Rural providers cope with HIT staffing deficits

If compliance with ONC regulations is challenging for healthcare providers in urban areas, with high concentrations of IT professionals, it is especially challenging for rural providers where IT resources in the form of human capital are scarce.  The federal government's 2009 healthcare stimulus package, HITECH, provided funding for a national network of regional extension centers (RECs) designed to assist rural healthcare systems.  While the program is considered very effective, its funding will dry up in 2014.  Rural providers have devised a creative array of strategies to overcome their HIT staffing obstacles.

Via Modern Healthcare:

It took St. Claire Regional Medical Center, in the small town of Morehead in northeastern Kentucky, 2½ months to fill an open position on its computer help desk.

“We just don't see that many people who are even close to being qualified willing to work for the amount of money we're able to pay,” said Randy McCleese, vice president of information services and chief information officer of the 159-bed hospital. “That's part of what we have to deal with in the rural environment.”

The need for qualified information technology professionals to work in hospital and clinic settings has increased enormously in recent years, given the expanded use of technology such as electronic health records. But more than two-thirds of the CIOs surveyed in 2012 by the College of Healthcare Information Management Executives reported shortages on their IT staff. That's an especially big problem for providers in small towns and rural areas, who can't necessarily afford to pay nationally competitive salaries and who can't offer big-city attractions to lure candidates.

These IT staffing shortages create daily inefficiencies for small hospitals such as St. Claire Regional. New computers sit idle because there's no one there to set them up. Software fixes don't always get taken care of in a timely manner. “We really get into a backlog of the things that need to be done,” McCleese said.

To address these challenges in filling their IT staffing needs, small-town and rural providers are adopting a variety of strategies. Some are training current employees, such as nurses, in IT skills, some are partnering with other hospitals to share IT staff, and some are outsourcing IT work to consultants. Many worry that the end of federal funding for IT regional extension centers will cut off a valuable source of technology assistance.

While small-town and rural providers also have trouble filling clinical positions, McCleese, CHIME's board chairman, estimates that a typical nurse opening at St. Claire Regional might generate 10 to 15 applicants, compared with the three he received for the recent help-desk position. “Comparatively speaking, we get a much smaller number for the IT positions,” he said.

McCleese faces competition for IT workers from providers based an hour away in the bigger cities of Lexington, Ky., and Huntington, W.Va. He estimates that his hospital pays salaries that are 25% to 30% lower than in those bigger towns.

National data confirm that disparity. The median annual salary for a medical records and health IT technician averaged across non-metro areas is $31,390, compared with $33,566 for metro areas, according to U.S. Bureau of Labor Statistics data.

Across the country, the need for HIT professionals has boomed. The BLS estimated that an additional 41,100 health information technicians will be needed between 2012 and 2022. The bureau also projected that employment for medical-records and health-information technicians will increase 22% by 2022, much higher than the expected 11% increase in overall employment.

The starting gun for the HIT employment boom—and the associated squeeze in smaller towns and rural areas—was the American Recovery and Reinvestment Act of 2009, which pushed many providers to adopt EHR systems by 2014 through $25 billion in payment incentives and grants for training programs.

“The demand (for HIT professionals) just exploded when the electronic record stuff took hold,” said Mark Sonneborn, vice president of information services at the Minnesota Hospital Association. From February 2009 to February 2012, the number of online job postings in the field almost tripled from 4,850 to 14,512, according to a data brief from HHS' Office of the National Coordinator for Health Information Technology. The ONC does not break out urban and rural job listings.

Brock Slabach, senior vice president for member services at the National Rural Health Association, said the looming end of the EHR incentive payments could hurt HIT efforts at rural hospitals and clinics. “The question will be, can these facilities, with these declining reimbursements, and the incentives ending with the American Recovery and Reinvestment Act, continue to operate these information systems efficiently and effectively?” he asked.

In addition to the stimulus program, the Patient Protection and Affordable Care Act drove the need for IT development and staffing through its focus on population-health initiatives, quality-of-care measures, and preventable readmissions. Another factor is the looming implementation of the ICD-10 coding system.

Implementing EHRs is the heavier lift for Milly Prachar's hospital, however. “It's so far-reaching and really touches all users within the organization,” said Prachar, director of health-information management at Roseau LifeCare Medical Center, a 25-bed critical-access hospital in Roseau, Minn., a town of 2,600 near the Canadian border.

Tight deadlines and finances are one side of the problem, and finding qualified IT workers is the other. Prachar's hospital opted to train one of its nurses in clinical IT rather than recruit an IT specialist. That's a strategy a number of other rural-health facilities are using for their IT needs. “Because of our location—we're pretty remote—we didn't think it would be likely that there would be someone with the knowledge of the organization as well as EHR knowledge that could step into that role,” she said.

But that does not solve the problem of how to deal with the increasing number and scope of IT projects on top of the hospital's usual workload. The result for small town and rural providers is a backlog of work and delays in implementing meaningful use of EHR systems and cost-saving quality measures. It also holds them back from participating in alternative payment and delivery models such as accountable care organizations and bundled payment, which require sophisticated data systems.

“They're not keeping up with health reform,” said Joe Wivoda, a health IT consultant based in Hibbing, Minn. “There's no way in the world that you can do health reform without robust health IT capabilities.”

Chantal Worzala, director of policy at the American Hospital Association, said there are two issues for rural providers in hiring IT talent. One is whether the hospital can afford to pay enough to be competitive with urban hospitals, vendors and consulting firms, and the answer is often no. The second issue is convincing IT professionals to live and work in a small town or rural community.

A key for rural providers in recruiting students for HIT jobs is identifying candidates who want to live in a rural community or small town, said Sunny Ainley, associate dean of continuing education and workforce development at the Center for Applied Learning at Normandale Community College in Bloomington, Minn. “You have to enjoy the rural amenities of living in Minnesota,” she said.

Effectively using social media is one way to reach candidates. “People have a very high trust for social media, so we always recommend to our clients to make sure they have a Facebook page and they're very active,” said Ralph Henderson, president of healthcare staffing at AMN Healthcare. “That takes away some of the issues that, 'I don't know that health care system' or 'I don't know that city very well.'”

He also advises conducting on-campus recruiting at colleges and universities to get to know people early in their careers and establish relationships with them. In addition, he recommends having a strong training program. “The healthcare systems that do a good job of hiring new grads and then setting up training programs for them are the ones that tend to win those competitive wars for talent,” Henderson said. These programs breed loyalty to the hospital as well as the local community.

Hire and train
Another approach is to hire and train, bringing on new employees knowing they'll need skills development to do the job effectively. A related strategy is to develop existing employees' IT skill sets through onsite or off-site training, as Roseau LifeCare Medical Center did with the nurse on its staff.

Other small providers are exploring partnerships with larger hospitals, although Slabach worries this could hurt rural providers in the long run. “If the urban partner doesn't have a real keen sensitivity to rural healthcare, preserving access and maintaining traditional patterns of care, you could see patients being transferred to larger facilities,” he said.

A way around this is the IT cooperative approach, which a few small providers have pursued. The not-for-profit Illinois Critical Access Hospital Network offers IT services to its 53 member hospitals on a fee-for-service basis. “(It's at) far less cost to us than if we A, had hired that individual ourselves or B, if we were working through a third-party consulting firm,” said Harry Wolin, CEO of the 20-bed Mason District Hospital in Havana, Ill.

Even so, consulting firms are finding plenty of work with the boom in IT needs. “Small organizations have limited resources (and) limited availability to reach out to talent because everybody wants to work for a larger organization and make more money,” said Carol LeMaster, senior director of career services and professional development at the Healthcare Information and Management Systems Society. “Typically, it's just easier for them to just hire a consulting organization.”

Educators also are working to connect graduates of their HIT training programs to open positions. Normandale Community College was one of about 81 community colleges that received stimulus funding through the ONC for a program aimed at training HIT professionals to help implement EHRs as demand for these positions soared.

