indicate that the national shift to EHRs and HIT-assisted care is finally underway:

  • Adoption itself has turned up: from 2008 to 2010, the proportion of primary care physicians who had adopted a basic EHR increased by half, from 19.6 percent to 29.6 percent.
  • A significant proportion of providers were already indicating in the latter part of 2010 that they plan to achieve meaningful use objectives and qualify for incentive payments: 81 percent of hospitals, and 41 percent of office-based physicians.
  • A total of 291 EHR products have already been certified to support meaningful use objectives and qualify for use under the incentive payments program.
  • Some 38,000 providers have enrolled in REC assistance programs.
  • Community college programs will “graduate” an initial class of 3,400 HIT-trained students this spring, working toward a total capacity of 10,500 in each six-month session.

We have achieved these accomplishments together, as a hard-working team with a unique opportunity to make a difference.

On a personal note, I have profoundly enjoyed getting to know you and work with you. It has been one of the highlights of my professional life. And I am confident that the progress will continue and even accelerate after I have settled back into academic life in Boston.

Best wishes to you all.

New York State plans country’s largest health information network

Via Democrat and Chronicle (Rochester):

The New York state Department of Health and a public-private partnership called New York eHealth Collaborative, or NYeC (pronounced “nice”), recently announced plans to spend $129 million in state and federal money to create a statewide network for electronic medical records, to be complete in 2014. Like the highways, they envision the network as a public utility that will allow medical providers anywhere in the state to view — with your permission — a list of your medications, any allergies and any recent X-rays or other tests that could help guide your care. The e-records network would be the largest in the country, dwarfing networks of other states and the Veterans Administration.

The planned statewide network, called Statewide Health Information Network for New York or SHIN-NY, is intended to serve more than 200 hospitals, thousands of medical practitioners and up to 20 million patients a year.

You can read more about NYeC here.


White House Panel Issues Report on Health IT

On December 8, 2010, the President’s Council of Advisors on Science and Technology (PCAST) issued its report on the importance of widespread adoption and use of health IT to improve healthcare delivery and reduce costs. The report concluded that:

information technology can help catalyze a number of important benefits including improved access to patient data, which can help clinicians as they diagnose and treat patients and patients themselves as they strive to take more control over their health; streamlined monitoring of public health patterns and trends; an enhanced ability to conduct clinical trials of new diagnostic methods and treatments; and the creation of new high-technology markets and jobs. Health information technology can also help support a range of healthcare-related economic reforms needed to address our Nation’s long-term fiscal challenges.

PCAST also recommended “nationwide adoption of a universal exchange language for healthcare information and a digital infrastructure for locating patient records while strictly ensuring patient privacy,” and tasked CMS and ONC with developing guidelines “to spur adoption of such a language and to facilitate a transition from traditional electronic health records to the use of healthcare data tagged with privacy and security specifications.”

You can view PCAST’s press release here.

You can view PCAST report here.


GAO report: EHRs can improve patient care

The U.S. Government Accountability Office (GAO) released its report on integrated delivery systems (IDSs) in healthcare. The report found that electronic health record systems (EHRs) are able to improve patient care among such IDSs.

Via GAO:

Some IDSs said that using EHRs supports their patient care strategies such as care coordination, disease management, and use of care protocols by increasing the availability of individual patient and patient population data and by improving communication among providers.

All 15 IDSs which took part in this study have implemented EHR systems. Mayo Clinic, one of the participants, reported that “the EHR helps avoid overutilization and duplication of services.”  Several other IDSs reported significant savings because of EHR use, including Marshfield Clinic in Wisconsin, which reported that its e-prescribing feature reduced “errors related to illegible handwriting and unintentional drug interactions.” In addition, Marshfield’s EHR requires physicians to consider appropriate “preferred alternatives” for prescription drugs, saving payers and patients $2.5 million in 1 year.

“Health Care Delivery: Features of Integrated Systems Support Patient Care Strategies and Access to Care, but Systems Face Challenges,” U.S. Government Accountability Office, GAO-11-49 (November 16, 2010).

Study: Data Breaches Cost U.S. Hospitals Billions

A new study by the Ponemon Institute concluded that data breaches cause enormous losses for U.S. hospitals: on average, over a two-year period, each hospital will incur about $2 million in losses due to data breaches, which results in a $12 billion cumulative loss for all U.S. hospitals.

The study also found that:

  • Most healthcare organizations experience undetected breaches of patient data due to lack of preparation and staffing. 71% of healthcare organizations reported having inadequate resources, 52% reported having appropriately trained personnel, and 69% reported having insufficient policies and procedures in place to prevent and quickly detect patient data loss; thus leaving such organizations with little or no confidence in their ability to appropriately secure patient records.
  • Protecting patient data is not a priority for 70% of hospitals, with 67% reporting having less than 2 staffers dedicated to privacy and security issues.
  • 71% do not believe the new federal regulations pursuant to the HITECH Act have significantly changed the management practices of patient records.

According to the Wall Street Journal’s Health Blog:

  • A full 60% of the organizations included in the study had more than two data breaches over the previous two years, at a cost of $2 million per organization.
  • The average breach involved 1,769 lost or stolen records.
  • Senior personnel at the organizations surveyed felt unprepared to prevent or quickly detect breaches. Some 58% of the organizations “have little or no confidence” in the ability of their organization to detect all patient data loss or theft.
  • Patients were the first to detect data breaches, report 41% of the organizations.
  • Most of the respondents have either put in place an electronic medical records system or are in the process of doing so. And 74% of those with an EHR system say it has made data more secure. Another 12% said the system made no difference in security, 10% say it made data less secure and 4% were unsure.

You can read the full study by registering here.

“Study: Data Breaches Cost Hospitals $6 Billion Per Year,” WSJ Health Blog (November 9, 2010).

U.S. healthcare providers hesitant about “offshoring” EHRs to India

Will American healthcare providers, like major companies in other sectors of the economy, outsource their electronic medical records systems and maintenance offshore, especially to an established tech industry in India? According to the Wall Street Journal, Indian technology vendors face a significant amount of skepticism regarding outsourcing health IT to India.

While major tech companies routinely utilize data centers, service desks and other products and services in India, healthcare providers are not used to such outsourcing arrangements. Indian IT companies like HCL, InfoSys, and Wipro are trying to tap into the booming health IT market in the United States. However, they face a number of important challenges, including concerns over privacy, security and integrity of protected data, breadth of experience in the industry, and ease of implementation of such systems. One prominent CIO described this challenge succinctly in the Journal:

Designing and installing new medical systems ‘is hard to do off site, let alone offshore,’ says Darren Dworkin, chief information officer of Cedars-Sinai Medical Center in Los Angeles. Cedars-Sinai is close to finishing a four-year, $100-million project to install an electronic medical-records system. Mr. Dworkin says that 80% to 90% of the work isn’t the sort of commodity coding that is easily outsourced, instead requiring an intimate knowledge of the hospital’s terminology and how its doctors and nurses work.

You can read the full article by clicking here.

“Qualms Arise Over Outsourcing Of Electronic Medical Records,” Wall Street Journal (November 2, 2010).


Our column in Government Health IT on RECs and HIT contracts

Government Health IT published a column by Steve Fox and yours truly on the critical role Regional Extension Centers (RECs) can and should play in distributing best practices regarding contracting for health IT systems, including EHRs. Via Government Health IT:

RECs have the potential to serve as a valuable resource, especially for remote and underserved paper-based primary practices. However, RECs could be doing a disservice to physicians by failing to advise or provide them with essential EMR contract negotiation skills.

With HITECH Act incentives expiring in just a few years, healthcare providers will likely get only one chance to qualify for the full amount of the incentive payments. Thus, successful implementation and operation of an EMR system by the selected health IT vendor becomes critical to each healthcare organization trying to achieve “meaningful use” and take advantage of the incentive program.

In this environment, strong and effective contracts between healthcare providers and health IT vendors are especially significant, because such agreements can provide adequate protections, safeguards and other rights for the provider-customer in the event a vendor defaults or otherwise fails to perform to the provider’s satisfaction.

You can read the full column by clicking here.


WSJ: Major consolidation among HIT vendors likely

The HITECH Act added over $27 billion to an industry whose publicly traded companies’ combined market cap is below that, around $25 billion. Such dramatic expansion of the industry will likely lead to significant consolidation among HIT vendors. We have already seen a merger between Eclipsys and Allscripts this summer (which became final last month); and now Cerner, another leading HIT vendor, has entered into a partnership with MedAssets, Inc., a company that specializes in Internet-based financial improvement systems. Via the Journal:

As that funding makes its way to health-care IT companies, it’s likely to necessitate a lot more consolidation in an industry that’s currently very fragmented. For instance, hospitals are not only looking to reduce the number of different IT systems they use in-house, they also want more seamless ways of connecting to doctors’ offices and insurers.

“We’re at the beginning of the single fastest transformation of any industry in U.S. history,” said Glen Tullman, chief executive of the health-care IT company Allscripts Healthcare Solutions Inc. (MDRX). […] Tullman said he expects a lot more deals to come in the industry. He said that some of that consolidation will likely take place among the companies that provide IT systems to hospitals, a list that includes Allscripts, privately held Epic Systems Corp., General Electric Co. (GE), Cerner, Germany-based Siemens AG (SI), McKesson Corp. (MCK) and privately held Medical Information Technology Inc., commonly known as Meditech. Tullman declined to comment on what companies he expects to make deals.

You can read more at the Wall Street Journal web site here.

“Health-Care IT Sector Shaking Up As Medical World Goes Digital,” Wall Street Journal (October 15, 2010).


CCHIT certifies 19 complete EHRs and 14 EHR modules

On October 1, 2010, CCHIT announced certifications of 19 “complete” EHR products, including, for example, Epic products for both hospitals and eligible professionals, and Allscripts and GE Centricity products for eligible professionals.

CCHIT also certified 14 “module” EHR products, from vendors which applied for certification of their products as complete EHRs “but testing could not be completed on a small number of criteria (such as electronic prescribing) because planned updates to the test procedures by NIST were not available at the time of testing.” Such “EHR Module” certified products may seek certification as complete EHRs in the near future. Via Healthcare IT News:

The Certification Commission for Health Information Technology announced Oct. 1 that it has tested and certified 33 Electronic Health Record products under the ONC-ATCB program.

CCHIT is one of three Approved Testing and Certification Bodies, designated by the Office of the National Coordinator (ONC). The other two are the Drummond Group and InfoGard Laboratories, Inc.

The ATCBs certify that the EHRs are capable of meeting the 2011/2012 criteria supporting Stage 1 meaningful use. Certification is required to qualify eligible providers and hospitals for funding under the American Recovery and Reinvestment Act (ARRA).

The CCHIT certifications include 19 Complete EHRs, which meet all of the 2011/2012 criteria for either eligible provider or hospital technology, and 14 EHR Modules, which meet one or more – but not all – of the criteria.

“CCHIT announces 33 certifications,” Healthcare IT News (October 1, 2010).

Free Webinar: HIPAA Privacy & Security Rules Update

On Thursday, October 7, 2010, from 1:00PM to 2:00PM, Post & Schell, in collaboration with Kroll Fraud Solutions, will present a free webinar examining the crucial changes and updates to the HIPAA Privacy and Security Rules included in the Notice of Proposed Rulemaking (NPRM) issued by the Office for Civil Rights of the U.S. Department of Health and Human Services on July 8, 2010. Post & Schell’s Steve Fox and Vadim Schick will highlight the key provisions in the NPRM, including:

  • New restrictions on use and disclosure of protected health information (PHI) for marketing, fundraising, and other commercial purposes
  • Providing patients with e-copies of their PHI
  • Extension of HIPAA Privacy and Security Rules to business associates
  • Effect of new rules on business associate agreements

In addition, our guest presenter for this webinar, Alex Ricardo, CIPP, of Kroll Fraud Solutions, will discuss the practical implications of this new set of regulations on covered entities and business associates, including:

  • Assessing an organization’s policies, procedures and practices for compliance with the HIPAA Rules and these updates
  • Reviewing current contractual agreements and relationships with business associates and their subcontractors
  • Training staff of the organization
  • Breach preparedness and breach response

You can view this presentation at your desk. There is no charge or limit to the number of people who can listen to the presentation on the same line. Click the following link to register for the webinar: register now. After registering, you will receive log-in information for this webinar by

For more information, contact Vadim Schick at or 202-661-6945.


CCHIT and Drummond picked as ONC-ATCBs

Via HHS Press Release:

The Certification Commission for Health Information Technology (CCHIT), Chicago, Ill. and the Drummond Group Inc. (DGI), Austin, Texas, were named today by the Office of the National Coordinator for Health Information Technology (ONC) as the first technology review bodies that have been authorized to test and certify electronic health record (EHR) systems for compliance with the standards and certification criteria that were issued by the U.S. Department of Health and Human Services earlier this year.

Announcement of these ONC-Authorized Testing and Certification Bodies (ONC-ATCBs) means that EHR vendors can now begin to have their products certified as meeting criteria to support meaningful use, a key step in the national initiative to encourage adoption and effective use of EHRs by America’s health care providers.

“Less than two months following the issuance of final meaningful use rules, we have approved our initial ONC-ATCB certifiers. EHR vendors can begin immediately to get their products certified,” said David Blumenthal, M.D., national coordinator for Health Information Technology. “This is a crucial step because it ensures that certified EHR products will be available to support the achievement of the required meaningful use objectives, that these products will be aligned with one another on key standards, and that doctors and hospitals can invest with confidence in these certified systems.”

Applications for additional ONC-ATCBs are also under review.

Certification of EHRs is part of a broad initiative undertaken by Congress and President Obama under the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was part of the American Recovery and Reinvestment Act (ARRA) of 2009. HITECH created new incentive payment programs to help health providers as they transition from paper-based medical records to EHRs. Incentive payments totaling as much as $27 billion may be made under the program. Individual physicians and other eligible professionals can receive up to $44,000 through Medicare and almost $64,000 through Medicaid. Hospitals can receive millions.

To qualify for the incentive payments, providers must not only adopt, but also demonstrate meaningful use of, certified EHR systems. The law envisions that defined meaningful use requirements will help ensure that the patient and provider benefits of EHRs are realized. Initial meaningful use criteria were defined in a final rule issued by the Centers for Medicare & Medicaid Services (CMS) on July 28.

In addition to the CMS rule, ONC also issued standards and certification criteria for EHRs on July 28, aimed at ensuring that EHR systems will support the specific tasks required under meaningful use. Also, through regulations issued on June 24, ONC created a system by which technology review organizations could also qualify as ONC-ATCBs that will certify EHR products as meeting the requirements necessary for meaningful use.

With the initial two ONC-ATCBs now named, EHR vendors can apply to them for certification of their products. By purchasing certified products, providers will have assurance that the products will support achievement of the meaningful use objectives.

“Multiple steps are underway to carry out the intent of Congress in supporting rapid and effective adoption of EHRs throughout our health care system,” Dr. Blumenthal said. “The naming of initial ONC-ATCBs is one important step. Actual certification of multiple vendors’ systems by the ONC-ATCBs is an important next step. CMS is also working to create an online system for providers to register and attest for the EHR incentive programs. The first incentive payments are targeted to be made in May 2011. Meanwhile, ONC is also carrying out new programs of technical assistance and training, especially for smaller hospitals and physician practices.”

Dr. Blumenthal said the Health IT initiative “is on an aggressive schedule to meet the urgent targets set by Congress and the President toward realizing the quality and safety improvements that we can achieve through health information technology.”

To learn more about the ONC-ATCBs named today visit and

For more information about the ONC certification programs visit

For more information about other HHS Recovery Act Health Information Technology funding and programs, visit

CCHIT to launch certification process on September 20, 2010

According to Karen Bell, MD, chair of the Certification Commission on Health Information Technology (CCHIT), her organization will begin accepting applications for HHS certification as early as September 20, 2010.  Via Healthcare IT News:

CCHIT is authorized to offer HHS certification for complete EHRs that meet all of the Stage 1, 2011/2012 HHS/ONC criteria, as well as certification for modular EHR products that meet one or more – but not all – of the criteria, Bell said.

According to Bell, CCHIT plans to launch its authorized HHS certification program on Sept. 20 at 1 p.m. Eastern time with a Town Call Webcast describing its application and testing process. CCHIT will take new health IT developer applications immediately after the Webcast and the first group of HHS certified complete EHRs and EHR modules will be announced within weeks of that launch.

In addition to HHS certification, CCHIT will continue to offer its CCHIT Certified program for ambulatory and inpatient EHR products that exceed the HHS/ONC criteria and are designed for hospitals and physician practices that are looking for assurance of more robust, integrated EHR products to support the unique needs of its clinicians and patients. Many of these products will also be HHS certified, Bell said.

You can read more about CCHIT’s plans here.


eWeek: Top 10 Reasons to avoid EHRs stored in a “cloud”

eWeek provides a great reminder of the dangers of signing up for an electronic health records system stored in a “cloud.”  Such ASP/SaaS EHR models are attractive to many practices because they offer consistent (though not always lower) monthly fees and require no equipment purchases or installations.  However, as eWeek appropriately summarized, choosing an ASP provider should raise quite a few concerns, including:

  • Access: who has access to your information (including your patients’ protected health information)? How safe is it? Perhaps even more importantly, do you have access to your own information? Each ASP contract must deal with access issues, and clearly state that the provider will always have the right to access its own information stored on remotely hosted servers. Similarly, vendors should warrant that only the necessary personnel will access provider’s records, and only in accordance with the scope of the agreement between the parties.
  • Storage and disposal: Where is the data actually stored, and what regional or international laws may apply to such information? Also, what happens if the provider ceases to exist? eWeek reminds us that in 2001, “GE Healthcare bought health records provider Encounter EHR and eventually ended up shutting it down – giving records holders 30 days’ notice to reclaim their data or lose it. This caused a great number of problems.” While such instances are rare, what if the vendor storing your records is acquired by another company? Once again, your contracts should clearly deal with these issues, especially by providing that in the event the vendor is sold or goes out of business, provider has the right to terminate the agreement and the vendor must immediately return all of provider’s data in its possession in the format specified by the provider.
  • Cost: Does choosing ASP/SaaS model save money? According to eWeek, not necessarily: “Allscripts’ MyWay service costs $700 per month per health care provider. GE Healthcare’s new Centricity Advance service will cost doctors from $300 to $800 a month. Most client-server software packages are much less expensive.”

As mentioned above, all of these issues, and the others identified in the eWeek summary, should be subject to contract negotiations between the parties.  Frequently, ASP vendors use click-wrap license terms and non-negotiable contracts.  Healthcare providers should resist the pressure to simply sign such standard forms, because failure to negotiate these agreements will expose your organization to very substantial risks with respect to, inter alia, control of and access to data, and the privacy and security of the stored PHI.

“Data Storage: Storing Health Records in the Cloud: 10 Reasons Why It’s a Bad Idea,” eWeek (17, 2010).


Steve Fox interviewed by InformationWeek about EHR contracts

Our own Steve Fox was interviewed by InformationWeek regarding the essential protections healthcare providers should include in their EHR contracts with health IT vendors.  In particular, Steve warned providers against simply accepting vendor agreements without carefully reviewing and negotiating the key provisions therein. Via InformationWeek:

“Many health IT vendors offer online contracts that prompt the physician to click the ‘agree’ button. Unfortunately some of these agreements have no warranties and in fact disclaim many standard warranties, so the vendors are selling their products ‘as is,’ which means if something goes wrong they are not responsible,” Fox told InformationWeek after his presentation. “Some contracts even go further and say if a third party, for example the patient, would sue as a result of a problem with the EHR, the physician has to indemnify and defend the vendor even if it was the vendor that caused the problem.”

Steve also opined on the reluctance of vendors to promise meeting future regulatory requirements, including the upcoming standards for Stages 2 and 3 of meaningful use:

“We do know there will be new meaningful use requirements for Stage 2 and 3, and it’s a moving target. Many vendors are unwilling to agree to future, unknown regulations, saying ‘We don’t know what we don’t know,’ but vendors need to remember that providers are paying them a lot of money for support and maintenance to meet those requirements. This is a big area of tension between providers and vendors right now,” Fox said.

Finally, Steve offered a few suggestions on some of the critical provisions relating to data access and ownership, as well as safeguarding the privacy and security of protected data:

For those providers adopting software-as-a-service models to outsource their EHRs, Fox recommends that providers restrict vendors from holding data “hostage” and ensure unfettered access to customer data, including protected health information (PHI), on vendors’ systems.

He also said providers should insist that vendors routinely back-up data and mandate the return of customer data upon termination of the contract as well as ensure security of data and access to such data if the vendor goes out of business.

With regard to security, Fox said providers need to stress confidentiality of PHI and make clear who owns the data and establish guidelines for the use of data by a vendor. Healthcare providers should also negotiate agreements that include intellectual property issues, obligations of nondisclosure, remedies for breach of patient information, and indemnification obligations.

“Health IT Contracts Offer Little Protection For Buyers,” InformationWeek (August 24, 2010).


Advisory panel submits recommendations to HIT Policy Committee regarding health data exchanges

On August 19, 2010, the “tiger team” advisory panel submitted a letter to the HIT Policy Committee, established pursuant to the HITECH Act, proposing new safeguards for personally identifiable information on health information exchanges.  Via Bloomberg Business Week:

The recommendations were developed in response to a specific set of privacy-related questions raised by the Office of the National Coordinator for Health Information Technology. They touch upon and clarify topics such as patient consent and the use of third-party service providers in the exchange of personally identifiable health information.

<…> One of the bigger recommendations relates to patient consent. The direct exchange of electronic patient data between health providers for treatment purposes does not require any additional patient consent, the panel noted. The same rules that apply to paper or faxed exchanges of health information should apply in the electronic realm as well.

The HIT Policy Committee will have to review and approve the proposed safeguards.

Bloomberg Business Week described some of the proposed safeguards:

However, any data exchange that involves a third-party does require specific and “meaningful” patient consent, the letter noted. Any such consent also needs to be transparently and easily revocable by the patient at any time, the panel said.

The letter also recommended further exploration of technologies that allow individuals to exercise more granular control over the data for instance permitting the exchange of certain kinds of health data, but not all.

Third-party service organizations should also not be allowed to collect, use or share personal health data for any purposes other than what’s specified in their service agreements, the panel recommended.

Third parties should also be required to retain personal health data only for as long as it is reasonably needed and should then be required to destroy the data, the panel said.

All third parties having access to patient health information also need to comply with the privacy and security requirements of HIPAA.

“Panel drafts privacy recommendations for health data exchanges,” Bloomberg Business Week (August 19, 2010).


NIST Publishes Approved Testing Procedures for EHRs
In efforts to help the nation’s health care industry make the transition to the digital age in an effective and meaningful fashion, the National Institute of Standards and Technology (NIST) has published a set of approved procedures for testing information technology systems that work with electronic health records (EHRs). Released in draft form earlier this year (see “NIST, Partners Develop Testing Infrastructure for Health IT Systems,” NIST Tech Beat for March 16, 2010, at, the approved and finalized testing procedures are now available for use.

Under a certification program established by the U.S. Department of Health and Human Services Office of the National Coordinator (HHS/ONC), testing organizations authorized by HHS/ONC can use the tools to evaluate EHR software and systems that vendors would like to sell to doctor’s offices, hospitals and other health care providers. Starting next year, the federal government will provide extra Medicare and Medicaid payments to health care providers that implement EHR systems certified to meet ONC requirements that conform to technical standards and are put to “meaningful use,” performing specifically defined functions.

These ONC-approved test procedures help ensure that electronic health records function properly and work interchangeably across systems developed by different vendors. The set of 45 approved test procedures evaluate components of electronic health records such as their encryption, how they plot and display growth charts, and how they control access so that only authorized users can access their information.

The development of these tools was mandated by the American Recovery and Reinvestment Act (ARRA) in order to support a health IT infrastructure.

Notice of the approved test procedures appears in the August 9, 2010, Federal Register. For more information, see and


CMS launches web site for incentive payment programs

CMS launched a very useful Web site providing an overview of the Medicaid and Medicare incentive payment programs established by the HITECH Act.  The site provides up-to-date, detailed information and many important links and “fact sheets” about the incentive programs, including overviews of CMS’s final rule on meaningful use, the scope of the incentives program, and a Frequently Asked Questions section.

It is definitely worth saving or bookmarking this site, so that you can check back in easily for regular updates.


Final breach notification rules delayed

On August 19, 2009, pursuant to the HITECH Act, the Department of Health and Human Services (HHS) published the interim final regulations regarding breach notification requirements for health care providers and other entities covered by HIPAA. The rule became effective on September 23, 2009.

During the 60-day public comment period, HHS received 120 comments, after which HHS developed a final rule and submitted it to the Office of Management and Budget (OMB) for regulatory review on May 14, 2010.  However, on July 27, 2010, HHS issued a statement that it is withdrawing the final rule from OMB:

HHS is withdrawing the breach notification final rule from OMB review to allow for further consideration, given the Department’s experience to date in administering the regulations. This is a complex issue and the Administration is committed to ensuring that individuals’ health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur. We intend to publish a final rule in the Federal Register in the coming months.

HHS’s withdrawal remains a bit of a mystery.  However, Post & Schell’s Ed Shay has a couple of thoughts, which you can read after the jump.

Ed Shay believes one of the reasons could be the controversy regarding the “harm threshold” element of the rule, which we discussed earlier this year.  This “harm threshold” essentially requires the organization which discovers a breach to undergo a risk assessment test to determine whether a breach would cause “significant harm” to the affected person.  According to Ed:

Apart from the politics of the IFR, there is the underlying reality of asking the industry to reach reasonably consistent determinations on risk of harm. I am sure many on this list have now been through the exercise of evaluating risk of harm, an exercise which leaves room for a wide range of judgment in my opinion. Some covered entities will over-report, others will under-report [especially when reporting a 500+ breach may invite a large penalty for the underlying unauthorized use or disclosure]. I think that the guidance on what goes into the risk of harm analysis is quite limited, even when one pursues the reference to the OMB circular, or state law which varies greatly on what constitutes reputational harm. Based upon almost one year of reported HIPAA breaches that have very likely been compared by OCR to breaches reported under state laws in states with no risk of harm proviso, OCR may be finding that a lot that OCR expected to be reported is not being reported–with the inference being that risk of harm has proven too judgment dependent in its implementation.

If risk of harm is not the issue, then I would offer that finalizing subcontractor BAs would have to precede finalizing breach notification. If subcontractor BAs survive the proposed rule, then reporting upstream has to be addressed in final breach notification rules.

You can find HHS’s brief press release on the subject by clicking here.


Rite Aid settles FTC and OCR privacy charges

The Rite Aid Corporation, the third largest pharmacy chain in the United States, reached a major settlement with both the Federal Trade Commission (FTC) and HHS’s Office for Civil Rights (OCR) regarding charges that Rite Aid violated federal privacy and security laws and regulations by failing to keep its customers’ and employees’ data safe.

Rite Aid employees were reported to discard prescriptions and pill bottles containing sensitive patient data into the dumpsters behind various Rite Aid pharmacies, which were easily accessible to the public.  Such practices violate the HIPAA Privacy Rule, which requires covered entities to safeguard the privacy of patient information, even when such information is being destroyed.  Rite Aid’s actions may also have violated the company’s own promises to its customers regarding keeping their health information private and secure (this broken promise being the basis for the FTC’s charges).

In addition, OCR and the FTC found that Rite Aid:

  • failed to implement adequate policies and procedures to appropriately safeguard patient information during the disposal process;
  • failed to adequately train employees on how to dispose of such information properly;
  • failed to employ a reasonable process for discovering and remedying risks to personal information; and
  • did not maintain a sanctions policy for members of its workforce who failed to properly dispose of patient information.

Pursuant to their settlement with HHS, Rite Aid agreed to pay HHS a cool $1 million and agreed to implement a strong corrective action program (lasting 3 years) which includes:

  • Revising and distributing its policies and procedures regarding disposal of protected health information and sanctioning workers who do not follow them;
  • Training workforce members on these new requirements;
  • Conducting internal monitoring; and
  • Engaging a qualified, independent third-party assessor to conduct compliance reviews and render reports to HHS.

Finally, Rite Aid has also agreed to external independent assessments of its pharmacy stores’ compliance with the FTC consent order, which will be in place for 20 years.

The FTC and OCR previously filed charges against CVS Caremark, another major pharmacy chain, which was reported to have engaged in violations similar to Rite Aid’s.

The current economic conditions require most organizations to do more with less. The unfortunate end result is that long-term projects, such as major privacy and security compliance reviews and overhauls, get postponed and overlooked.  The Rite Aid and CVS cases should remind covered entities and other organizations responsible for keeping patient information safe that neglect or procrastination with regard to privacy policies and practices can lead to major fines, PR embarrassments and excessive compliance and legal costs.

It is also key to remember that your organization must comply with its own privacy policies and procedures — otherwise, FTC can charge your organization for “false promises,” as was the case with Rite Aid.  In order to comply with such policies, however, your organization must train the staff about the critical importance of privacy.  Without such training, all the policies and procedures will be rendered entirely ineffective.

You can read the full OCR press release by clicking here.

You can read the full FTC press release by clicking here.


CMS issues final rules on Meaningful Use

On July 13, 2010, CMS issued the final rule defining “meaningful use” and establishing the parameters and requirements for eligible professionals, hospitals and other providers to receive incentive payments provided under the HITECH Act for widespread adoption of electronic health records.  According to CMS, the key changes included in the final rule (from the meaningful use NPRM published in the Federal Register on January 13, 2010) include:

  • Greater flexibility with respect to eligible professionals and hospitals in meeting and reporting certain objectives for demonstrating meaningful use. The final rule divides the objectives into a “core” group of required objectives and a “menu set” of procedures from which providers may choose any five to defer in 2011-2012. This gives providers latitude to pick their own path toward full EHR implementation and meaningful use.
  • An objective of providing condition-specific patient education resources for both EPs and eligible hospitals and the objective of recording advance directives for eligible hospitals, in line with recommendations from the Health Information Technology Policy Committee.
  • A definition of a hospital-based EP as one who performs substantially all of his or her services in an inpatient hospital setting or emergency room only, which conforms to the Continuing Extension Act of 2010.
  • Inclusion of CAHs within the definition of acute care hospital for the purpose of incentive program eligibility under Medicaid.

You can learn more about it from the HHS press release by clicking here.  Also, the New England Journal of Medicine published an excellent summary by Dr. Blumenthal of the changes included in the final rule.

At the same time, ONC issued another final rule, finalizing the “standards and certification criteria for the certification of EHR technology, so eligible professionals and hospitals may be assured that the systems they adopt are capable of performing the required functions.”  You can find a copy of this final rule by clicking here.

Stay tuned for much more analysis of the final rules published today, as well as the changes to HIPAA Privacy and Security Rules issued by OCR last week.


Enrollment standards recommendations released

We dedicate much of our time to the implications of and regulations stemming from the American Recovery and Reinvestment Act of 2009 (ARRA).  However, this year’s historic health reform legislation (the “Affordable Care Act” or “ACA”) also contains a number of significant provisions affecting the health IT industry.  (We discussed the ACA’s health IT provisions in a recent guide to the health reform legislation crafted by the American Health Lawyers Association, which you can find here.)

In particular, Section 1561 of the Affordable Care Act tasks the HIT Policy and Standards Committees (established last year pursuant to ARRA) to develop a set of standards which would facilitate enrollment in federal and state health and human services programs, including drafting “standards for electronic matching across state and federal data; retrieval and submission of electronic documentation for verification; reuse of eligibility information; capability for individuals to maintain eligibility information online; and notification of eligibility.”

On July 19, 2010, the Enrollment workgroup of these advisory committees issued their recommendations with respect to minimum enrollment standards.  Their recommendations will be the subject of a rule the agency must issue by September 30, 2010.  The workgroup’s recommendations include the use of web-based services, easing enrollment procedures for patients, and creating “business rules” (sets of policies and procedures aimed at promoting “the use of standard data elements and verification and help to deal with ambiguity of information and differences in data so program officers can make decisions about eligibility.”)

You can learn more about the Enrollment workgroup’s recommendations via Healthcare IT News or, in greater detail, via ONC’s web site.

“Health IT panel offers first enrollment standards details,” Healthcare IT News (July 20, 2010).


HHS issues NPRM on HIPAA Privacy, Security and Enforcement Rules

On July 7, 2010, HHS issued a notice of proposed rulemaking (NPRM) regarding the changes to the HIPAA Privacy, Security and Enforcement Rules, as provided in the HITECH Act, in order “to strengthen the privacy and security protections for health information and to improve the workability and effectiveness of the HIPAA Rules.”  Via HHS Press Release:

The proposed modifications to the HIPAA Rules include provisions extending the applicability of certain of the Privacy and Security Rules’ requirements to the business associates of covered entities, establishing new limitations on the use and disclosure of protected health information for marketing and fundraising purposes, prohibiting the sale of protected health information, and expanding individuals’ rights to access their information and to obtain restrictions on certain disclosures of protected health information to health plans. In addition, the proposed rule adopts provisions designed to strengthen and expand HIPAA’s enforcement provisions.

“Notice of Proposed Rulemaking to Implement HITECH Act Modifications,” HHS Press Release (July 7, 2010).


CMS plans to integrate quality reporting programs under Medicare and HITECH Act

As required by the Patient Protection and Affordable Care Act (PPACA), the Centers for Medicare and Medicaid Services (CMS) announced this week that it plans to integrate the quality reporting requirements for physicians’ Medicare payments with the reporting requirements for healthcare providers who achieve meaningful use under the HITECH Act.  Via Healthcare IT News:

Under the Physician Quality Reporting Initiative (PQRI), physicians who participate in Medicare can receive incentives for reporting various quality measures, a select number of which are aimed at those who want to report using EHRs.

Providers who become meaningful users of EHRs, as laid down by the American Recovery and Reinvestment Act (ARRA), will also be eligible for incentive payments. A final rule on that is expected soon.

CMS has requested public comment on how it should integrate the two programs, included within a proposed rule about changes in Medicare physician payments for 2011. CMS expects to publish the proposed rule July 13.

“In an effort to align PQRI with the EHR incentive program, we propose to include many ARRA core clinical quality measures in the PQRI program, to demonstrate meaningful use of EHR and quality of care furnished to individuals,” the proposed rule says.

Meaningful use measures that physicians could use for PQRI reporting through electronic health records include such things as blood pressure measurement for hypertension, body mass index screening and prevention care follow up, and drugs to be avoided in the elderly, according to CMS.

You can find a copy of the proposed rule here.

“CMS to align two quality reporting programs,” Healthcare IT News (June 29, 2010).


Breaking: ONC releases final rule on temporary EHR certification

On June 18, 2010, the Office of the National Coordinator for Health IT issued a final rule, 45 CFR Part 170, establishing a temporary EHR certification program for the purposes of testing and certifying health information technology.

The National Coordinator will utilize the temporary certification program to authorize organizations to test and certify Complete Electronic Health Records (EHRs) and/or EHR Modules, thereby making Certified EHR Technology available prior to the date on which health care providers seeking incentive payments available under the Medicare and Medicaid EHR Incentive Programs may begin demonstrating meaningful use of Certified EHR Technology.

You can find the new final rule here.

You can find ONC’s “Fact Sheet” and Q&A regarding certification here.


HLM: OCR to release privacy and security rules in two weeks

OCR will release proposed rules later this month [or ‘about two weeks or around June 26th’] on most of the HIPAA privacy and security-related provisions in HITECH, according to the North Carolina Healthcare Information and Communications Alliance (NCHICA).

<…> NCHICA reports the proposed rules will not include accounting for disclosures, which will be the subject of a separate proposed rule. The NPRM will also include clarification regarding “willful neglect” (penalty tiers).

Currently, that represents the most egregious breach of unsecured PHI and can include a penalty of at least $1.5 million under new HITECH tiers in the enforcement final rule.

The state alliance also reports state attorneys general (SAG) are “developing training programs, including information for SAG staff, covered entities and business associates regarding HIPAA requirements and processes for filings with HHS, based on lessons learned from the first AG filing in Connecticut.” Under HITECH, state AGs can pursue lawsuits for HIPAA violations, and Connecticut’s AG was the first to do so.

OCR is expected to begin its HITECH-required compliance audits next year, the alliance reports. OCR’s audits will be outsourced because its resources are limited, according to the e-mail.

“Much remains to be decided,” Susan McAndrew, JD, deputy director for Health Information Privacy, for OCR, said in the “Quiz the Regulator” session on June 7.

“State Alliance: Proposed HITECH Regulations Coming in Two Weeks,” Health Leaders Media (June 15, 2010).


Updated: breaches and fines on the rise

The number of reported health information breaches is growing rapidly: 32 breaches were reported on the OCR web site from September 2009 to February 2010, but the number almost tripled, to 93 breaches, by June 11, 2010.  Such significant increases in reported breaches may be attributed to the notification and reporting requirements in the HITECH Act, which went into effect this year.  We cannot possibly report or list all of the relevant breaches, but we would like to highlight a few important ones:

  • On May 28, 2010, reported that “Cincinnati Children’s Hospital Medical Center is beefing up its computer security after a laptop computer containing more than 61,000 patient records was stolen.”  Information lost included not only PHI, but also Social Security numbers and even credit card data.  The records on the laptop were password protected, but they were not encrypted.  The hospital reported the breach, hired a consulting company to deal with same, and offered affected individuals ID theft protection at no charge.  The cost of this breach has already been extremely high, but it could be even higher if credit card companies go after Children’s Hospital for losses associated with loss of improperly stored credit card information.
  • The California Department of Public Health fined five California hospitals a combined $675,000 for patient privacy violations: failing to prevent unauthorized access to the confidential medical information of 245 patients, whose records were improperly accessed by a total of 32 employees.  On June 10, 2010, the Press-Enterprise reported that one of these, Community Hospital of San Bernardino, was fined $325,000 for breaches of more than 200 patient records by two employees in 2009.  The violations were significant but, considering the size of the fine, hardly gruesome.


In the first of the two San Bernardino incidents,

an unidentified radiology technician accessed 204 records for 177 patients between Jan. 10, 2009, and Feb. 22, 2009, without having a clinical reason to do so. The investigation report doesn’t indicate whether the employee used the information she got or contacted the patients.

In a second investigation, inspectors found that a medical imaging department employee allowed a friend who was visiting her into a restricted access room where the employee worked. The visitor could overhear patients discuss their personal information with the employee, a report states.

This should serve as an important reminder of the far-reaching nature of medical privacy law, both federal and state.  California has a particularly strict medical privacy law, enacted in 2008.  A breach is not just a lost laptop, a hacking incident or a deliberate look at a celebrity’s records, as we saw last year in California; it covers a wide range of conduct, including an employee letting a visitor into a room where patient information can be overheard.  Hospitals and other providers should pay close attention to the fast-changing regulatory environment, create or modify their policies and procedures accordingly and, perhaps even more crucially, train their staff to follow them, since both San Bernardino incidents involved authenticated, authorized users rather than any technical compromise.

“Missing records on stolen laptop from Cincinnati Children’s Hospital,” (May 28, 2010).

“SB hospital fined $325,000 for breach of patient records,” Press-Enterprise (June 10, 2010).

“Large Patient Information Breaches List Nears Century Mark,” Health Leaders Media (June 16, 2010).


Posted in ARRA, Higher Ed, HIPAA, HITECH Act, News, Privacy & Security

Allscripts and Eclipsys announce $1.3B merger

Allscripts and Eclipsys announced a $1.3 billion merger, which some analysts tout as a match “made in heaven” because of Allscripts’s strength in the ambulatory space and Eclipsys’s strength on the acute care side.  The merger is expected to close in four to six months; the combined company will have around 5,500 employees.  The merger will also pose challenges for the combined entity, and some customers worry that it will distract management from dealing with existing issues.  However, analysts believe that Allscripts’s smooth merger with Misys in 2008 is a good sign that this one will succeed.

Both companies are looking to capitalize on the projected rapid growth in adoption of health IT, driven in part by the incentives created by ARRA.  According to the Congressional Budget Office, adoption of electronic health records by physician practices is expected to rise from 12% in 2011 to 90% by 2019.

This merger is yet another sign of future consolidation in the healthcare industry, both on the vendor side, and on the provider side, as enterprises try to minimize costs and maximize revenue in the ever-changing and often uncertain business environment.

“Allscripts-Eclipsys: ‘A match made in heaven’ – mostly,” Healthcare IT News (June 10, 2010).

Posted in ARRA, Higher Ed, HITECH Act, News, Privacy & Security

ONC approves Maryland’s HIT plan

On June 7, 2010, Maryland’s Lt. Governor Anthony Brown announced that the Office of the National Coordinator for Health IT (ONC) approved Maryland’s state health IT plan, allowing the state to move forward with implementing a functional health information exchange (HIE).  According to the Washington Business Journal, ONC will release $25 million in ARRA funds to Maryland for use in connection with the state’s HIE:

Proponents of the exchange say it will cut costs and improve health care quality by streamlining the transfer of electronic health data between hospitals, physicians and patients.

The Chesapeake Regional Information System for our Patients, the nonprofit tasked with implementing the exchange, has already begun work with $10 million in state money. The federal approval leaves the plan’s funding “fully unrestricted,” said CRISP Program Director Scott Afzal, allowing them to broaden the goals of the exchange and engage more hospitals. Much of their work lies in finding health care providers to sign on to the exchange when there is no state or federal legal requirement to do so, according to Afzal.

‘We have to show a value proposition to connect,’ he said.

The project is estimated to cost roughly $20 million, although it will be scoped to available funding.


On April 29, 2010, CRISP selected Axolotl Corp. as the vendor for its core HIE platform.  When complete, CRISP aims to connect 47 acute care hospitals, 7,900 physicians and ancillary provider sites.

“Lt. Governor Brown Speaks at Health Information Technology Forum, Touts Federal Recognition of Maryland’s Health IT Plan,” Press Release from Lt. Governor Brown (June 7, 2010).

“Maryland HIE Picks Platform Vendor,” Health Data Management (April 29, 2010).


Posted in ARRA, Higher Ed, HITECH Act, News, Privacy & Security

Study: 94% of healthcare businesses not in substantial compliance with HITECH and HIPAA

A new survey by the Ponemon Institute, an organization dedicated to advancing responsible information and privacy management practices, found that almost all surveyed organizations were not in substantial compliance with HIPAA, including as modified by the HITECH Act.  The survey was conducted in November 2009, but Ponemon does not expect the results to have changed much since.

Ponemon Institute’s survey of 77 healthcare organizations, including 42 covered entities and 35 business associates, found (via BNA):

  • 27 percent of the health care organizations had not started and were “barely aware” of what was required;
  • 32 percent of the organizations were waiting for more details;
  • 14 percent of organizations surveyed had a plan but were waiting for more details on the requirements;
  • 21 percent of the organizations surveyed were just beginning to act on becoming compliant;
  • 79 percent of organizations do not regularly have the required independent assessment or audit of their program to determine adequacy; and
  • 57 percent reported having known deficiencies for privacy or security.

You can find the full survey here.

“Study Finds Majority of Health Care Entities Not Compliant with HIPAA, HITECH Provisions,” BNA Health IT Law & Industry Report (May 24, 2010).

Posted in ARRA, Higher Ed, HIPAA, HITECH Act, News, Privacy & Security

Medical associations sue FTC over Red Flags Rule

Just days before the latest enforcement deadline for the Red Flags Rule (“RFR”), medical and osteopathic associations sued the Federal Trade Commission (FTC) over the applicability of the RFR’s identity theft prevention requirements to their member organizations.  The FTC is to begin enforcing the Rule on June 1, 2010.  Among other claims, the medical associations are asking the U.S. District Court for the District of Columbia to bar the FTC from defining healthcare providers as “creditors” under FACTA.  According to Health Data Management:

‘The worst part is, I think, from a strictly ethical point of view, that you have to approach every new patient with suspicion about their identity,’ said AMA spokesman Robert Mills. ‘That violates every precept of the physician-patient relationship; the FTC is asking doctors to violate their role as trusted healer and counselor.’

The physician groups say that the rule requires them to set up identity theft prevention and detection programs, which aren’t necessary, and said the FTC was ‘arbitrary and capricious’ in extending the application of the law to them. Also, the extension of the Red Flag Rule to doctors would do nothing to improve care, the physician groups say.

<…> According to the lawsuit, complying with the Red Flags Rule ‘imposes significant burdens on physicians, particularly sole practitioners, and those practicing in small groups.’

Since most personal health information is already protected by HIPAA, including as modified by the HITECH Act, the medical associations argue that the additional safeguards imposed by the RFR are simply unnecessary.  In addition, the American Bar Association succeeded in excluding lawyers from the RFR’s requirements, and the physicians argue that the same exemption should apply to healthcare professionals.

We will keep you posted on developments in this case.  However, until the court rules on the AMA’s motion, healthcare organizations should plan around the June 1, 2010 enforcement date for the Red Flags Rule.  Click here for more information on the RFR requirements, keeping in mind the new enforcement date.

“Lawsuit: Red Flags Rule Violates Doctor/Patient Relationship,” Health Data Management (May 21, 2010).


Posted in ARRA, Higher Ed, HIPAA, HITECH Act, News, Privacy & Security

OCR adds investigators to boost security rule enforcement

According to Health Data Management, Susan McAndrew, deputy director for privacy at the Department of Health and Human Services’ Office for Civil Rights (OCR), announced at a recent conference that OCR has added investigators to its 10 regional offices in order to boost enforcement of the HIPAA Privacy and Security Rules.

On August 3, 2009, HHS Secretary Kathleen Sebelius transferred the responsibility for HIPAA Security Rule enforcement from CMS to OCR, which is now tasked with enforcement of both the HIPAA Security Rule and the HIPAA Privacy Rule.

While the transition from CMS to OCR “took longer than expected,” Ms. McAndrew believes that OCR is finally in a position to increase enforcement efforts in order to realize the privacy and security initiatives enacted last year pursuant to the HITECH Act.

We’re hoping to move security to the forefront and make it a real partner with privacy in our enforcement… [and] that with additional feet on the ground, we’ll be able to do many more security cases as the year moves forward.

“OCR Boosting Security Enforcement,” Health Data Management (May 12, 2010).

Posted in ARRA, Higher Ed, HIPAA, HITECH Act, News, Privacy & Security

Prison sentence for hospital employee who breached patient privacy

Back in January, we wrote about Huping Zhou, a former employee of the UCLA Healthcare System, who pleaded guilty to federal charges arising from breaches of patient privacy.  Zhou, 48, accessed the UCLA patient records system 323 times during a three-week period, mostly looking for the files of celebrities, after being told he would be let go by the hospital.  The names of the targeted celebrities have not been revealed.

On April 27, 2010, Zhou was sentenced to four months in prison after pleading guilty to four misdemeanor counts of HIPAA violations. Zhou is the first person ever sentenced to prison for violating HIPAA.  According to NBC Los Angeles:

Federal officials say Zhou is a licensed cardiothoracic surgeon in China. In 2003, he went to work for UCLA as a researcher with the UCLA School of Medicine. But his tenure was short and stormy. School officials notified him that he would be dismissed in October that year, and that’s when federal officials say the snooping began.

In his plea agreement, Zhou admitted his actions, and that he had no legitimate reason for accessing the records. Federal authorities say there’s no evidence that he did it for profit. Apparently, he just did it because he could.

“Former UCLA Healthcare Worker Sentenced to Prison for Snooping,” NBC Los Angeles (April 28, 2010).
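Both insider cases on this page, the San Bernardino radiology technician who opened 204 records for 177 patients with no clinical reason and Zhou, who kept querying the UCLA system after being notified of his dismissal, leave the same footprint in the access audit trail that the HIPAA Security Rule’s audit-control standard already requires covered entities to keep. The following is an added example of the two checks a security team would run over such a trail; it is not code from UCLA, from the hospitals named above or from any EHR vendor. The log format, the HR termination feed, the treatment-relationship table, the user ids, the dates and the thresholds are all constructed assumptions for illustration.

```python
"""Two detections over an EHR access-audit trail.

Added example; not code from UCLA, the hospitals named on this page or any
EHR vendor. The log format, the HR feed, the treatment-relationship table,
the user ids, the dates and the thresholds are all constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit records: ISO timestamp, user id, patient id, action.
AUDIT_LOG = """\
2009-10-20T09:02:00,dr_lee,P1001,view
2009-10-20T09:30:00,dr_lee,P1002,view
2009-10-21T22:14:00,researcher_x,P2001,view
2009-10-21T22:15:00,researcher_x,P2002,view
2009-10-21T22:16:00,researcher_x,P2003,view
2009-10-22T23:01:00,researcher_x,P2004,view
2009-01-12T08:05:00,rad_tech_y,P3001,view
2009-01-12T08:06:00,rad_tech_y,P3002,view
2009-01-12T08:07:00,rad_tech_y,P3003,view
2009-01-12T08:08:00,rad_tech_y,P3004,view
2009-01-12T08:09:00,rad_tech_y,P3005,view
2009-01-12T10:00:00,rad_tech_y,P3006,view
"""

# Constructed HR feed: the date a user was notified of dismissal. The
# account should have been disabled that day; any later access is a finding.
TERMINATION_DATES = {"researcher_x": datetime(2009, 10, 21)}

# Constructed treatment relationships: (user, patient) pairs backed by an
# order, encounter or scheduled procedure. Accesses outside this set have
# no documented clinical reason.
TREATMENT_RELATIONSHIPS = {
    ("dr_lee", "P1001"), ("dr_lee", "P1002"),
    ("rad_tech_y", "P3001"), ("rad_tech_y", "P3006"),
}


def parse_log(text):
    """Parse the constructed CSV lines into (timestamp, user, patient, action)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split(",")
        rows.append((datetime.fromisoformat(ts), user, patient, action))
    return rows


def accesses_after_termination(rows, termination_dates):
    """Return (timestamp, user, patient) for every access on or after the
    user's termination date: the post-dismissal snooping pattern."""
    hits = []
    for ts, user, patient, _action in rows:
        cutoff = termination_dates.get(user)
        if cutoff is not None and ts >= cutoff:
            hits.append((ts, user, patient))
    return hits


def snooping_candidates(rows, relationships, window=timedelta(hours=1),
                        min_patients=3):
    """Return {user: peak count} for users who open at least min_patients
    distinct charts with no treatment relationship inside any window of the
    given length: the 'many patients, no clinical reason' pattern."""
    unexplained = defaultdict(list)
    for ts, user, patient, _action in rows:
        if (user, patient) not in relationships:
            unexplained[user].append((ts, patient))
    flagged = {}
    for user, events in unexplained.items():
        events.sort()
        for i, (start, _patient) in enumerate(events):
            in_window = {p for t, p in events[i:] if t - start <= window}
            if len(in_window) >= min_patients:
                flagged[user] = max(len(in_window), flagged.get(user, 0))
    return flagged


if __name__ == "__main__":
    audit = parse_log(AUDIT_LOG)
    for ts, user, patient in accesses_after_termination(audit, TERMINATION_DATES):
        print(f"POST-TERMINATION ACCESS {ts:%Y-%m-%d %H:%M} {user} -> {patient}")
    for user, peak in snooping_candidates(audit, TREATMENT_RELATIONSHIPS).items():
        print(f"SNOOPING CANDIDATE {user}: {peak} unrelated charts within 1h")
```

The first check is the cheap one and is really a control failure made visible: an account that is still usable after the HR notice date should not exist, so the detection is a backstop for prompt deprovisioning. The second check is where the real work is, because the treatment-relationship set has to be fed from scheduling, orders and encounter data, and the window and threshold need tuning per department (a registrar legitimately touches dozens of charts an hour; a researcher at 11 p.m. does not).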

Posted in ARRA, Higher Ed, HIPAA, HITECH Act, News, Privacy & Security

In the news: patient privacy edition


  • HHS’s Office for Civil Rights (OCR) filed a notice in the Federal Register lifting a requirement that had prevented OCR from posting the names of sole practitioners who suffer breaches of patient data without first obtaining their consent.  Under the HITECH Act, any covered entity reporting a breach affecting more than 500 individuals must report it to HHS, which posts a notice of the breach on its web site.  Until now, HHS had not posted the names of individual physician practices (e.g., sole practitioners) without the physician’s consent, because it deemed the physician’s name to be protected under the Privacy Act of 1974; instead, such breaches were listed under “private practice.”  On April 16, 2010, however, OCR announced that it will begin posting on its breach notification web site the names of entities it considers “individuals” regardless of whether those entities consent.  According to HealthLeaders Media, the change will take effect after the comment period closes (about May 23, 2010).
  • Government Health IT reports that OCR will issue more privacy and security rules mandated by the HITECH Act in May 2010, including rules regarding business associate liability; new limitations on the sale of protected health information, marketing, and fundraising communications; and stronger individual rights to access electronic medical records and restrict the disclosure of certain information.  According to HHS, “OCR continues work on a Notice of Proposed Rulemaking (NPRM) regarding these provisions. Although the effective date (February 17, 2010) for many of these HITECH Act provisions has passed, the NPRM and the final rule that follows will provide specific information regarding the expected date of compliance and enforcement of these new requirements.”
  • On April 23, 2010, the HIT Policy Committee’s privacy and security workgroup revealed a draft technical framework for patient consent requirements, titled Basic Patient Privacy Consent (BPPC).  According to Federal Computer Week, the draft framework includes “at least 12 types of patient consents, including implicit and explicit opt-out and opt-in, authorizations for specific research projects and authorizations for use of the document but not for republishing.”


Posted in ARRA, Higher Ed, HITECH Act, News, Privacy & Security

Wall Street Journal on EMRs and HIEs

On April 13, 2010, the Wall Street Journal published two fascinating articles on health information technology.  In “Can Technology Cure Health Care?” Jacob Goldstein examined the complexities and major risks of adopting electronic medical records.  Goldstein also suggested a few high-level policies for managing those risks: designing the software with patient care in mind (rather than around billing and other administrative tasks); customizing the software to fit the unique needs of one’s organization; and taking the time to implement the EMR in a carefully crafted, staged manner.

The last recommendation seems to be indeed crucial to a successful EMR implementation, but it will likely put many healthcare providers trying to capitalize on HITECH incentive payments in a peculiar situation.  Such providers must carefully balance their need to achieve “meaningful use” in a short time frame, while preventing as many disruptions to patient care as possible.

In “Breaking Down the Barriers,” Laura Landro examined the state of regional health information organizations (RHIOs) and health information exchanges (HIEs).  While RHIOs and HIEs are still rare, the number of such electronic patient data exchanges grows every day; according to the Journal, it increased by 57% over the past year.  Such exchanges are also likely to benefit from HITECH Act funding distributed by HHS.

There is an interesting nexus between these two articles:  interoperability and exchange.  A successful widespread adoption of EMR technology seems to depend upon different EMRs talking to each other, and different – including competing – healthcare providers exchanging patient information.  While EMRs may only marginally improve patient care in each individual hospital, they are likely to have a far greater impact as part of a nationwide health information exchange.

“Can Technology Cure Health Care?” Wall Street Journal (April 13, 2010).

“Breaking Down the Barriers,” Wall Street Journal (April 13, 2010).

Posted in ARRA, Higher Ed, HITECH Act, News, Privacy & Security

CHIME comments on EHR certification NPRM

In a letter to Dr. David Blumenthal, the College of Healthcare Information Management Executives (CHIME), which represents 1,400 healthcare chief information officers, offered some criticism of ONC’s recent notice of proposed rulemaking (NPRM) on the EHR certification program.  While CHIME expressed general support for a two-stage approach to creating the certifying bodies, the CIOs are worried about the destabilizing effect such a rule may have on the health IT market.  Via Healthcare IT News:

“We are very concerned that the introduction of a two-stage approach for certification will prolong the current instability in the health IT marketplace, which exists because of the un-finalized status of meaningful use and certification regulations,” CHIME wrote. “The introduction of two separate certification schemes – one temporary and one permanent – carries a risk of continuing the uncertainty and promoting needless product replacement in the marketplace.”

To combat such uncertainty, CHIME called for:

  • The temporary process to be a provisional or interim one that builds on current certification strategies and is “harmonized” with the eventual permanent certification process.  According to CHIME, certification should be the responsibility of the vendor, and its purpose should be to assure healthcare providers and professionals that the product they are purchasing can help them achieve meaningful use.
  • More specificity in language to define what constitutes a self-developed EHR. Current wording in the regulation suggests that any complete EHR or EHR module that’s modified by a healthcare provider or a contractor could require certification.
  • Changes in certification requirements be made only when they are necessary to meet meaningful use evolution or advance interoperability, not just because a certain amount of time has passed.
  • If CMS maintains the “adoption year” approach originally advanced in proposed regulations, providers should not be required to have products certified for capabilities not required in their current adoption year.
  • Individual EHR modules be certified to ensure that they can communicate according to adopted standards, and that the interoperability of those modules as used by providers be deemed as certified.
  • HIT vendors fully disclose functions for which their products are certified and fully disclose known compatibility issues.
  • In the event of a certification body losing its authority to certify products, vendors should have six months to recertify products, and providers should not be penalized for a change in a product’s certified status if they are still able to demonstrate the meaningful use of the technology.
Posted in ARRA, Higher Ed, HITECH Act, News, Privacy & Security

In the news: Senators request easing of meaningful use requirements; HHS releases over $267M for RECs and more


  • A group of 37 U.S. Senators sent a letter to HHS Secretary Kathleen Sebelius expressing concern about the current definition of meaningful use.  The senators urged the Secretary to “allow providers to ‘temporarily defer a limited set of IT goals’ without otherwise changing the ultimate timeline or requirements of the program.”  The senators also sought to change the eligibility determination based on Medicare provider numbers, since many healthcare providers have multiple medical campuses under one such number.  According to Sen. Max Baucus (D-MT), such changes would “improve the guidelines HHS has set in [a] way that will encourage widespread use of basic, functional IT tools and improve patient care.”
  • HHS released over $267 million in stimulus funds to 28 non-profit Regional Extension Centers (RECs).  This latest award brings the total number of stimulus-funded RECs to 60, which are expected to support 100,000 primary care providers and hospitals within two years.  According to Secretary Sebelius, these 28 awards “represent [HHS’s] ongoing commitment to make sure that health providers have the necessary support within their communities to maximize the use of health IT to improve the care they provide to their patients.”
  • Thomson Reuters released its annual study identifying the 100 top U.S. hospitals based on their overall organizational performance. The 10 areas measured are: mortality, medical complications, patient safety, average length of stay, expenses, profitability, patient satisfaction, adherence to clinical standards of care, and post-discharge mortality and readmission rates for acute myocardial infarction, heart failure, and pneumonia. The study has been conducted annually since 1993. Is your hospital one of the 100 Top Performing Hospitals? Find out here.
  • According to the Baltimore Business Journal, a proposed Maryland law could change how primary care providers do business, by creating a patient-centric primary care delivery system whereby insurance companies would financially reward primary care providers for better outcomes.  However, the new law would also ease patient privacy rules by allowing greater sharing of patient information among medical practices and insurance companies. The law will likely pass with little or no opposition.
Posted in ARRA, Higher Ed, HITECH Act, News, Privacy & Security

ONC publishes white paper on consent options

The Office of the National Coordinator for Health IT (ONC) has published on its web site a white paper analyzing the policy choices involved in obtaining consent for electronic health information exchange.  The paper examines the concept of patient control over health information, focusing on “the issues, nuanced considerations, and possible tradeoffs associated with the various consent options to help facilitate informed decision making.”  While the paper was written by researchers at the George Washington University under contract with ONC, ONC states clearly in the preamble that the white paper does not represent the views of ONC or HHS.

You can find the full paper (and the attachments) by clicking here.  You can view the executive summary by clicking here.

Posted in ARRA, Higher Ed, HITECH Act, News, Privacy & Security

In the news: medical ID theft on the rise; CHIME comments on meaningful use; and more

  • A Javelin Strategy & Research survey found over 275,000 cases of medical identity theft in 2009, twice as many as in 2008, with an average cost of more than $12,000 per incident.  Keeping health information safe will be of paramount importance in the next decade, especially considering the steep rise in the use of electronic health records.  According to a study by IDC, a research firm, “about a quarter of all Americans — 77 million people — already have an EHR, up from 14% in 2009.”  By 2015, experts believe the figure could reach 60%, partly because of the transformation of the health IT industry by the HITECH Act.
  • In its comments to CMS on the meaningful use NPRM, the College of Healthcare Information Management Executives (CHIME) argued that the present “all or nothing” approach to achieving meaningful use will prevent significant numbers of eligible providers from receiving any incentive payments under the HITECH Act.  According to American Medical News:

Among CHIME’s suggestions: a gradual implementation process that would allow physicians to qualify for incentives by achieving 25% of meaningful use objectives by 2011, 50% by 2013, 75% by 2015, and 100% by 2017.

‘Without an approach that rewards progress or provides sufficient time, organizations with limited resources will likely have little chance of qualifying for payments, thus widening the ‘digital divide’ in the country,’ CHIME wrote.

  • The U.S. Senate passed a bill that, if approved by the House and signed by the President, would narrow the definition of “hospital-based” eligible professionals to those practicing in an inpatient or emergency room setting.  Because hospital-based professionals are excluded from the incentive payments, this change would make the Medicare and Medicaid EHR incentives available to a far wider range of eligible professionals.
  • CCHIT may be getting some competition from the Drummond Group, which announced plans to become an ONC-Authorized Testing and Certification Body (ONC-ATCB) for EHR technology.

“U.S. Senate backs expanded physician eligibility for MU,” (March 11, 2010).

“Drummond Group in EHR testing for the ‘long term’,” Healthcare IT News (March 12, 2010).

“Patient Billed for Liposuction as Medical Theft Rises,” (March 23, 2010).

“As health data goes digital, security risks grow,” (March 22, 2010).

“EMR meaningful use rules warrant gradual approach,” American Medical News (March 17, 2010).


Posted in ARRA, Higher Ed, HIPAA, HITECH Act, News, Privacy & Security

Slides from webinar on negotiating “must-have” provisions in HIT contracts


Last Thursday, March 18, 2010, from 1:00PM to 2:00PM (EDT), Post & Schell hosted the second webinar in a series examining the effects of meaningful use and other HITECH Act regulations on the healthcare industry.

The webinar focused on identifying and negotiating the essential elements of HIT agreements, particularly in light of the HITECH Act and related HHS regulations regarding “meaningful use” of “certified EHR technology.” Post & Schell’s Steve Fox and Vadim Schick, along with Jim Oakes, Principal at Health Care Information Consultants, discussed:

  • Warranty, limitation of liability and privacy and security provisions in HIT contracts
  • Structuring payments to correspond with certain achievement milestones
  • Acceptance testing procedures
  • Provisions specific to vendor-financing transactions
  • ASP / SaaS models of software licensing

If you missed the presentation, you can listen to the podcast here. You can also view the slides from our presentation here.

This webinar was the second in a series devoted to structuring vendor-provider agreements in the post-HITECH Act world. If you missed our first webinar, A Lawyer’s Take on “Meaningful Use,” you can still view the slides from that presentation here.

Posted in ARRA, Higher Ed, HIPAA, HITECH Act, News, Privacy & Security

OCR delays enforcement of certain HITECH provisions

In a much-anticipated move, the Office for Civil Rights (OCR) within the Department of Health and Human Services has issued an update delaying enforcement of certain HITECH provisions while confirming enforcement of others.  Via OCR press release:

OCR will implement important privacy and security provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act through notice and comment rulemaking, as required by the Administrative Procedure Act. These provisions include: business associate liability; new limitations on the sale of protected health information, marketing, and fundraising communications; and stronger individual rights to access electronic medical records and restrict the disclosure of certain information. OCR continues work on a Notice of Proposed Rulemaking (NPRM) regarding these provisions. Although the effective date (February 17, 2010) for many of these HITECH Act provisions has passed, the NPRM and the final rule that follows will provide specific information regarding the expected date of compliance and enforcement of these new requirements.

However, interim final rules implementing HITECH Act provisions in two areas have already been issued and are currently in effect: enforcement and breach notification. New civil money penalty amounts apply to HIPAA Privacy and Security Rule violations occurring after February 17, 2009. Covered entities and business associates must comply now with breach notification obligations for breaches that are discovered on or after September 23, 2009. OCR announced previously that it would use its enforcement discretion not to impose fiscal sanctions with regard to breaches discovered before February 22, 2010. Since that date has passed, OCR will enforce the Breach Notification Interim Final Rule, including with the possible imposition of sanctions, as it does with the HIPAA Privacy and Security Rule requirements.

You can find out more here.

“HITECH Act Rulemaking and Implementation Update,” OCR Press Release (March 18, 2010).

Posted in ARRA, Higher Ed, HITECH Act, News, Privacy & Security

Steve Fox Interviewed on Negotiating EHR Agreements

As if foreshadowing our upcoming webinar on negotiating EHR license agreements in the post-HITECH world, For the Record interviewed our own Steve Fox on this very subject in its February 15, 2010 cover story:

Steve Fox, senior partner and chair of the IT group at the law firm Post & Schell, says such strategies will be critical to an implementation’s ultimate success. For instance, he says vendors’ guarantees that their platform will meet meaningful use thresholds should be discounted.

“I’d be surprised if [satisfying] the final regulations will be achieved by a vendor doing anything,” he says. “Ultimately, it will be up to individual physicians’ offices or provider organization to achieve meaningful use, and in order to do it, they will need that vendor’s help. I have to laugh when I see those guarantees, ‘If you buy our product, you’ll achieve meaningful use,’ because nobody can make that claim. On the other hand, the failure of the vendor’s product can cause you to fail to achieve meaningful use. That’s why it is so important that you have tight provisions in the contract saying that whatever you want that vendor’s product to achieve, it will meet those particular objectives.

“Many vendors use the phrase ‘We don’t know what we don’t know’ as a way to say they can’t try to comply with future regulations, but our position is if you are in the HIT arena, you have to agree up front to comply with whatever they are,” he adds.


You can read the full article here.

“IT Vendor Negotiations in the ARRA Era,” For the Record (February 15, 2010).


Posted in ARRA, Higher Ed, HITECH Act, News, Privacy & Security

Breaking: ONC releases NPRM on certification programs

ONC announced the release of the much-anticipated Notice of Proposed Rulemaking (NPRM) on certification programs.  Via ONC press release:

Certification of Health IT will provide assurance to purchasers and other users that an EHR system, or other relevant technology, offers the necessary technological capability, functionality, and security to help them meet the meaningful use criteria established for a given phase. Providers and patients must also be confident that the electronic health IT products and systems they use are secure, can maintain data confidentially, and can work with other systems to share information. Confidence in health IT systems is an important part of advancing health IT system adoption and allowing for the realization of the benefits of improved patient care.

Eligible professionals and eligible hospitals who seek to qualify for incentive payments under the Medicare and Medicaid EHR Incentive Programs are required by statute to use Certified EHR Technology. Once certified, Complete EHRs and EHR Modules would be able to be used by eligible professionals and eligible hospitals, or be combined, to meet the statutory requirement for Certified EHR Technology.


To this end, an NPRM proposing the establishment of certification programs for purposes of testing and certifying health information technology was issued in March 2010 with a request for comments. The NPRM proposes:

* A temporary certification program to assure the availability of Certified EHR Technology prior to the date on which health care providers seeking the incentive payments would begin to report demonstrable meaningful use of Certified EHR Technology.

* A permanent certification program to replace the temporary certification program.

You can learn more about this new NPRM here.

You can find the full text of the NPRM here.


Posted in ARRA, Higher Ed, HITECH Act, News, Privacy & Security

Free Webinar on Meaningful Use: Slides included below

Here are the slides from our February 25, 2010 webinar on Meaningful Use. This webinar was the first in a series, and focused on the critical definition of “meaningful use” of “certified EHR technology,” as described in proposed regulations released and published by CMS pursuant to the HITECH Act on January 13, 2009. Steve and I discussed:

  • Key policy goals and objectives behind meaningful use
  • Measures required to achieve meaningful use
  • Structure of incentive payments under Medicare and Medicaid
  • Eligibility requirements for professionals and hospitals

Our next webinar, to be held on Thursday March 18, 2010, from 1:00 to 2:00 PM, will focus on how to negotiate software and EHR licensing agreements and other transactional issues with respect to dealing with health IT vendors.

For more information, please contact me at or 202-661-6945.

Posted in ARRA, Higher Ed, HITECH Act, News, Privacy & Security

OCR may delay enforcement of business associate provisions in the HITECH Act

Pursuant to the HITECH Act, on February 17, 2010, business associates of covered entities became subject to the HIPAA Privacy and Security Rules, including provisions regarding implementation of various safeguards to secure protected health information. As Steve Fox pointed out in a recent report on the subject by the Pittsburgh Business Journal, it is highly unlikely that most companies are ready to comply with these dramatic changes.

However, according to Hunton & Williams’s privacy blog, Adam Greene of the HHS Office of Civil Rights (OCR) stated at an ABA conference on February 18, 2010, that OCR will delay enforcement of this provision of the HITECH Act until the relevant regulations are finalized.  OCR itself did not publish a press release on the subject, and we were unable to reach Mr. Greene for comment.

Regardless of OCR’s intent to enforce compliance, the business associate provisions in the HITECH Act went into effect last week.  We would strongly encourage all covered entities and business associates to take all necessary actions to comply with the new law.

“Privacy policies over electronic health records expand reach,” Pittsburgh Business Journal (February 19, 2010).

“HHS Delays Enforcement of HITECH Act Business Associate Provisions,” Privacy & Information Security Law Blog (February 19, 2010).

Posted in ARRA, Higher Ed, HIPAA, HITECH Act, News, Privacy & Security

Thursday: Free Webinar on “Meaningful Use”

On Thursday, February 25, 2010, from 1:00 PM to 2:00 PM (EST), Steve Fox and yours truly will host a free webinar, the first in a series, which will focus on the critical definition of “meaningful use” of “certified EHR technology,” as described in proposed regulations released and published by CMS pursuant to the HITECH Act on January 13, 2009. We will discuss:

  • Key policy goals and objectives behind meaningful use
  • Measures required to achieve meaningful use
  • Structure of incentive payments under Medicare and Medicaid
  • Eligibility requirements for professionals and hospitals

You may view each of these presentations at your desk. There is no charge or limit to the number of people who may listen to each presentation on the same line. Click here to register. After registering, you will receive log-in information by e-mail.

Our next webinar, to be held on Thursday March 18, 2010, from 1:00 to 2:00 PM, will focus on how to negotiate software and EHR licensing agreements and other transactional issues with respect to dealing with health IT vendors.

For more information, please contact me at or 202-661-6945.

Posted in ARRA, Higher Ed, HITECH Act, News, Privacy & Security

Pritts named first ONC Chief Privacy Officer

Joy Pritts, a researcher and faculty member at Georgetown University’s Health Policy Institute, was named as the first Chief Privacy Officer for the Office of the National Coordinator for Health IT. This position was created pursuant to a provision in ARRA, last year’s economic stimulus legislation.

In her new position, Ms. Pritts will advise Dr. Blumenthal on forming policies on privacy, security and data stewardship of electronic health information, as well as coordinate similar efforts on state, federal and international levels.

Ms. Pritts is a graduate of Oberlin College and Case Western Reserve University School of Law.  She has testified before Congress on data privacy issues, and served as a member of Technical Advisory Panel for the multi-state Health Information Security and Privacy Collaborative (HISPC) and on the board of the National Governors Association’s State Alliance for e-Health.

According to Government Health IT:

Blumenthal said Pritts, who started her job Feb. 16, has extensive experience on all the issues that ONC grapples with. For instance, she was heavily consulted by members of Congress in legislating the HITECH health IT incentive law.

‘So she has an understanding of the legislative process and a policy understanding, in addition to having worked for the government previously,’ Blumenthal said in answer to a reporter’s question after a meeting of HHS’s Health IT Policy Committee.

‘She has a combination of an understanding of government, understanding of the issues, and her legal background is very important – her research and policy qualifications,’ he added.

“HHS appoints Joy Pritts chief privacy officer,” Government Health IT (February 17, 2010).

Posted in ARRA, Higher Ed, HIPAA, HITECH Act, News, Privacy & Security

Study finds big increases in physicians’ online communications with patients

According to American Medical News (AMN), a new report by Manhattan Research states that online communications by physicians have increased by 14% since 2006. The survey of 1,900 physicians found that 39% of physicians use online communication tools such as email, secure messaging, or instant messaging.

Dermatologists lead all other surveyed practices in the volume of online communications, which, according to Girish Munavalli, MD, assistant professor of dermatology at Johns Hopkins University School of Medicine, can be attributed to “a lot of triage calls and calls for clarification of instructions” which come from dermatologists’ large patient volumes. “This is perfect for short e-mail communication and reminders,” added Dr. Munavalli.

Dermatologists are followed by oncologists, neurologists, endocrinologists, infectious disease specialists, and primary care physicians.

Of course, certain obstacles remain.  Some doctors abstain from using such technology because of liability worries, while many patients prefer in-person meetings because of concerns regarding privacy of their health information.  Still, the report suggests that this increase may be due to the growing comfort level and acceptance of online communication between physicians and patients.  And it may even indicate a larger trend of greater familiarity and use of other health-related technologies, such as EMRs and personal health records.

Graphic via AMN.  Source: “Physicians in 2012: The Outlook on Health Information Technology,” Manhattan Research, January.

“Online contact growing between physicians, patients,” American Medical News (February 15, 2010).

Posted in ARRA, Higher Ed, HITECH Act, News, Privacy & Security

Obama administration announces $975M in HIT grants

HHS Secretary Kathleen Sebelius, appearing with Labor Secretary Hilda Solis, announced the Obama administration will release almost $1 billion set aside in the stimulus bill in order to aid implementation of health information technology.

Secretary Sebelius announced $386 million in grants to advance widespread adoption of EHRs at the state level, including for health information exchanges (HIEs).  HHS also awarded $375 million to 32 nonprofits for Regional Extension Centers which assist providers in updating their medical record systems and train workers on such new technologies.

Secretary Solis announced around $225 million to support 55 job-training programs in 30 states which is expected to train around 15,000 people in the health records technology.

The Obama administration expects to help more than 100,000 health-care providers set up electronic medical records for their patients by 2014.

According to the Wall Street Journal’s Washington Wire blog:

“Patient privacy is the top priority,” Health and Human Services Secretary Kathleen Sebelius said. The agency is about to appoint a chief privacy officer, and the government has strengthen [sic] the penalties for negligent security breaches for companies so they reach up to $1 million.

“Electronic Medical Records get a boost,” Washington Wire (February 12, 2010).

“Obama awards money for electronic medical records,” Associated Press (February 13, 2010).

Posted in ARRA

Grassley follows up with letter to 31 hospitals regarding HIT vendor practices

Following up on his letter to health IT companies last fall, Senator Chuck Grassley (R-IA) sent a letter to 31 hospitals in the United States to inquire about each hospital’s experience with purchasing and implementing health information technology.  According to Healthcare IT News:

Grassley cites reports he’s heard about “difficulties and challenges associated with HIT implementation,” including “administrative complications,” “formatting and usability issues,” “computer errors stemming from the programs themselves,” and problems with “interoperability between programs.”

More specifically, he raises concerns that “when [providers] report such problems to their facilities and/or the product vendors, their concerns are sometimes ignored or dismissed.” Often, he writes, “this is attributed to alleged ‘gag orders’ or non-disclosure clauses in the HIT contract that prohibit health care providers and their facilities from sharing information outside of their facilities regarding product defects and other HIT product-related concerns.”

You can find more about Sen. Grassley’s letter to hospitals in his office’s press release, which includes the full text of the letter.

“Grassley inquires about hospitals’ IT experiences,” Healthcare IT News (January 21, 2010).

Posted in ARRA

Rising numbers and costs of data breaches

There is little doubt that the healthcare industry must prepare for a growing number of – and expanding costs associated with – data breaches, particularly for breaches of protected health information.  Here are just a few notable reports on this subject:

  • reported on a striking increase in attempts to hack into healthcare organizations, while the rate of hacking in other economic sectors remained flat: “the last quarter of [2009] saw an average of 13,400 attempts to hack healthcare organizations, compared to an average of 6,500 in the first nine months.” According to researchers at SecureWorks, which produced the graph above, healthcare organizations are particularly vulnerable to such attacks because they “have to provide access to many external networks and web applications so as to stay connected with their patients, employees, insurers and business partners. This increases their risk to cyber attacks.”
  • Cnet News reported on similar findings by the Ponemon Institute, whose survey concluded that “Data breaches at U.S. companies attributed to malicious attacks and botnets doubled from 2008 to 2009 and cost substantially more than breaches caused by human negligence or system glitches.”  The cost per compromised record involving a criminal act averaged $215, about 40% higher than breaches from negligence and 30% higher than those from glitches, the Ponemon survey found.


There are also a couple of examples of individual healthcare organizations suffering from increasing costs associated with data breaches:

  • According to the Chattanooga Times Free Press (via iHealthBeat), BlueCross BlueShield of Tennessee announced that it has spent more than $7 million to respond to a security breach resulting from 57 hard drives having been stolen from its training facility, which may have compromised personal and health data of up to 500,000 members. The $7 million tab does not appear to be the end of it:

The insurer has notified 220,000 BlueCross members about the data theft. The company also is offering no-cost credit-monitoring services for affected members. In addition, BlueCross is working to notify attorneys general in 32 states about the breach [pursuant to the HITECH Act].   <…>

BlueCross officials said 20,500 members already have signed up for the no-cost credit-monitoring services. In addition, the company has hired more than 700 contract and BlueCross employees to help determine what data the hard drives contained. The insurer said it might need to spend significantly more money to evaluate the missing data and provide additional identity protection services.

  • Considering the experience of BCBS of Tennessee, the costs associated with HealthNet’s infamous data breach must be even higher. On top of providing two years of free credit-monitoring for hundreds of thousands of affected members, HealthNet is being sued by the state of Connecticut for HIPAA violations and noncompliance with HealthNet’s own security policies by failing to encrypt the sensitive data.  The missing hard drive contained “27.7 million scanned pages of more than 120 different types of documents, including insurance claim forms, membership forms, appeals and grievances, correspondence and medical records.”  Further complicating HealthNet’s situation is the fact that the company waited for six months to inform the affected customers of the possible breach.

“Healthcare hacks on the rise,” (January 26, 2010).

“Survey: Data breaches from malicious attacks doubled last year,” cnet News (January 25, 2010).

“Tab for Response to Data Breach Hits $7 Million for BCBS of Tennessee,” iHealthBeat (January 26, 2010).

“AG files suit in health data privacy breach,” (January 13, 2010).

Posted in ARRA

Negotiating vendor-financed EMR transactions

Ingenix, the technology unit of United Health Group, and Allscripts-Misys Healthcare Solutions joined Siemens, GE Healthcare and IBM in offering financing for purchasers of electronic medical record technology.   This continues the trend of vendors offering interest-free financing until healthcare providers receive the “meaningful use”  incentive payments or reimbursements under the HITECH Act.

While such offers may provide a solution to some of the credit and financing woes facing the healthcare industry, healthcare providers should be acutely aware of the many potential pitfalls and related issues inherent in vendor-financed deals, including: (1) additional pressure from vendors to accept their standard contractual terms and conditions, rather than engaging in full-blown contract negotiations, because vendors have much more leverage if they are also the creditor in the transaction; (2) failing to obtain necessary warranties and representations from vendors that their systems will comply with all relevant requirements under ARRA and the HITECH Act and will permit the provider to achieve meaningful use; (3) dealing with problems that may arise if either the vendor’s product fails to achieve applicable certification (e.g., CCHIT), is not “accepted” by the provider after completion of acceptance testing or the product does not enable the provider to achieve “meaningful use” in a timely manner, as well as a host of other issues.

Steve Fox and yours truly explore the issues around vendor financing of EHR system purchases in the latest issue of the Journal of Health Information Management, where we suggest recommended courses of action for healthcare providers considering acquiring HIT systems, including EMRs, by using vendor financing options.  A complimentary PDF copy of the article is available here.

Posted in ARRA

In the news: Privacy breaches and de-identification

  • According to LA Weekly, Huping Zhou, a former employee at the UCLA Healthcare System, pleaded guilty to federal charges of breaches of patient privacy. Zhou, 48, accessed the UCLA patient records system 323 times during a three-week period, mostly looking for the files of celebrities, after being let go by the hospital. Names of the targeted celebrities have not been revealed. This case follows a similar breach at UCLA Medical Center, when Lawanda Jackson, a former nurse at the Center, pleaded guilty to wrongfully accessing information of Britney Spears and Farrah Fawcett.
  • Delaware Online reports on an unfortunate new trend in medical identity theft — searching for copies of discarded prescriptions: “In the latest crime trend to hit Delaware, police are reporting that people looking for drugs such as Oxycontin and Vicodin are stalking customers who throw away prescription bags containing paperwork with details about their pills and themselves. They use the personal information to call in prescriptions and charge them to the victims’ insurance. Then they turn around and sell the drugs.” According to Bruce DiVincenzo, chief agent of Delaware’s Office of Narcotics and Dangerous Drugs:

“They’re making their own scripts by ordering paper from the Internet,” he said. “It’s the patient’s name that they want, because that person is actively listed as a customer of the pharmacy and will not raise suspicion.”

Pharmacies like CVS and Happy Harry’s (a subsidiary of Walgreens) take certain precautions to prevent such identity theft, including checking ID’s before filling prescriptions and reminding customers to be careful with their receipts and copies of prescriptions.

  • According to Washington Technology, HHS is looking for a contractor to research the effectiveness of “de-identifying” PHI:

Under this new contract, HHS will research re-identifying the data and matching it to a specific individual.

‘The contractor shall take one or more HIPAA Privacy Rule de-identified data sets and, using methods and technologies that exclude ‘brute force’ matching, demonstrate the ability or inability to re-identify the data,’ the notice states.

The re-identification must be an accurate and unambiguous match to an individual.

“Former UCLA Health Worker Pleads Guilty To Accessing Celebrities’ Medical Records,” LA Weekly (January 8, 2010).

“Delaware crime: Trash-picking identity theft targets pharmacy customers,” Delaware Online (January 6, 2009).

“HHS wants contractor to test privacy of ‘anonymous’ data,” Washington Technology (January 5, 2010).

Posted in ARRA, HIPAA

ALERT: CMS and ONC to Discuss Next Steps in EHR Programs Today

Today the Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator for Health Information Technology (ONC) will announce two regulations that lay a foundation for improving quality, efficiency, and safety through meaningful use of electronic health record (EHR) technology.

The regulations will help implement the EHR incentive programs enacted under the Health Information Technology for Clinical and Economic Health (HITECH) Act, which was part of the American Recovery and Reinvestment Act of 2009. Public comments on both regulations are encouraged.

Join today’s call; details are listed below:

–David Blumenthal, MD, MPP, national coordinator for health information technology
–Jonathan Blum, director, Center for Medicare Management
–Cindy Mann, director, Center for Medicaid and State Operations

Briefing for HITECH Partners and Stakeholders – Providers, HIT Industry Organizations

Today, Wednesday, Dec. 30, 2009, 5:15 p.m. – 6:00 p.m. Eastern Time

Toll-Free Dial: (800) 837-1935
Conference ID: 49047605
Pass Code: HITECH

Stay tuned for more updates and information on the HIMSS Meaningful Use Web site at . HIMSS will be posting a statement tomorrow.

Posted in ARRA

Updated: Meaningful Use Definition Released in the Federal Register

CMS released a proposed rule pursuant to the HITECH Act which includes the much-anticipated definition of Meaningful Use of Certified EHR technology.

HHS has also released an interim final rule with a request for comments to adopt an initial set of standards, implementation specifications, and certification criteria, as required by section 3004(b)(1) of the Public Health Service Act. This interim final rule represents the first step in an incremental approach to adopting standards, implementation specifications, and certification criteria to enhance the interoperability, functionality, utility, and security of health information technology and to support its meaningful use. The certification criteria adopted in this initial set establish the capabilities and related standards that certified electronic health record (EHR) technology will need to include in order to, at a minimum, support the achievement of the proposed meaningful use Stage 1 (beginning in 2011) by eligible professionals and eligible hospitals under the Medicare and Medicaid EHR Incentive Programs.


* These are links to PDF versions of the NPRM and IFR published on January 13, 2010 in the Federal Register.

Posted in ARRA

GE and Siemens provide new financing options for Health IT purchases

On the eve of HHS releasing the much-anticipated definition of “meaningful use,” health IT divisions of GE and Siemens revealed new financing options for purchases of their EMR and other HIT products.

On December 16, 2009, Siemens followed IBM and GE in offering “a series of flexible financing solutions to help healthcare providers pursue meaningful use objectives and meet [HITECH Act] deadlines <…>  Featuring zero-percent interest terms for qualified customers, the solutions enable organizations to defer up-front payments associated with their technology investment while meeting criteria for future government incentive monies.”

According to Fierce Healthcare:

To provide the greatest possible range of choices for customers, Siemens offers solutions from Siemens Financial Services, Inc. as well as from selected partners, including IBM Global Financing and 3-D Financial Services. These options allow customers to choose a customized financing solution that matches their individual technology acquisition roadmaps, business strategies, financial profiles, and technology needs. <…>

By bridging the gap between the project implementation and the receipt of ARRA incentive, Siemens will be providing its customers an option which allows them to optimize their cash flow while maximizing return on investment.

Back in June of 2009, GE announced its $2 billion commitment as part of its Stimulus Simplicity program. According to the Wall Street Journal, GE, through its GE Capital division, “expects to offer $100 million in interim financing to hospitals and health-care providers for projects that are expected to qualify for funds from the U.S. government’s economic-stimulus package. GE said the move offers doctors, community health clinics and hospitals a bridge to qualify for stimulus funds and faster access to electronic medical records.” While the “meaningful use” definition and the EHR certification are not yet finalized, GE guarantees that its EHRs will meet the upcoming requirements, regardless of the details of the final rule. Like IBM’s program, GE’s financing is also restricted specifically for GE Centricity, GE’s EHR product.

On December 24, 2009, GE extended the financing terms available for its Centricity EMR software to other health IT products, including Centricity Enterprise and Centricity Business, a financial and administrative tool for providers.  According to Healthcare IT News:

GE executives say they have seen strong interest in the program, with demand exceeding $140 million in sales opportunities.

In the current economic environment, vendor financing may be the best (if not the only) option for healthcare providers seeking to qualify for incentive payments under ARRA.  However, such  providers should be aware of the many potential pitfalls and related issues inherent in vendor-financed deals, including: (1) additional pressure from vendors to accept standard contractual terms and conditions; (2) failing to obtain necessary warranties from vendors that their systems will comply with all relevant requirements under ARRA and the HITECH Act and will permit the provider to achieve meaningful use; (3) dealing with problems that may arise if either the vendors’ products fail to achieve certification, or the provider fails to achieve “meaningful use” in a timely manner, as well as a host of other issues.

These issues are subject of an upcoming article by yours truly, in the Journal of Health Information Management.  We will link to the article when it becomes available online.

“Siemens Unveils Flexible Financing Solutions to Help Providers Achieve Meaningful Use,” Fierce Healthcare (December 16, 2009).

“GE expands healthcare IT loan program,” Healthcare IT News (December 24, 2009).

“GE Unit Offers Interim Loans to Hospitals, Health-Care Providers,” The Wall Street Journal (June 16, 2009), B3.

“G.E. Offers Loans for E-Health Record Purchases,” New York Times Bits Blog (June 15, 2009).

Posted in ARRA

CCHIT certifies EHR products for Preliminary ARRA 2011 program

Via Healthcare IT News:

The Certification Commission for Health Information Technology has certified 14 electronic health record products that pass muster for provider use under the American Recovery and Reinvestment Act of 2009 (ARRA).

“We believe it will be a challenge for providers who have not yet begun to evaluate products to purchase and implement EHR technology and achieve meaningful use in time for the 2011-2012 incentives,” said Alisa Ray, the CCHIT’s executive director. “We have received more than 30 applications for our 2011 certification programs – more than half of which are for the comprehensive program – and are announcing new certifications regularly so providers can begin to consider EHR technology that demonstrates compliance with the proposed federal standards.”

According to Ray, the Preliminary ARRA 2011 program is a modular, limited certification and inspects technology only against the federal standards. It offers flexibility for health IT companies, developers and providers in meeting ARRA 2011-2012 certification requirements.


The ARRA certification component of both programs is considered preliminary because the definitions of meaningful use, criteria and standards have been proposed but not yet finalized by the Department of Health and Human Services, according to Ray. Health IT companies testing against the proposed standards now will be provided the opportunity to close any gaps after the final rules are published in the Federal Register in spring 2010.

CCHIT has certified the following companies under the Preliminary ARRA 2011 program:

* eHealth Made Easy’s eHealth Made Easy 3 for hospitals
* eHealth Made Easy’s eHealth Made Easy 3 for eligible providers
* IOS Health Systems’ Medios 4.5
* Kaulkin Information Systems’ KIS Track 5.1
* NGG Medical Systems’ Perfect Care EHR 3.35
* Order Optimizer’s Order Optimizer 3.01
* Sajix’s iHelix MD 2010

“CCHIT certifies 14 products for meaningful use,” Healthcare IT News (December 21, 2009).

Posted in ARRA

ONC names 17 members of the privacy and security workgroup

The Office of National Coordinator for Health IT named 17 members of the newly formed privacy and security workgroup of the HIT Policy Committee.  According to Government Health IT:

The work group will be co-chaired by Deven McGraw, director of the Health Privacy Project at the Center for Democracy and Technology, and Rachel Block, executive director of the New York eHealth Collaborative and deputy commissioner for health IT transformation at the New York State Department of Health.

Their team will advise the Policy Committee on such matters as how safeguards for the exchange of health information should fit into the “meaningful use” test for health IT incentives that ONC has been working on.

The ONC has previously announced the establishment of a separate workgroup devoted to creation of a national health information network, which, of course, will have to deal with its own set of privacy and security concerns.  There is also a privacy and security workgroup under the HIT Standards Committee.

Government Health IT provides a list of the other members of the workgroup:

Some of the privacy and security work group members named today already sit on its parent Policy Committee. They are: Dixie Baker, SAIC; Paul Egerman, consultant; Judy Faulkner, Epic Inc.; Gayle Harrell, a consumer representative with the state of Florida; Dr. Mike Klag, Johns Hopkins University School of Public Health; Latanya Sweeney, Carnegie Mellon University; and Paul Tang, Palo Alto Medical Foundation and Policy Committee vice chairman.

New members who are not current members of the Policy Committee are: Dr. Peter Basch, a healthcare practitioner; Dr. A. John Blair, a practitioner; Marianna Bledsoe, the National Institutes for Health; Joyce DuBow, AARP; Justine Handelman, Blue Cross Blue Shield; John Houston, University of Pittsburgh Medical Center; Terri Shaw, Children’s Partnership; and Paul Uhrig, SureScripts. Jodi Daniel and Sarah Wattenberg will represent the Office of the National Coordinator for Health IT on the workgroup.

“ONC names privacy, security workgroup members,” Government Health IT (December 8, 2009).


Posted in ARRA

In the news: EHR incentives; the rising threat of medical identity theft

  • In a letter to Dr. Blumenthal, the Medical Group Management Association (MGMA) urged the ONC to define “meaningful use” in a practical and achievable way.  Otherwise, many providers could fail to qualify for the HITECH Act’s incentives.  The MGMA is recommending, inter alia, instituting a pilot test prior to the start of the program and before each new phase of the program; including only criteria for meaningful use that have widespread industry use or have been tested; permitting physicians to test their reporting systems prior to their “go-live” date; permitting flexibility in achieving meaningful use and avoiding a “pass/fail” approach; developing a simple process for physicians to attest that they have achieved meaningful use; simplifying the data-reporting process and ensuring that the government is ready to accept the data; closely monitoring the industry to ensure that the program logistics operate appropriately; and ensuring government oversight of the vendor community for its ability to produce high-quality and reasonably priced software.
  • A former Johns Hopkins hospital employee, Michelle Johnson, was sentenced to 18 months in prison and ordered to pay $200,000 in restitution for stealing patient information.  According to the Associated Press, Ms. Johnson, formerly a patient services coordinator, “provided a conspirator with names, Social Security numbers and other identifying information of more than 100 current and former patients of Johns Hopkins. That information was used to apply for credit. Johnson kept some of the fraudulently ordered merchandise for herself, including a computer monitor, a cordless phone, and clothes for herself and her children.”
  • The Wall Street Journal reported on the rise in medical identity theft and that the situation is “expected to worsen.”  Most medical identity theft cases are committed by those who pay medical workers for patient data, exactly what Michelle Johnson was caught doing at Johns Hopkins.  According to the Journal and the World Privacy Forum report it cited, the adoption of electronic medical records may contribute to the problem by making such information more easily available. Data indicate that states with a high population of retirees experienced the most significant increases in medical identity theft, including California, Texas, New York, Arizona, and Florida.

“Patient ID Theft Rises,” Wall Street Journal (November 30, 2009).

“MGMA concerned about success of EHR incentive program,” Healthcare IT News (November 23, 2009).

“Woman Sentenced for Stealing Patients’ Info,” Associated Press (November 20, 2009).


New York Times: New study shows little improvement for EMR users

The New York Times reported on a new study led by Dr. Ashish Jha of the Harvard School of Public Health and Catherine M. DesRoches of Massachusetts General Hospital which found only marginal benefits to hospitals using electronic health records in terms of reducing costs and improving the quality of care.

The new study placed hospitals into three groups: those with full-featured electronic health records, those with more basic ones, and those without computerized records. It then looked at their performance on federally approved quality measures in the care of conditions like congestive heart failure and pneumonia, and in surgical infection prevention.

In the heart failure category, for example, the hospitals with advanced electronic records met best-practice standards 87.8 percent of the time; those with basic computer records, 86.7 percent; and those without, 85.9 percent. The differences in other categories were similarly slender.

Reducing the length of hospital stays, according to many experts, should be a big money-saving payoff from electronic health records — as better care aided by technology translates into less time spent in hospitals. For hospitals with full-featured digital records, the average length of stay was 5.5 days; for those with basic computer records, 5.7 days; and those without, 5.7 days.

The upside, if any? Dr. Karen Bell, a former HHS official, was not surprised by the findings and hopes that the real benefits will be achieved after use of EMRs is much more widespread:

“There will be no clear answers on the overall payoff from the wider use of electronic health records until we get further along, five years or more,” said Dr. Bell, [now a] senior vice president for health information technology services at Masspro, a nonprofit group. “But that doesn’t mean we shouldn’t go forward.”

“Little Benefit Seen, So Far, in Electronic Patient Records,” New York Times (November 16, 2009).


Timely advice: Begin preparations for “meaningful use” now

Our collaborator and friend James Oakes, a Principal at Health Care Information Consultants, LLC in Baltimore, Md., authored a wise and timely call for action for healthcare providers hoping to capitalize on the incentive payments for meaningful use of certified EHR technology included in the HITECH Act.

The article, appearing in BNA’s Health IT Law & Industry Report, argues that even though the HHS has yet to produce final regulations defining such key HITECH Act terms as “meaningful use” and “certified EHR technology,” healthcare providers should not wait any longer to begin planning for the transition from paper to digital records, or the likely required updates to existing EHR systems:

Given the uncertainty surrounding these issues, a number of providers have elected to delay any action towards selecting and implementing an electronic health record (EHR) for their institution until answers are made available, reasoning that they want to know as much as possible before committing to a direction. However, providers who take this path may put themselves at risk for forfeiting eligibility for ARRA funds at all, given the time to execute and implement systems.


Oakes suggests several initial steps to EHR implementation:

  1. Gain a high-level understanding of the basic provisions of ARRA and the HITECH Act.
  2. Develop a realistic plan for your institution based on your assessment of the level of automation that is right for your circumstances, environment, and budget.
  3. Discuss the implementation, transition and any relevant software changes with your current health IT vendor.  Considering the huge increase in demand in HIT services, it is important to secure your vendor’s support and involvement early on, so that your organization does not end up at the end of the line.
  4. Know the health IT market because your organization will benefit from having the most customized solution (as opposed to, e.g.,  the most expensive or feature-rich), at the right price.

“Get started!” urges Oakes:

Going through all of these steps will not be accomplished overnight. Indeed, past experience suggests that if a hospital has not started these steps already, it will take from 24 months to 48 months for a mid-sized hospital to transition from planning to live operation, including full use of clinical capabilities. Given that ARRA incentives start phasing down in FY 2013 for physicians (2014 for hospitals), it is not beyond the realm of possibility that an institution that waits too long to start could find itself shut out of maximum incentive payments.

You can find the full article, courtesy of BNA’s Health IT Law and Industry Report, here.


HHS releases interim final regulations on HIPAA enforcement changes

Pursuant to the HITECH Act, the Department of Health and Human Services (HHS) released interim final regulations updating enforcement rules for violations of HIPAA.  As reported in Healthcare IT News:

Prior to the HITECH Act, the penalty could be no more than $100 for each violation or $25,000 for all identical violations of the same provision.

A healthcare provider, health plan or clearinghouse could also bar the secretary’s imposition of a civil money penalty by demonstrating that it did not know that it violated the HIPAA rules.

Section 13410(d) of the HITECH Act strengthened the enforcement by establishing tiered ranges of increasing minimum penalty amounts, with a maximum penalty of $1.5 million for all violations of an identical provision. A covered entity can no longer bar the imposition of a civil money penalty for an unknown violation unless it corrects the violation within 30 days of discovery.

The interim final rule with request for comments, published last week, conforms the HIPAA enforcement regulations to the revisions made by the HITECH Act. This rule will become effective on Nov. 30. HHS will consider all comments received by Dec. 29.

You can find the full text of the rule here.

“HIPAA violators could face fines up to $1.5M,” Healthcare IT News (November 2, 2009).


Sen. Grassley voices concerns about HIT vendor practices

According to the Wall Street Journal’s Health Blog:

In letters sent earlier this month to 10 companies, [Senator Chuck] Grassley says that he’s “received complaints” about systems that allow doctors to enter medical orders by computer. (Here’s a copy of the letter.) This is a big deal these days because the stimulus bill provides billions of dollars in federal incentives to encourage doctors and hospitals to start using these sorts of systems.

Grassley asks the companies to send him copies of “complaints and/or concerns” that health-care providers have expressed about the systems. He wants to know whether the companies typically include legal provisions in their contracts that “shift responsibility for errors in the … systems to physicians, nurses, pharmacists, and other health care providers.”

And he cites reports that contracts sometimes “include ‘gag orders,’ which prohibit health care providers from disclosing system flaws and software defects.” He asks the companies how many settlement agreements they’ve executed in the last 18 months.

So far, representatives of Cerner, McKesson and Allscripts indicated that they plan to cooperate with Sen. Grassley’s request.

You can find more information on Grassley’s letters via the Washington Post, here.

You can see a copy of Grassley’s letter to 3M here.

“Chuck Grassley Has a Few Questions for the Health IT Industry,” Health Blog (October 26, 2009).

“Electronic medical records not seen as a cure-all,” Washington Post (October 25, 2009).


New York Times interviews David Blumenthal

David Pogue, a reporter for the New York Times, posted the transcript of his interview with Dr. David Blumenthal, National Coordinator for Health IT. Mr. Pogue interviewed Dr. Blumenthal for a CBS news report on digitization of healthcare in America (the video is available after the jump).

Here are some highlights from the interview:

On current state of health IT in the US:

We found that about 17 percent of physicians in 2008 had adopted an electronic health record, and about ten percent of hospitals. <…> The rest is paper. It’s basically the same system that physicians have used since Hippocrates, which is writing on some piece of paper.

On reimbursement penalties for those failing to achieve meaningful use by 2015:

From 2011 to 2015, there is a bonus. The Congress has put $45 billion on the table to ease physicians and hospitals into this new world of computerized medicine. After 2015, if you have not adopted, and you see Medicare or Medicaid patients, you may experience a penalty. 2015 is six years off. Six years is plenty of time for physicians to get themselves organized to put a record in place and avoid those penalties.


On cost of EMRs:

On average, the cost is between $40,000 and $50,000, of which about a third is the software and the hardware, about a third is the cost of getting it set up in the office, and about a third is maintaining it. Much of the expense is related to the cost of implementing and the cost of maintaining it over time.

On privacy and security:

Privacy and security are foundational to a modern health information system. You cannot get the computer into this business without assuring people that their information, their personal information, will be safe.

So we are looking at the best possible technical solutions, technical protections, to privacy and security. We want to make sure that we have looked at every opportunity for encryption, every security device that the best minds can think of, to make information safer. We’ve got it in other parts of the industry, but we don’t have it for healthcare. So I think that’s a very important agenda item for us.


There are two kinds of anxieties. One is that their data may be used for purposes that they haven’t authorized it. So if they haven’t authorized their personal data to be used for research, they don’t want it for that purpose. And the way the law gets around that problem is by saying that information should be de-identified; that is, it should be abstracted from the record in a way that can never be traced back to that individual.

And then that information can be used for research on drug safety, or research on the value of particular treatments, or anything else that may be useful to human health.

There’s another kind of fear, and that is the fear of the breach or break-in, or hacking. And there have been some examples of that.

That’s where better encryption and better barriers to hacking are critical. And, you know, we have a new cybersecurity initiative that President Obama has put in process. It’s well known that the security of information is a national need for defense purposes. It’s also, I think, a very important need for this domestic policy purpose. So we want to work with that security initiative to know that we’ve taken advantage of everything that the federal government and the computer industry knows about how to keep records secure.

Finally, the big picture:

Well, it’s a big challenge, it’s an exciting challenge, and a historic challenge. There’s nothing that’s worth doing that’s easy to do in life, and this is one of those.

But I really think that history is on the side of this activity. To be a 21st-century physician, to be a 21st-century hospital, we can’t record data the same way the Greeks did in 500 B.C. We’ve gotta move to use the computer to support our work. And that’s what we’re trying to do.

There’ll be bumps on the road. We’re not gonna be perfect. We’ll make mistakes. But I think the wind is at our back in terms of the historical trends. And we’ll get there, sooner or later.



CBS News reports on EHR efforts

By popular demand, here is the video of David Pogue’s report on the Obama Administration’s efforts to digitize patient records in the U.S.



In the news: Blumenthal on “meaningful use,” new health information management jobs, etc.

Dr. David Blumenthal, the National Coordinator for Health IT, gave an update on the Obama Administration’s efforts to define “meaningful use” and to further adoption of EHRs nationwide.  Blumenthal did not reveal any new details regarding the upcoming regulations on meaningful use, reminding his audience of the upcoming “notice of proposed rulemaking in late 2009 with a public comment period in early 2010.”

Meanwhile, according to Government HealthIT, the next meeting of the HIT Policy Committee, which will meet on October 27 and 28, will focus on how to map meaningful use objectives to medical specialties as well as small practices and hospitals.

Speaking at the 81st annual American Health Information Management Association convention in Grapevine, Texas, Dr. Blumenthal stated that he expects 50,000 health information management (HIM) jobs to be created as the U.S. moves from the paper-based to the digital system of healthcare.  AHIMA’s CEO, Linda Kloss, noted that the interest in HIM careers has “exploded” during the last year.

Much more news after the jump.



PWC Survey Findings May Support North Shore’s EMR Gamble

The New York Times reported last week that the North Shore-Long Island Jewish Health System (North Shore) will offer its 7,000 affiliated (though not employed by North Shore) physicians subsidies for implementing electronic health records.  Interestingly, this subsidy is separate from, and does not prevent such physicians from qualifying for, the approximately $44,000 in Medicare incentive payments under ARRA.

North Shore plans to subsidize 50% of the total cost of the EMR system (which uses Dell hardware and Allscripts software) for practices “who simply install electronic health records that can communicate between the doctor’s office, labs and hospitals.”  However, the health system will subsidize 85% of the total cost of the EMR — a figure driven, no doubt, by the exceptions to the Stark and Anti-Kickback laws — for physicians willing to share some of their patient data.

North Shore is counting on the availability of shared data to reduce the cost of care through reduction of unnecessary tests and medical mistakes.  A recent PricewaterhouseCoopers (PWC) survey may support North Shore’s reasoning.  The survey found broad agreement among healthcare executives with respect to secondary uses of EMR patient data.  Among other findings (discussed after the jump), the PWC survey found that 42% of organizations already using some form of secondary data use achieved cost savings, 29% increased their revenue, and 59% saw improvements in quality of care.

The Times implied that with this move, North Shore may be seeking a competitive advantage as well:

Digital links, analysts say, can also tighten the bonds between doctors and the hospital groups that subsidize the computerized records. In most local markets, independent physicians typically have admitting privileges at more than one nearby hospital, and so hospitals compete for doctors as well as patients.

There are, of course, risks associated with the North Shore program, including significant delays or even failure to realize significant savings from the EMR adoptions, or the uncertainty about the privacy and security measures for sharing patient data among affiliated providers.

However, both the North Shore program and the PWC survey findings suggest that the often reluctant physicians are beginning to accept the inevitability of the widespread use of electronic health records, and are trying to capitalize on the many benefits of EMR systems, including potential for improving the quality of care and reducing costs.

According to the Healthcare IT News, the PWC survey found that the “data that could be mined from a health system can improve patient care, predict public health trends and reduce healthcare costs,” though “a lack of standards, privacy concerns and technology limitations are holding back progress.”  In particular:

  • Nine in 10 healthcare executives believe that the secondary use of health information will significantly improve the quality of patient care and offers the promise of even greater benefits in the future.
  • Nearly two thirds (65 percent) of health organizations say they expect their secondary data use to increase significantly within the next two years.
  • Among organizations already using some form of secondary data, 59 percent have seen quality improvements, 42 percent have achieved cost savings, 36 percent have seen patient/member satisfaction improve and 29 percent have increased revenue.
  • Providers who are not using secondary data say the number one reason is lack of EHR implementation, not because they are opposed to the concept. Health plans are farthest behind in their secondary use of data despite their vast repository of comprehensive claims information from physicians, hospitals, pharmacies and dentists.
  • Ninety percent of pharmaceutical companies have limited or no access to health information contained in electronic health records.
  • Most health organizations that use secondary data do so for their own quality monitoring and reporting and for identifying areas that need quality improvement.



A note of caution about vendor guarantees on “meaningful use”

According to Modern Healthcare, several HIT vendors, including GE Healthcare, NextGen Healthcare Information Systems, and Athenahealth, will guarantee that their EHR products will meet or “evolve to meet” the federal requirements for “meaningful use,” even though such requirements have not been promulgated yet by CMS.  In fact,

Athenahealth recently upped the ante by guaranteeing that, not only will the company’s AthenaClinicals Internet-based electronic health-record service meet federal standards, but the doctors who use it will receive a bonus payment for the 2011 program year under the terms of the [HITECH Act].

The HITECH Act provides for a first-year incentive payment of $18,000 for those eligible professionals who achieve meaningful use of certified EHR technology in 2011 or 2012, instead of a first-year payment of $15,000 thereafter.

Some vendors hope that such guarantees will spur activity in the market, persuading some reluctant healthcare providers not to wait until CMS issues its final “meaningful use” regulations next year.  There is also some doubt whether such guarantees apply to each vendor’s existing customers or solely to new customers.

However, whenever a healthcare organization enters into an EMR purchase or license agreement, it must obtain strong warranties from the vendor that its product(s) and system will meet the applicable federal requirement standards at time of issuance of such standards, as well as for duration of the applicable license.  “Meaningful use” requirements will likely change over the life of a license, and a vendor’s obligation to meet such evolving standards is absolutely essential.  Healthcare providers must also include proper remedies and appropriate carve-outs from vendor’s limitation of liability for a vendor’s breach of such warranties.

Of course, such warranties are just the tip of the iceberg.  If meeting “meaningful use” criteria is essential to your healthcare organization, your EMR license agreements should include robust testing and acceptance provisions; vendor warranties regarding meeting major milestones on time; warranties regarding compliance with patient information privacy and security laws; clauses securing your ownership and access to patient data, along with many other significant provisions.

“HITS Beyond: IT vendors say products will meet unknown guidelines,” Modern Healthcare (September 28, 2009).



Health IT Market Heats Up

The last few weeks saw a tremendous amount of activity in the health IT market.  Dell and Xerox were among the companies trying to capitalize on opportunities created by the ARRA incentives and certain market trends, including high demand for HIT products due to the ongoing digitization of the industry and, more generally, the expanding healthcare needs of an aging population in the United States.

Dell is quickly establishing itself as a major player in health IT.  In April 2009, Dell aligned itself with Wal-Mart and eClinical Works to supply hardware for Wal-Mart’s new EHR system.  Last month, Dell rolled out its own EHR system aimed at physicians affiliated with hospital practices, with Tufts Medical Center and Memorial Hermann Health Care System among the early adopters.

Even more significantly, on September 21, 2009, Dell announced its plans to acquire the health IT vendor Perot Systems Corp. for $3.9 billion.  Perot is a major player in the healthcare industry:  about half of Perot’s $2.8 billion in annual revenue comes from the healthcare market; and as much as half of the hospitals that outsource their IT are Perot clients.   Perot runs over 3,000 healthcare applications for its clients, though the company does not have a preferred provider arrangement with a specific application vendor.

A mere week following Dell’s announcement, Xerox’s CEO Ursula M. Burns revealed her company’s “game-changer” plan to buy Affiliated Computer Services (ACS) for $6.4 billion.  According to IT World:

ACS may be in a good position to get even more business in the next few years as the federal government starts spending billions of dollars to help health care providers create electronic medical records systems. ACS said that health care projects account for about $1 billion of its $6.5 billion in revenue for the year ended June 30.

While the Dell and Xerox acquisitions grabbed most of the spotlight this week, other Wall Street giants, like Wal-Mart Stores, Inc., Intel and Google, have made significant inroads into the health IT market.  Healthcare consultants Frost & Sullivan, as cited in Healthcare IT News, see an expanding market which will benefit new players.

Companies with a fresh, outside perspective will be invaluable to improving healthcare delivery and producing the next generation of medical technology <…> The enormous demand for new technology and solutions to address both the clinical needs of patients and the systemic problems of healthcare delivery will create opportunities for companies with the foresight to identify and capitalize on opportunities.

However, Frost & Sullivan also cautions companies against jumping into this industry without considering potential downsides, including the incredibly complex regulatory framework governing U.S. healthcare.

Joseph Conn, “Dell’s HIT Power Play,” Modern Healthcare (September 28, 2009).

“Dell to Buy Perot Systems for About $3.9 Billion,” The New York Times (September 21, 2009).

“Major corporations looking for stake in healthcare, medical technology market,” Healthcare IT News (October 1, 2009).

“Doc, you’re getting a Dell (EMR),” Healthcare IT News (September 10, 2009).

“Xerox Buys Affiliated, Fueling Shift to Services,” The New York Times (September 28, 2009).

“With ACS, Xerox will gain a firm growing quickly offshore,” IT World (September 28, 2009).



Sebelius announces $28M in grants for EHR implementation

HHS Secretary Kathleen Sebelius announced almost $28 million in grants for more than twenty health centers to implement or improve their electronic health records technology.  This funding is allotted from the $2 billion set aside for Health Resources and Services Administration (HRSA) health centers in the ARRA.  HRSA health centers provide medical services for the uninsured and low-income individuals.

According to the HHS press release:

Eighteen grants totaling more than $22.6 million will support EHR implementation. Grants totaling more than $2.6 million will help four grantees implement a variety of HIT innovations, including the creation of health information exchanges among different providers and the incorporation of HIT at dental delivery sites. Another five grants totaling over $2.5 million will help health centers devise plans to use existing EHRs to improve patient health outcomes.

HRSA received $2 billion through the Recovery Act to expand health care services to low-income and uninsured individuals through its health center program. To date, more than $1.3 billion of these funds have been awarded to community-based organizations across the country. HRSA-supported health centers treated 17 million patients in 2008, 40 percent of whom have no health insurance.

You can find the full list of recipients here.

“Secretary Sebelius Releases $27.8 Million in Recovery Act Funds to Expand the Use of Health Information Technology,” HHS Press Release (September 29, 2009).

“HHS releases $28M in ARRA funding to accelerate health IT,” Healthcare IT News (September 30, 2009).


HIT Standards Committee endorses privacy and security standards

On September 15, 2009, the HIT Standards Committee endorsed a set of privacy and security standards for electronic health record systems.
These standards will be recommended to Dr. David Blumenthal, the National Coordinator for Health Information Technology, as a basis for establishing the privacy and security criteria for, inter alia, “certified EHR technology” as defined under the HITECH Act.  Eligible healthcare providers must meet the criteria for “meaningful use” of “certified EHR technology” in order to qualify for significant incentives available under the HITECH Act.

The committee’s Privacy and Security Workgroup included access control, authentication, authorization and transmission of health data among the requirements that electronic health record systems must include by 2011 in order to meet the definition of “certified EHR technology.”   Specifically for 2011, the Standards Committee approved the Workgroup’s recommendation to require certified products to provide the capabilities necessary to support the HIPAA and ARRA security and privacy requirements and best practices for “meaningful use.”  The endorsed privacy and security standards will become more rigorous in 2013 and 2015.

You can find the spreadsheet of endorsed privacy and security standards here.

You can also view the presentation from the Workgroup here.

“Federal panel okays EHR security, privacy standards,” Government Health IT (September 15, 2009).


CCHIT to launch Preliminary ARRA Certification program next month

While the ONCHIT Advisory Committees continue to work on defining “meaningful use,” the Certification Commission for Health Information Technology (CCHIT) plans to launch a new certification program for electronic health records systems based on the new requirements for such systems to qualify for incentive payments under the American Recovery and Reinvestment Act of 2009 (ARRA).

On October 7, 2009, CCHIT will “offer a modular certification program called Preliminary ARRA 2011 that is limited to the standards for qualifying EHR technology under the American Recovery and Reinvestment Act (ARRA).”

More from the CCHIT press release:

The Commission has followed and analyzed the emerging recommendations of the health information technology advisory committees to the Office of the National Coordinator (ONC), and believes there is sufficient information to offer the preliminary ARRA certification now.

HHS criteria and standards are expected to be published by the end of 2009. Final rules on Meaningful Use are expected later in the Spring of 2010. If that process results in the introduction of new requirements, the Commission will offer vendors with preliminary certifications an incremental inspection at no additional fee to bring their certifications into alignment with the final rules. The Commission’s certification materials including criteria, test scripts and certification policies for both programs will be published at on September 24. Applications for certification will open online on October 7.

“Certification Commission Launching 2011 Certification Programs In October,” CCHIT press release (September 8, 2009).

“Federal committees to continue work on meaningful use,” Healthcare IT News (September 11, 2009).