But a key source of support for the smallest rural providers as they strive for meaningful use is about to dry up. The HITECH provision of the 2009 stimulus law funded a nationwide network of 62 regional extension centers, run by the ONC to help rural providers implement EHRs. As of January, 3,427 of the 6,700 providers at critical-access and rural hospitals that worked with the RECs had achieved some level of meaningful use.

The RECs will run out of stimulus funding this year. “That is going to be, in certain parts of the country, really, really hard,” said Mat Kendall, who left his position running the REC program at HHS in March. Seventy-one percent of healthcare leaders surveyed by Modern Healthcare between November and January said they think federal funding for these centers should continue.

Kendall worries that the digital divide between urban and rural providers will widen during implementation of Stage 2 meaningful use of EHRs. The ONC is working with providers and vendors to help them with this process, he said. But “there's nothing we can do about the inability to find (IT professionals).”

By Catherine Hollander

“Rural hospitals get creative in staffing for IT needs,” Modern Healthcare (May 17, 2014)

Advocate Health Care already facing first lawsuit for July 15 breach involving 4 million EHR patient records

Chicago-area Advocate Health Care suffered the country’s biggest health care record breach to date on July 15, when four unencrypted laptops containing over four million patient records were stolen.  Seven weeks later, the legal repercussions of July’s event are already beginning to unfold with last week’s filing of a class-action complaint in Cook County Circuit Court.

Once again, we are reminded both of the repercussions of such a loss and, more importantly, how easy it is to prevent this.  I’m not suggesting that the theft could have been prevented, but if the laptops had been encrypted, then this would have been a non-event (at least as far as the breach notification issue).  No one outside of Advocate would even know about the theft, because Advocate wouldn’t have had to report the loss and it would not have made the news at all.  So the take-away:  encrypt all of your mobile devices, including laptops, thumb drives, smart phones, etc.

Via Modern Healthcare:

The recent massive data breach at Advocate Health Care has already had legal consequences.

Downers Grove, Ill.-based Advocate and a subsidiary, Advocate Medical Group, are facing a state class-action lawsuit filed on behalf of two named plaintiffs and 4 million individuals whose personally identifiable health records were taken along with four desktop computers in a burglary in July. The computers were password protected but not encrypted, according to Advocate.

The five-count, 12-page complaint in Cook County Circuit Court in Chicago alleges negligence, deceptive business practices, invasion of privacy, intentional infliction of emotional distress and consumer fraud, all violations of Illinois law.

According to the class-action complaint, Advocate “continued its use of nonsecure, unencrypted computers and software to maintain the private and confidential patient data” it had collected, in violation of two state privacy laws.

The suit alleges Advocate violated the Illinois Personal Information Protection Act when it “permitted an unauthorized acquisition of computerized data that compromised the security, confidentiality, or integrity of personal information,” and the Illinois Medical Patients Rights Act when it “facilitated and allowed for the unlawful disclosure of patients' private and confidential health information.”

The lawsuit requests a jury trial and judgment of an unspecified dollar amount for actual damages, costs and other relief the court deems appropriate.

The named plaintiffs were former Advocate patients, Pierre Petrich, and her minor daughter, Amara Petrich, of Northbrook, Ill. The suit was filed by Chicago personal injury attorney Robert Clifford.

The suit alleges the plaintiffs' records were part of the massive July 15 data breach at an administrative office of the 1,100-plus physician Advocate Medical Group in Park Ridge, Ill. At just over four million records, it is the largest breach by a healthcare provider since the federal government began requiring public reporting of larger healthcare records breaches in 2009.

Personally identifiable data on the compromised records varied, according to an Advocate spokeswoman, but included patients' names, addresses, dates of birth, Social Security numbers, diagnoses and medical record numbers.

Advocate previously made the federal “wall of shame” list kept by HHS' Office for Civil Rights after the theft of an unencrypted laptop in 2009 carrying 812 patient records.

Thus far, 659 breaches involving records of 500 or more individuals have made the list, accounting for more than 22.8 million records being exposed. Of those involving electronic devices, 48% of the incident reports mentioned theft, 11% loss, and 8% hacking, all of which could have been mitigated by encryption.

The breach is being investigated by the OCR, the chief federal agency enforcing the health information privacy and security rules under the Health Insurance Portability and Accountability Act, and by the Illinois Attorney General's office, for possible HIPAA and Illinois privacy law violations, spokespersons for those agencies have said.

Advocate has faced criticism for not encrypting the data. Encryption is a technique in which software is used to scramble messages or data, rendering them unusable and unreadable to anyone who doesn't have the key, another piece of software code to unscramble the protected information.

An Advocate spokeswoman said an encryption program launched by the organization in 2009 had not reached the four computers in the Park Ridge office.

Advocate's Kelly Jo Golson, senior vice president of public affairs and marketing, in a statement, said “We deeply regret any inconvenience this incident has caused our patients who have entrusted us with their care. Our focus continues to be delivering the highest level of care and service. We are also committed to providing all individuals impacted by this incident with resources to answer their questions and tools to protect their personal information. Although we are unable to comment specifically on active litigation matters, we want to reassure our patients that we do not believe the data was targeted and we have no information that leads us to believe that the information has been misused.”

By Joseph Conn

“Advocate Health Care sued following massive data breach,” Modern Healthcare (September 6, 2013)

Computer viruses in medical devices: who should bear the costs for combatting? FDA issues warning, takes action

Computer virus infections of medical devices continue to be a serious issue, keeping healthcare provider IT departments busy removing malware.  (See our October 2012 blog post "Computer viruses on hospital medical devices: a growing concern; possible solutions").  The FDA has issued a warning regarding this threat, and is now asking, although not yet requiring, both healthcare providers and medical device manufacturers to take additional steps to heighten cybersecurity.

Via Modern Healthcare:

The Food and Drug Administration issued a notice on Thursday asking medical device manufacturers and healthcare facilities to introduce controls that would guard against cyberattacks on medical equipment and hospital networks.

Because many medical devices connect to the Internet, they are at risk of being infected with computer viruses that can affect the way they operate, putting patients' health in jeopardy. And devices and networks that are not properly secured leave them and the data they contain vulnerable to unauthorized access and use.

“Despite the fact that there has been no patient harm as the result of either inadvertent or intentional cybersecurity breaches, we understand FDA's desire to be cautious in this area,” Janet Trunzo, senior executive vice president of technology and regulatory affairs for the Advanced Medical Technology Association, said in a statement. “Our industry provides many life-saving or life-enhancing devices. So, it is important for both the manufacturers and the users of these devices to be aware of the potential for cybersecurity breaches.”

The FDA is recommending that manufacturers implement security controls such as user authentication, stronger passwords, physical locks and card readers. Other suggestions include security patches and restrictions on updates to authenticated code, as well as design approaches that maintain a device's critical functionality even in the event of an attack or breach.

Healthcare facilities, according to the FDA, should restrict unauthorized access to networks and devices, update antivirus software and firewalls, monitor network activity, and also develop strategies to maintain critical functionality when security is compromised.

The FDA is also requesting that manufacturers and healthcare personnel report cybersecurity events to MedWatch, their Safety Information and Adverse Event Reporting program, so as to identify vulnerabilities in an effort to reduce future incidents.

By Rachel Landen

“FDA warns about risk of cyberattacks on medical equipment, hospital networks,” Modern Healthcare (June 14, 2013)

"Health IT Law" blogger Steven J. Fox featured in "Healthcare Informatics" article

Negotiating favorable contracts with IT vendors requires skill and determination on the part of healthcare providers, on a playing field that currently favors vendors.  Blawger Steven J. Fox and three healthcare IT leaders share their insights in this in-depth article.

See Healthcare Informatics article at "Time for New Rigor on Vendor Contracts".

Mostashari urges HIT vendors to conduct themselves ethically

Farzad Mostashari, National Coordinator for Health Information Technology, believes most HIT vendors operate in good faith.  At a recent meeting, however, Mostashari stated that he will be testing organized peer pressure as a means of bringing more ethically problematic vendors into line, in order to avoid having to develop onerous additional regulations.  He warned that he will impose more regulations if necessary.

See Healthcare IT News article at "Mostashari calls on vendors to play fair".

Family doctor EHR use up although use varies by location

The Annals of Family Medicine reports that although use of electronic health records has not increased significantly in all regions, it has risen dramatically nationwide in the last few years.

Via Modern Healthcare:

The number of family physicians who have adopted electronic health records has more than doubled since 2005, though wide geographic variations exist, according to a report in the Annals of Family Medicine.

Using census survey data from the American Board of Family Medicine maintenance of certification exam and the National Ambulatory Medical Care Survey, researchers predicted that the adoption rate could pass 80% by the end of the year.

In the NAMCS, adoption among family physicians grew to 66.4% in 2011 from 24.8% in 2005. Among physicians undergoing the ABFM's maintenance of certification, adoption increased to 67.8% in 2011 from 28% in 2005.

The study notes “how federal efforts to increase adoption of EHRs have accelerated in recent years.” It adds that the federal government's “triple aim” goals to improve population health and healthcare delivery while lowering costs “will require data sharing and exchange that transects all aspects of healthcare delivery and depend in part on widespread adoption of EHRs, particularly by office-based physicians.”

But geographic variations were identified in both data sets. Utah, at 94.9%, had the highest rate of adoption among family physicians seeking maintenance of board certification; while North Dakota had the lowest rate of adoption, 47.1%. For family physicians in the national ambulatory survey, Hawaii had the highest rate of adoption, 87.6%. North Carolina family physicians had the lowest, 44%.

The researchers wrote that there was “strong regional clustering for adoption.” They speculated that states' commitment varied in their support for health IT funding mechanisms to promote EHR adoption, prescription drug tracking and quality data reporting. Other reasons that could explain the variation included differences in market penetration of health maintenance organizations and the presence of large integrated healthcare organizations.

By Andis Robeznieks

“EHR use up among family doctors, but varies by area,” Modern Healthcare (February 5, 2013)

Breaking: HHS releases final rule on HITECH Act provisions

HHS has announced a long-awaited omnibus final rule that implements a number of provisions of the HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, commonly known as the "Stimulus Bill," to strengthen the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

We will update the blog with more analysis of the final rule, but, in the meantime, you can find the press release here. You can see a copy of the rule via Federal Register here.

Via HHS Press Release:

The final rule also reduces burden by streamlining individuals’ ability to authorize the use of their health information for research purposes. The rule makes it easier for parents and others to give permission to share proof of a child’s immunization with a school and gives covered entities and business associates up to one year after the 180-day compliance date to modify contracts to comply with the rule.

The final omnibus rule is based on statutory changes under the HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, and the Genetic Information Nondiscrimination Act of 2008 (GINA) which clarifies that genetic information is protected under the HIPAA Privacy Rule and prohibits most health plans from using or disclosing genetic information for underwriting purposes.


Settlement of first small scale HIPAA breach announced by HHS

In a sign that HHS is serious about small data breaches, the Office for Civil Rights (OCR) and The Hospice of North Idaho reached a settlement agreement to resolve allegations of a 2010 breach involving 441 patient records. OCR Director Leon Rodriguez reminded the industry that every covered entity, regardless of size, must implement the privacy and security safeguards - including, e.g., encryption of protected health information on mobile devices - required under HIPAA, as amended pursuant to the HITECH Act.

This settlement comes at the same time as the OCR rolls out its new educational initiative aimed at securing protected data on mobile devices. You can learn more about this initiative here.

Via HHS Press Release:

The Hospice of North Idaho (HONI) has agreed to pay the U.S. Department of Health and Human Services’ (HHS) $50,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.  This is the first settlement involving a breach of unprotected electronic protected health information (ePHI) affecting fewer than 500 individuals.

The HHS Office for Civil Rights (OCR) began its investigation after HONI reported to HHS that an unencrypted laptop computer containing the electronic protected health information (ePHI) of 441 patients had been stolen in June 2010.  Laptops containing ePHI are regularly used by the organization as part of their field work.  Over the course of the investigation, OCR discovered that HONI had not conducted a risk analysis to safeguard ePHI.  Further, HONI did not have in place policies or procedures to address mobile device security as required by the HIPAA Security Rule.  Since the June 2010 theft, HONI has taken extensive additional steps to improve their HIPAA Privacy and Security compliance program.

“This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.” said OCR Director Leon Rodriguez. “Encryption is an easy method for making lost information unusable, unreadable and undecipherable.”

The Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification Rule requires covered entities to report an impermissible use or disclosure of protected health information, or a “breach,” of 500 individuals or more to the Secretary of HHS and the media within 60 days after the discovery of the breach.  Smaller breaches affecting less than 500 individuals must be reported to the Secretary on an annual basis.

A new educational initiative, Mobile Devices: Know the RISKS. Take the STEPS. PROTECT and SECURE Health Information, has been launched by OCR and the HHS Office of the National Coordinator for Health Information Technology (ONC) that offers health care providers and organizations practical tips on ways to protect their patients’ health information when using mobile devices such as laptops, tablets, and smartphones.  For more information, visit

The Resolution Agreement can be found on the OCR website at

“HHS announces first HIPAA breach settlement involving less than 500 patients: Hospice of North Idaho settles HIPAA security case for $50,000,” HHS Press Release (January 2, 2013)

HHS Inspector General: Medicare EHR incentive program lacks adequate safeguards against error and fraud

The HHS Inspector General this week reported the results of its recent investigation to “verify the accuracy of professionals' and hospitals' self-reported meaningful-use information, as well as eligibility and payment amounts.”   The investigation reviewed payments issued from May through December 2011, a period during which approximately $1.7 billion was distributed to almost 28,000 recipients.  The Inspector General’s office concluded that Medicare needs to improve its review process.

Link to report here.

Via Modern Healthcare:

The CMS and the Office of the National Coordinator for Health Information Technology at HHS need to tighten up their oversight of the Medicare EHR incentive payment program, according to HHS' inspector general's office.
The watchdog office, headed by Inspector General Daniel Levinson, offered a couple of recommendations for the agencies in its report, "Early Assessment Finds That CMS Faces Obstacles in Overseeing the Medicare EHR Incentive Program" (PDF). The report is based on audits of EHR incentive payment attestations, reviews of internal CMS and ONC documents about the program and interviews with CMS personnel. The inspector general's office did not focus this time on the Medicaid portions of the program, although a previous report, issued in July 2011, did, focusing on 13 state-run Medicaid EHR incentive programs. The inspector general's office also is conducting "a series of audits of Medicare and Medicaid EHR incentive payments" to "verify the accuracy of professionals' and hospitals' self-reported meaningful-use information, as well as eligibility and payment amounts. No time frame for those audits was included in the report.

The inspector general's review covered the early stages of the Medicare EHR incentive program, from when payments started flowing in May 2011 through December 2011. During that period, the program paid out about $1.7 billion to nearly 27,000 physicians and other eligible professionals and 668 hospitals, the report said. 
The inspector general said that the CMS validates the presence of some required information and confirms some calculations provided by hospitals and providers. For example, "The validation checks that self-reported numerators and denominators calculate to required percentage thresholds and that all relevant yes/no measures were checked 'yes,' " according to the report. However, the report continued, the CMS "does not verify that numerators and denominators entered for percentage-based measures reflect the actual number of patients for a given measure or that professionals and hospitals possess certified EHR technology."
One "obstacle" the CMS faces in trying to get independent validation that what the providers are attesting to actually happened is that data from other sources—such as Medicare claims or private insurance data—is either incomplete for the task or unavailable.
The inspector general's office notes that although the CMS is not required to perform prepayment verification, "doing so would strengthen its oversight of the anticipated $6.6 billion in incentive payments" the program is expected to shell out over its lifetime, which runs through 2016.
Regarding post-payment oversight, the inspector general noted that, so far, the CMS "has not yet completed any post-payment audits." But the CMS has said it plans to use EHR-generated reports "to verify the accuracy of self-reported information where possible" and obtain supporting documents in instances where the reports don't cover the audit subject matter—and this is where the ONC comes in for criticism.
The ONC oversees the rule writing, and the testing and certification programs to determine whether EHR technology qualifies for use in the Medicare EHR incentive payment program.
The CMS "cannot use EHR reports to verify all self-reported meaningful-use information because ONC does not require certified EHR technology to be capable of producing reports for all meaningful-use measures," the inspector general's report said. The ONC requires an EHR to write reports on the 30 percentage-based measures but not the 19 yes/no measures users also are required to attest to in order to get paid.
"EHR reports also do not contain information necessary for CMS to verify all percentage-based measures," the inspector general's report said, specifically noting that denominators for many of those measures include data from both paper-based and EHR systems.
The inspector general's office recommended that the CMS beef up its prepayment assessment program, including by focusing on "high-risk" professionals and hospitals, asking them to "submit supporting documentation for prepayment review."
It also recommended that ONC "improve the certification process" to ensure that certification bodies "comprehensively test EHR reports for accuracy as part of the certification process" as well as not rely on "vendor-supplied data" during the testing phase.
The CMS, in an Oct. 9 letter from acting Administrator Marilyn Tavenner, said prepayment audits were not necessary at this time, but concurred with another inspector general's office recommendation to issue guidance on the proper provider documentation required for the program.
In a similar letter to the inspector general's office dated Sept. 25, ONC chief Dr. Farzad Mostashari concurred with the inspector general's office's recommendation of testing a "yes/no" reporting functionality. He said he would ask his two advisory committees, the Health IT Policy and Standards committees, to make recommendations "on the appropriate scope and feasibility of a certification criterion focused on 'yes/no' reports."
Mostashari also said the ONC has “already taken steps” to address a separate inspector general's recommendation that it improve its EHR testing and certification program. Specifically, the OIG recommended that the national coordinator supplant vendor-supplied data used in the initial rounds of its certification tests with a standard data set to be used by all vendors.
Last fall, GE warned customers of two of its EHR systems for ambulatory-care providers that errors had been found in reports to support meaningful-use attestations. That incident was specifically mentioned in the OIG report, which added that the ONC's certification process "did not identify these potential inaccuracies because the vendor-supplied test data did not account for the manner in which some professionals use the products." Similar problems may exist with reports from other EHR products, the OIG report said, but it cited no other examples of report-writing failures.
In his letter, Mostashari said the updated 2014 edition testing and certification rules—which were released in February in conjunction with the CMS' Stage 2 meaningful-use rules—contain "more rigorous testing requirements" that became effective Oct. 4, 2012. He said the ONC "will continue to migrate away from the exclusive use of vendor-supplied data."
In a telephone interview, Mostashari said the GE report-writing problem was "old news." Asked whether he was aware of any other incidents of EHR systems failing to produce accurate test reports, Mostashari said, "It's really a CMS question."

By Joseph Conn

“HHS inspector general: Medicare EHR program needs better oversight,” Modern Healthcare (November 29, 2012)

3.8 million record breach in South Carolina: lessons learned

Hackers recently infiltrated South Carolina's state tax records, absconding with the largest haul to date of Social Security numbers and credit and debit card numbers taken from a state agency. State officials describe how the theft was carried out and list enhanced security measures that could have prevented the attack.
See New York Times article at "South Carolina Offers Details of Data Theft and Warns It Could Happen Elsewhere".

EHR access lost during Hurricane Sandy

Hurricane Sandy this week tested East Coast health care systems’ electronic infrastructure.  Emergency preparedness plans were implemented fairly successfully for most health care facilities, allowing them to continue to operate adequately.  Others, however, were negatively impacted, including some which lost access to their EHRs. 

It is absolutely critical that health care providers, even in areas which are not prone to massive weather-related disruptions, consider and implement backup plans for their IT systems. The crisis at NYU Langone Medical Center in Manhattan demonstrated just how dependent we are on electronic systems and the power supply. It is imperative that the IT staff at each health care provider organization knows that its important software systems, including EHRs, are backed up, and that the organization's data, including patient data, is readily available and is never lost due to a storm or an earthquake.

Via Modern Healthcare:

Power outages across New Jersey, New York and Pennsylvania forced some hospitals to evacuate and others to rely on backup generators in the wake of superstorm Sandy.
The powerful and massive storm, which reached the coast in southern New Jersey around 8 p.m. on Monday, is responsible for at least 35 deaths, the Associated Press reported.
One Manhattan hospital was forced to evacuate 300 patients hours after Sandy's landfall when backup power failed. Evacuation of the New York University Langone Medical Center was complete by late Tuesday morning, a statement from the hospital said.

Meanwhile, plans to evacuate about 200 patients from Coney Island Hospital were underway early Tuesday afternoon, said Evelyn Hernandez, a spokeswoman for New York City Health and Hospitals Corp., which owns the hospital. Backup power was restored on Tuesday to Coney Island Hospital after it lost power during the storm. Most patients who depend on ventilators or other devices were evacuated ahead of the storm, but seven critically ill patients remained at Coney Island Hospital and relied on battery-supported ventilators during the power outage. Those patients were transferred elsewhere Tuesday morning. 
In New Jersey, Palisades Medical Center, North Bergen, began evacuating 83 patients Tuesday morning, said Donna Leusner, a spokeswoman for the New Jersey Department of Health. Flood damage knocked out power to Palisades Medical Center, said a spokeswoman with Hackensack (N.J.) University Medical Center, where Palisades patients were transferred by National Guard troops after 9 a.m. on Tuesday. Hackensack University Medical Center was expected to accept 51 patients from Palisades Medical Center, Nancy Radwin, an HUMC spokeswoman said.
Approximately 30 New Jersey acute-care hospitals were operating on backup generators after the storm, said Kerry McKean Kelly, a spokeswoman for the New Jersey Hospital Association.
Eight Pennsylvania hospitals experienced power outages and were operating on backup generators on Tuesday, the state Health Department said.
North Shore-Long Island Jewish Health System reported that Glen Cove (N.Y.) Hospital, Huntington (N.Y.) Hospital, Plainview (N.Y.) Hospital, Syosset (N.Y.) Hospital and its Stern Family Center for Rehabilitation, Manhasset, were operating on backup power, as was one campus of the two-campus Staten Island University Hospital in New York City.
Also, Staten Island University Hospital could no longer access electronic health records after flooding on Monday disrupted power to the building where data is stored. Doctors continued to use paper records on Tuesday.
Other hospitals lost access to EHRs during the storm. Doctors at West Penn Allegheny Health System in Pittsburgh reverted to paper and written orders as the storm came ashore and damaged a data center in Mountain Lakes, N.J. Dan Laurent, a spokesman for the system, said Allegheny General and Western Pennsylvania hospitals, both in Pittsburgh, and the emergency room at Forbes Regional Hospital, Monroeville, could not access electronic medical records between 8:30 p.m. on Monday and 4 a.m. on Tuesday.

By Melanie Evans

“Superstorm Sandy knocks out power at East Coast hospitals, prompting evacuations,” Modern Healthcare (October 30, 2012)

Computer viruses on hospital medical devices: a growing concern; possible solutions

Medical device security experts report increasing issues with computer viruses on hospital medical devices.  Problem sources include inconsistent and/or incompatible security measures, as well as outdated operating systems.  The Government Accounting Office has sounded the alarm, requesting the FDA to address the matter.

See Forbes article at "Hospital Medical Devices 'Rampant' With Computer Viruses".

Health education information incomprehensible to many; HHS program to rate EHR-linked education materials for "understandability"

Health education materials provided to health care consumers until now have commonly assumed a fairly high level of “health literacy” – a level which, research has shown, makes the materials inaccessible to about 77 million people.  HHS’ new program addressing this issue begins with the development of a system to rate health information as efforts are made to improve the quality of these materials.

Via Modern Healthcare:

HHS' Agency for Healthcare Research and Quality is developing a rating system for the growing amount of health information directed at patients.
The agency's Health Information Rating System, discussed in a Federal Register posting, will focus especially on patient data provided by electronic health records.

The agency's notice stated that health education materials delivered by EHRs “are rarely written in a way that is understandable and actionable for patients with basic or below basic health literacy,” which includes about 77 million people. “Persons with limited health literacy face numerous healthcare challenges,” according to the AHRQ notice. “They often have a poor understanding of basic medical vocabulary and healthcare concepts.” 
Agency officials expect the rating system to address that challenge by giving clinicians a method to determine the quality of the data their systems provide or that such resources are even available.
A draft version of the rating system was applied by researchers at AHRQ to sample education materials on asthma and colonoscopy and indicated some of the material had “low understandability or low actionability.” The agency plans to next use consumer panels to test the accuracy of the rating system.
Other related health literacy activities planned by AHRQ include creating a library of patient health education materials, a review of EHRs' patient education capabilities and education of EHR vendors and users.

By Rich Daly

“AHRQ developing consumer info rating system,” Modern Healthcare (October 8, 2012)

Sharing EHR notes between providers and patients improves care, patient loyalty among other benefits

According to Annals of Internal Medicine, a new study found no disadvantages to health care providers sharing EHR notes with patients.

Via Kaiser Health News:

Doctors are required by federal law to provide patients with a copy of their medical notes upon request, but few patients ask and doctors generally don’t make the process easy.

When patients were offered online access, however, 90 percent read their doctors’ notes with some impressive results.
A study published in the most recent issue of the Annals of Internal Medicine found that 60 to 78 percent of patients who read their visit notes reported that they were more likely to take their medications as prescribed.  And their doctors reported that sharing their notes actually strengthened relationships with patients.

The study included 105 primary care physicians and 13,564 of their patients at Beth Israel Deaconess Medical Center in Massachusetts, Geisinger Health System in Pennsylvania and Harborview Medical Center in Washington, who participated  in a project called OpenNotes, in which patients were given electronic access to their files.

Study authors Tom Delbanco and Jan Walker of Beth Israel said they were surprised and delighted to find that patients who viewed their medical notes were more likely to take their medicines correctly. “Medication adherence is one of the greatest problems in health care,” said Delbanco, “yet flipping this switch seems to activate patients.”

As one patient explained, “having it written down, it’s almost like there’s another person telling you to take your meds.”

Patients also reported “an increased sense of control, greater understanding of their medical issues, improved recall of their plans for care, and better preparation for future visits,” the study authors write.

Despite concerns among participating physicians that sharing their notes would increase their workload, few of them reported longer visits or spent more time answering patients’ questions outside of visits.

One concern is that doctors may change the way they write their notes if their patients can read them. Since the same notes are shared with other doctors, this could have a clinical impact. As an example of a minor change, some doctors reported using “body mass index” in place of “obesity” to avoid offending their patients.

Blunt language, however, seems to have motivated some patients. “In his notes, the doctor called me ‘mildly obese,’” one patient commented. “This prompted my immediate enrollment in Weight Watchers and daily exercise. I didn’t think I had gained that much weight. I’m determined to reverse that comment by my next check-up.”

At the end of the experiment, nearly 99 percent of the participating patients wanted continued access to their visit notes. And all three participating hospital sites have decided to broaden patient access to their doctors’ notes.

“Our greatest hope is that this will become a standard of care,” said Walker. “We’re at a good time in history because more and more doctors and hospitals are getting electronic health records and putting up secure patient portals,” allowing many patients easy access to their records.

They add, however, that privacy implications could be enormous: 20 to 45 percent of patients reported that they shared their notes with others, including family and friends. A patient could also choose to post their notes on Facebook or Twitter. “The patient-doctor relationship is confidential,” explained Delbanco, “but whether it’s private is now up to the patient.”

By Jenny Gold

“For Patients, What A Difference A Note Makes,” Kaiser Health News (October 2, 2012)

Laptop theft costs Massachusetts provider $1.5 million in HHS settlement

Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates (MEEI) will be paying HHS $1.5 million in installments over three years for a 2010 incident. It is worth noting that OCR also reached a $1.5 million settlement with Blue Cross Blue Shield of Tennessee (BCBST) earlier this year for a breach involving over a million patient records on stolen hard drives. The MEEI data breach, on the other hand, involved only 3,621 patient records.

Regardless of OCR's exact motives for such a high fine for such a significantly smaller breach, it is clear that OCR takes compliance with the HIPAA Privacy and Security Rules very seriously, especially in cases where patient data is stored on portable devices. It is also important to keep in mind that, as we pointed out after the BCBST breach, the $1.5 million settlement amount may well be exceeded by the costs of notification and credit monitoring, as well as of MEEI's investigating and correcting this breach.

Via Modern Healthcare:

HHS' Office for Civil Rights announced that Massachusetts Eye and Ear Infirmary and its affiliated physician group, Massachusetts Eye and Ear Associates, agreed to pay $1.5 million to settle a HIPAA security-rule violation case.

The $1.5 million settlement with Boston-based Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, collectively known as MEEI, is part of a resolution agreement (PDF) with the Office for Civil Rights. MEEI's alleged violations of the Health Insurance Portability and Accountability Act's security rule stem from the reported 2010 theft of a laptop computer storing 3,621 patient records, according to HHS.
The Office for Civil Rights alleges that the infirmary and the group not only failed to secure data on the laptop but also failed to comply with several other HIPAA security-rule requirements, including performing “a thorough analysis of the risk to the confidentiality” of individually identifiable patient information stored on the portable device and not “adopting and implementing policies and procedures to restrict access to ePHI to authorized users of portable devices.” The term ePHI refers to electronic protected health information. 

“In an age when health information is stored and transported on portable devices such as laptops, tablets and mobile phones, special attention must be paid to safeguarding the information held on these devices,” Office for Civil Rights Director Leon Rodriguez said in a news release. “This enforcement action emphasizes that compliance with the HIPAA privacy and security rules must be prioritized by management and implemented throughout an organization, from top to bottom.”

The settlement amount is to be paid in three equal installments of $500,000—the first on Oct. 15 of this year and the next two on the same date in 2013 and 2014.

The 17-page resolution agreement also requires the organization “to adhere to a corrective action plan” and permits an independent monitor to make semi-annual assessments of MEEI's compliance with the plan for three years.

The American Recovery and Reinvestment Act of 2009 required the reporting to HHS of breaches affecting 500 or more individuals and the creation of a publicly accessible website listing the breaches. There are now 490 such self-reported breach incidents on the list, which is maintained by the Office for Civil Rights. Combined, those breaches exposed the records of more than 21 million individuals, according to the office.

The infirmary is on the list twice. A November 2009 incident involving 1,076 records stemmed from a police investigation into improper use of credit card information that led to the firing of two infirmary employees.

By Joseph Conn

“Mass. provider to pay $1.5 million in HIPAA settlement,” Modern Healthcare (September 17, 2012)

OCR: Health records of over 7 percent of U.S. population breached in past 3 years

Health records of over seven percent of the U.S. population – almost 21 million individuals – have been breached in the past three years, according to OCR. Although it may be somewhat of an apples-to-oranges comparison, it is worth noting that outside the health care arena it is not uncommon for this number of records, or several times this number, to be breached in a single incident, in this new era of vanishing personal privacy. The 2012 theft of 24 million customer records from Amazon's online shoe retailer Zappos may be the most recent of the large-scale data breaches, but it is dwarfed by other breaches in recent years, notably the 2009 Heartland Payment Systems incident in which 134 million records were compromised. According to the OCR, the 21 million figure represents just those records compromised in breaches over a certain threshold and does not include smaller-scale breaches.

Via Modern Healthcare:

Since September 2009, there have been 477 breaches reported to the Office for Civil Rights affecting 500 or more people, according to a publicly viewable list on the office's website.
The breach notification and reporting mandate was part of more stringent privacy and security provisions of the American Recovery and Reinvestment Act of 2009.

Tens of thousands of breaches that involve fewer than 500 records have also been reported, according to the Office for Civil Rights, but details of these lesser breaches are not required to be posted to the website.

Six healthcare organizations have suffered breaches compromising 1 million records or more.

The list is topped by an incident last September involving the loss of 4.9 million records by an employee of Science Applications International Corp. He reported to police that some backup tapes carrying data on the medical treatment of military personnel kept by the Tricare Management Activity were stolen from his car in Austin, Texas.

Loss of data by a vendor is nothing unusual. In 100 of these larger breach incidents—roughly 21%—a business associate of a "covered entity" as defined under the Health Insurance Portability and Accountability Act of 1996, also was affected in the breach, Office for Civil Rights data show.

In total, the records of 20,970,222 individuals have been potentially exposed in these major breaches thus far.

The median size of a breach on the list involves the records of 2,184 people; the average is 43,963.

Theft is the most commonly reported breach type (54%), followed by unauthorized access or disclosure (20%), loss (11%), hacking (6%), improper disposal (5%) and other/unknown (4%).

“Large medical-records breaches affect nearly 21 million: OCR,” Modern Healthcare (August 1, 2012)

Majority of health care providers have entered electronic age

Over half of U.S. doctors now use electronic medical records, and half of the remainder plan to start in the coming year, a new poll has found.

Via HealthDay:

TUESDAY, July 17 (HealthDay News) -- A majority of U.S. physicians have now adopted an electronic health record system as part of their routine practice, a new national survey reveals.

The finding is based on responses provided by nearly 3,200 doctors across the country who completed a mail-in survey in 2011. The survey was conducted by the U.S. Centers for Disease Control and Prevention's National Center for Health Statistics as part of an ongoing three-year effort (continuing through 2013) designed to assess perceptions and practices regarding electronic health record systems.

Specifically, the poll found that 55 percent of U.S. doctors have embraced some type of electronic health record system. And roughly 75 percent of those who have done so reported that the type of system they took on meets the criteria of playing a "meaningful" role in their practice, according to the terms of 2009 federal legislation (entitled the Health Information Technology for Economic and Clinical Health Act) designed to promote the use of electronic health records.

What's more, 85 percent of those doctors who now have an electronic health record system in place said they are either "somewhat" or "very" satisfied with its day-to-day operations (47 percent and 38 percent, respectively). And three in four said patient care has improved as a result of electronic health record adoption.

The poll also indicated that among those who have yet to embrace an electronic health record system, almost half said they plan to do so in the coming year.

Physician age seems to have played a role in how likely a doctor was to have already brought an electronic health record system into their practice, the findings showed. While 64 percent of those under the age of 50 have done so, the poll revealed that the same was true of only 49 percent among those aged 50 and older.

Office size also seems to matter, with larger physician practices being more likely to have incorporated an electronic health record system into their administrative infrastructure. Specifically, 86 percent of offices with 11 or more physicians on site had taken on such a system, compared with roughly 60 percent to 62 percent of those with two to 10 physicians and just under 30 percent of single-doctor practices.

But although some kinds of specialists (such as surgeons) were somewhat less likely to have implemented an electronic health record system, race, gender and physician location did not seem to play a role in the likelihood that a doctor's office would or would not bring the technology into their workplace.

Eric Jamoom, of the health care statistics division of the U.S. National Center for Health Statistics, and colleagues published their findings July 17 in the NCHS Data Brief.

More information

For more on electronic health records, visit the U.S. National Library of Medicine.

-- Alan Mozes

SOURCE: U.S. Centers for Disease Control and Prevention, news release, July 17, 2012

Copyright © 2012 HealthDay. All rights reserved.

“U.S. Doctors Embracing Electronic Health Records: Survey,” HealthDay (July 17, 2012)

Patient-accessible electronic medical records may increase preventive care

Patients increased their preventive care significantly after being given access to their medical records online in a recent study. These health care consumers’ use of preventive care measures, such as cancer screenings and immunizations, was higher than that of consumers without online access to their EMRs.

Via Reuters:

In a clinical trial at eight primary care practices, researchers found that patients who used such "interactive" health records were more likely to become up-to-date on recommended preventive care.

That included screening tests for breast, colon and cervical cancers, and immunizations like the yearly flu shot.

After 16 months, 25 percent of patients who used the online records were up-to-date on their preventive care - which was double the rate of non-users.

"It's hard to get people to take an active role in their healthcare," said Jesse C. Crosson, an assistant professor at the UMDNJ-Robert Wood Johnson Medical School in Somerset, New Jersey.

So it's "very encouraging" to see some benefits in this study, said Crosson, who was not involved in the work but has studied the impact of electronic health records.

In the U.S., there has been a huge push to get doctors to switch from old-fashioned paper to electronic records. That's because digital records can, among other things, allow doctors, hospitals and other providers to communicate more easily - and hopefully cut down on errors, while getting more patients the tests and treatments they need.

Congress has authorized up to $27 billion in government incentives to get doctors and hospitals to put electronic records to "meaningful use." And by 2015, providers will face penalties if they don't switch.

"Meaningful use" means steps like having up-to-date medication lists for each patient, and electronically prescribing drugs.

But there hasn't been much evidence yet that electronic records are improving Americans' care.

In a recent study of 42 medical practices, Crosson found that switching to digital records did not seem to improve diabetes care. Patients at offices that made the switch were no more likely to be getting recommended tests and treatments than patients whose doctors had stuck with paper records.

But the new study, published in the Annals of Family Medicine, took electronic records a step farther.

Researchers randomly assigned 4,500 primary care patients to either stick with their normal care or have the chance to access personalized health records on a secure Web site.

The system automatically pulled information from patients' electronic records at their doctors' offices, then gave each patient a "tailored list" of preventive services they should get - like cancer screenings and immunizations. It also gave them links to educational materials on those services, and why they're recommended.

"What we tested is a higher level of functionality than exists in current practice," said lead researcher Dr. Alex H. Krist, of Virginia Commonwealth University in Richmond.

And it did seem to make a difference. Overall, patients who used the system were more likely to be up-to-date on their preventive care 16 months later: 25 percent were, which was up from less than 14 percent at the start of the study.

In contrast, there was little change among patients given standard care: Less than 13 percent were up-to-date on preventive care by the study's end, which was up from 11 percent.

The problem, though, was that most people who were offered personalized health records didn't choose to use them.

Of the 2,250 patients offered the chance, only 17 percent had done so 16 months later.

Krist said he thinks that's largely a product of the controlled clinical trial design: People were "invited" by mail to set up online health records, and that may not have cut it.

"We didn't field it in a way that a real medical practice would," Krist said.

If the personal records were actually promoted at the doctor's office, they would probably be more popular, according to Krist.

Crosson agreed that the constraints of the clinical trial were probably an important factor. "Sending something in the mail might not be the best way to get people to go online," he noted.

Right now, the MyPreventiveCare system is in use in 14 U.S. primary care practices. But the researchers are hoping to "field" it in 300 practices over the next couple years. (The system is currently a "non-commercial" product; the research is being funded by the U.S. Agency for Healthcare Research and Quality.)

To work, the personal health records have to be integrated into doctors' existing electronic records systems.

Crosson said he didn't think the logistics of doing that will be the challenging part; instead, he said, the "human factor" might be.

E-records, though, are not going to magically make us healthier.

Krist pointed out that people who used the online records were more likely to get recommended cancer screenings and vaccinations. But they weren't any more motivated to get advice on diet, exercise, smoking or weight loss, if they needed it.

That type of "health behavior change," Krist noted, is more complicated than getting a test or a shot. And people tend to need a lot more help in making those changes.

"Technology alone isn't the fix," he said.

“Interactive health records may boost preventive care,” Reuters Health (July 12, 2012)

Health care system mergers slow transition to electronic medical records

The mounting economic challenges and the uncertain regulatory environment ensure that the pace of mergers in the health care industry will continue to accelerate, at the same time as the industry is moving into the digital age. Converting a single health care system from paper to meaningful-use certified electronic medical records (EMR) software is incredibly challenging and time consuming. However, conducting such a transition while two health care entities are merging is more than twice as difficult, because the potential for patient-endangering errors is very high, especially when merging non-complementary EMR systems.

Via Wall Street Journal:

Hospitals around the country are finding themselves forced to juggle the demands of moving to electronic health records, just as a wave of mergers disrupts the healthcare industry.

In the latest deal, two of New York’s biggest hospital chains, NYU Langone Medical Center and Continuum Health Partners, agreed to pursue discussions of a merger last week. The potential merger is the latest hospital marriage as healthcare systems around the country seek greater efficiency. Last year, Provena Health agreed to merge with Resurrection Health Care. Ascension Health, the nation’s largest Catholic health system, also agreed in 2011 to join with Alexian Brothers Health System.  A March report from Moody’s said that the pace of hospital mergers will only quicken, as reimbursements from both Medicare and private insurers shrink.

CIOs must handle IT integration of the merged hospitals, just as they are leading a transition to electronic medical records. Around 30% of hospitals have already made the move to electronic medical records, up from just 11% in 2009, according to Dave Garets, executive director of The Advisory Board Company, a medical research firm.

The digital transition enables them to share in federal incentives. As part of President Barack Obama’s 2009 stimulus bill, the federal government offered $19 billion to hospitals and doctors who can demonstrate they are using electronic medical records to write patient histories, order medications and report quality improvements.

The Obama administration hopes that by pushing America’s health system towards electronic records it can slow rising healthcare costs by reducing duplicate tests and human error.

If the merger went through, Mark Moroses, CIO of Continuum, would work with partners at NYU Langone to meld dozens of billing, procurement and patient care systems over the next few years. At the same time he is in the process of moving the chain of hospitals, which includes Beth Israel, St. Luke’s, and Roosevelt, to digital healthcare records. That will allow the chain to claim $20 million to $30 million in government stimulus incentives over the next four years, he told CIO Journal.

Mergers can complicate the transition to electronic records. Hospitals have different technical terms, and methods of documenting care, complicating the migration of data between the two institutions. And because patient health is on the line, there is no room for error, says Moroses.

That level of accuracy requires many test runs before the real migration occurs, with doctors and nurses scrutinizing samples of the transfer to spot out potential mistakes, says Moroses.

In order to claim the government money, Continuum will need to prove that doctors are entering data from patient charts into its GE Centricity record keeping software. Nurses already enter basic information like blood pressure and medication information into wireless computers-on-wheels (or COWs as they’re called), which are brought into patient rooms.

Moroses says even his hospital’s current level of electronic medical record adoption is paying off. Electronic records are eliminating situations in which tests might have been reordered simply because paperwork didn’t transfer to another department. Patient allergy information is instantly available to doctors, because it is digital. And medications are less likely to be delivered to the wrong room or the wrong patient—a mistake that can prove deadly. “Bad handwriting on prescriptions — I know it’s clichéd but you have a real improvement here,” Moroses said.

Over the next few months, doctors will begin entering longer patient histories, including detailed diagnoses, into the system as well. Moroses is also piloting the use of iPads with a handful of doctors. He’d like 95% of physicians across the hospital system to be using the devices over the next two years.

“The iPad is the first device with a long enough battery life,” Moroses said. “The challenge, so far, is navigating through the patient information on [the iPad’s] smaller screen.”

Moroses said Continuum is also part of a Department of Defense research project, which aims to allow the hospital to use data culled from the records to do predictive analytics. The project, which also includes Johns Hopkins Medical Center, will allow electronic records to produce alerts when data indicates a patient is at risk, and help researchers watch for trends on how treatments and dosage amounts affect patients.

As Continuum increases its use of electronic records, it will also have to prepare to merge its records with NYU Langone, without reversing the progress it made to secure millions in government grant money.

Moroses does not yet know what steps will go into the integration – the merger has not even been approved yet by government regulators. When it does his orders will come from the business units (“If they tell us to take a hill we’ll take a hill,” he said.)

But the experience of another major hospital chain North Shore-Long Island Jewish Health System, which took over Lenox Hill Hospital in 2010, offers clues.

To receive $8 million in government funding, North Shore chief medical information officer Michael Oppenheim is helping Lenox Hill ramp up its electronic record keeping to the level already in place at some of North Shore’s 12 other hospitals. To reach that goal Oppenheim is migrating Lenox Hill’s data to a newer version of the Allscripts medical record keeping system. (Lenox Hill currently uses an older version made by the same company, which is not on the list of systems the federal government will reimburse.)

While most data will transfer smoothly from one system to another, in some cases terminologies used by two hospitals don’t match. For example, one hospital may call an injury a “chief malady” and the other system may call it a “primary complaint,” complicating the migration.

Oppenheim plans to increase the number of Panasonic Toughbook tablets into Lenox Hill to allow doctors to enter data from patient charts directly into the system. But getting people onboard using the new tools and following a new set of protocols is the toughest part, Oppenheim said.

“You have to explain to the leadership that there is an upside,” Oppenheim said. “You want them to buy in rather than feel this is something coming from corporate. But in the end the fall back is that they don’t have an option of not going this way.”

CORRECTION: NYU Langone Medical Center and Continuum Health Partners agreed to pursue discussions of a merger last week. An earlier version of this article stated that the two hospitals had agreed to merge. Also, Mark Moroses, CIO of Continuum, will work with partners at NYU Langone should the hospitals merge. The earlier version of this article stated that Mark Moroses is already working with those partners.

“For Hospital CIOs, Mergers Complicate Move to Electronic Records,” Wall Street Journal (June 13, 2012)

HHS publishes EHR privacy and security guide

The ONC’s Office of the Chief Privacy Officer (OCPO) has published a “Guide to Privacy and Security of Health Information” intended to help healthcare practitioners and their staffs better understand the roles of privacy and security in the meaningful use of electronic health records.

Via Healthcare IT News:

Earlier this spring Healthcare IT News reported the results of a study from HIMSS Analytics and Kroll that showed security breaches are still widespread in healthcare – despite increased attention paid to patient privacy.

The ‘HIMSS Analytics Report: Security of Patient Data,’ suggested that, despite increasingly stringent regulatory activity with regard to reporting and auditing procedures, most providers were prioritizing compliance with the rules over actually bolstering their own organizations' security protocols.

So the new ONC guide, which seeks to offer a comprehensive, easy-to-understand resource to help providers incorporate robust privacy and security routines into their clinical workflow, comes at a crucial time.

Developed by OCPO in partnership with the American Health Information Management Association (AHIMA) Foundation, the 47-page guide offers detailed guidance on topics such as security risk analyses and management tips, and working with EHR and health IT vendors.

The guide also offers a 10-step plan for reinforcing privacy and security protections before attesting for meaningful use:

1. Confirm your organization is a covered entity. Most healthcare providers are covered entities, and thus, have HIPAA responsibilities for individually identifiable health information. The Department of Health and Human Services offers tools that can help you confirm your organization's status.

2. Provide leadership. Emphasizing the importance of protecting patient information to all your employees is central to ensuring a culture where security is treated with the importance it deserves.

3. Document your process, findings and actions. The Centers for Medicare & Medicaid Services (CMS) advises all providers attesting for meaningful use to retain all relevant records that support attestation. Record all your practice decisions, findings and actions related to safeguarding patient information.

4. Conduct security risk analysis. A security risk analysis – or a reassessment, if you've already done one – compares your current security measures to what is legally and pragmatically required to safeguard personal health information, and identifies high priority threats and vulnerabilities.

5. Develop an action plan. Using your risk analysis results, discuss and develop an action plan to mitigate the identified risks. The plan must have five components, the guide notes: administrative, physical, and technical safeguards; policies and procedures; and organizational standards.

6. Manage and mitigate risks. Begin implementing your action plan. Develop written and up-to-date policies and procedures about how your practice protects personal health information. Do not lose sight of basic security measures, some of which can be low-cost and highly effective.

7. Prevent with education and training. To safeguard patient information, your workforce must know how to implement your policies, procedures, and security audits, according to ONC. HIPAA covered providers must train their workforces (employees, volunteers, trainees, and contractors) on your policies and procedures. Staffs must receive formal training on breach notification.

8. Communicate with patients. Your patients may be concerned about confidentiality and security of their health information in an EHR, the guide points out. Emphasize the benefits of EHRs to them as patients, perhaps using consumer education handouts that others have developed, and reassure them that you have a system to proactively protect their health information.

9. Update business associate agreements. Ensure your business associate agreements require compliance with HIPAA and HITECH breach notification requirements. This will require your business associates to safeguard protected health information they get from your practice, train their workforce, and adhere to breach notification requirements.

10. Attest for the security risk analysis meaningful use objective. Only apply for an EHR incentive program once you've fulfilled the security risk analysis requirement and have documented your efforts, the ONC guide emphasizes, pointing out that when you attest to meaningful use, it is a legal statement that you have met specific standards, including that you protect electronic health information. Participants in the EHR Incentive Program can be audited.

Beyond HIPAA and HITECH, ‘ensuring privacy and security of health information, including information in electronic health records, is a key component to building the trust required to realize the potential benefits of electronic health information exchange,’ the ONC guide notes. ‘If individuals and other participants in a network lack trust in electronic exchange of information due to perceived or actual risks to electronic health information or the accuracy and completeness of such information, it may affect their willingness to disclose necessary health information and could have life-threatening consequences.’

Access the ONC Guide to Privacy and Security of Health Information here.

“ONC privacy and security guide offers 10 steps for MU,” Healthcare IT News (May 9, 2012)


HHS issues proposed rules on Stage 2 of Meaningful Use

On February 24, 2012, the Centers for Medicare and Medicaid Services (CMS) and the Office of the National Coordinator for Health IT (ONC) issued proposed rules regarding Stage 2 of Meaningful Use. The proposed rules include the criteria for demonstrating Stage 2 Meaningful Use, and address the penalties for failure to achieve Meaningful Use by 2015. HHS noted the progress made in the last few years, but also recognized the challenges facing the industry, and pushed back the attestation for Stage 2 to 2014. Via HHS Press Release:

In a November 2011 'We Can’t Wait' announcement, the Department outlined plans to provide an additional year for providers who attested to meaningful use in 2011. Under today’s proposed rule, stage 1 has been extended an additional year, allowing providers to attest to stage 2 in 2014, instead of in 2013. The proposed rule announced by ONC identifies standards and criteria for the certification of EHR technology, so eligible professionals and hospitals can be sure that the systems they adopt are capable of performing the required functions to demonstrate either stage of meaningful use that would be in effect starting in 2014.

'The proposed rules for stage 2 for meaningful use and updated certification criteria largely reflect the recommendations from the Health IT Policy and Standards Committees, the federal advisory committees that operate through a transparent process with broad public input from all key stakeholders. Their recommendations emphasized the desire to increase health information exchange, increase patient and family engagement, and better align reporting requirements with other HHS programs,' said Farzad Mostashari, MD, ScM, National Coordinator for Health Information Technology. 'The proposed rules announced today will continue down the path stage 1 established by focusing on value-added ways in which EHR systems can help providers deliver care which is more coordinated, safer, patient-centered, and efficient.'

The number of hospitals using EHRs has more than doubled in the last two years from 16 to 35 percent between 2009 and 2011. Eighty-five percent of hospitals now report that by 2015 they intend to take advantage of the incentive payments.

A technical fact sheet on CMS’s proposed rule is available at

A technical fact sheet on ONC’s standards and certification criteria proposed rule is available at

The proposed rules announced today may be viewed at Comments are due 60 days after publication in the Federal Register.

"Secretary Sebelius announces next stage for providers adopting electronic health records," HHS Press Release (February 24, 2012).

Data mining by hospitals may be profitable, but not risk-free

The USA Today published a story yesterday about a few hospitals using aggregated consumer data for marketing of such hospitals' most lucrative services. The article describes several instances where such direct marketing efforts yielded significant profits for the hospitals.

We see healthcare providers using aggregated and de-identified data on a regular basis, both for marketing and research purposes. We also see third party vendors (including EHR vendors) adding data mining provisions in their license agreements, which allow such vendors to use the healthcare provider's de-identified patient data for such vendor's internal and commercial purposes.

While these practices are widespread and are becoming standard, they are certainly not risk-free.  Healthcare providers should keep in mind that the updated HIPAA Privacy Rule (as modified by the HITECH Act) includes significant new restrictions on covered entities' marketing efforts. Providers should make sure that their marketing efforts, as well as the marketing activities of their subcontractors and business associates, fully comply with these recent regulations. This may require revisions in existing contracts, including Business Associate Agreements, between providers and IT vendors.

Healthcare providers should also insist on full indemnification by the IT vendors against all claims and damages arising out of such vendor's use of the provider's de-identified patient data. Studies have shown that de-identified data can be aggregated or de-identified inappropriately; and it can also be re-identified. Providers should protect themselves contractually prior to allowing the vendor to access and use the hospital's data (including patient data).

The above is certainly not an exhaustive list of all potential issues associated with data mining by healthcare providers and their business partners. But the USA Today article should serve as a good reminder that healthcare providers engaging in such data mining and marketing activities must protect their organizations from liability for damages relating to such data use.

"Hospitals mine patient records in search of customers," USA Today (February 5, 2012).

HHS extends Stage 2 Meaningful Use deadline to 2014

HHS announced today that the government intends to make it easier for healthcare providers to adopt electronic health records (EHRs).  As part of this initiative, HHS decided to extend the deadline for meeting Stage 2 of Meaningful Use until 2014. Via HHS press release:

Under the current requirements, eligible doctors and hospitals that begin participating in the Medicare EHR (electronic health record) Incentive Programs this year would have to meet new standards for the program in 2013. If they did not participate in the program until 2012, they could wait to meet these new standards until 2014 and still be eligible for the same incentive payment. To encourage faster adoption, the Secretary announced that HHS intends to allow doctors and hospitals to adopt health IT this year, without meeting the new standards until 2014.

HHS also trumpeted the results of a CDC survey which found that more than half of U.S. physicians plan to take advantage of the EHR incentive program, and that the rate of EHR adoption doubled between 2008 and 2011, from 17% to 34% among physicians.

Of course, HHS did not comment on how low those numbers are. The fact remains that about two-thirds of U.S. physicians have not adopted electronic health records, and continue to use, in the Secretary's words, the same technology as Hippocrates. The Obama administration is relying heavily on Regional Extension Centers and training efforts in order to aid healthcare enterprises in adopting EHRs.

We will update this post with links to any relevant regulations if and/or when HHS publishes them in the Federal Register.

"We Can't Wait: Obama Administration takes new steps to encourage doctors and hospitals to use health information technology to lower costs, improve quality, create jobs," HHS press release (November 30, 2011).


Study: Most data breaches are caused by insiders

A survey by Veriphyr, a provider of identity and access intelligence solutions, found that insiders were responsible for over 60% of data breaches of protected health information (PHI). Specifically, 35% of the PHI breaches were due to insiders' snooping into medical records of fellow employees, and 27% due to improper access to records of their friends and relatives.

Over 70% of surveyed entities, which included hospitals and other healthcare providers, reported suffering one or more breaches within the last 12 months. Veriphyr's CEO estimated that data breaches cost healthcare organizations almost $6 billion annually, but found that an overwhelming majority of privacy and compliance officers within the surveyed group (79%) felt that they lacked "adequate controls to detect PHI breaches in a timely fashion."

It is worth noting that 45% of breaches in the survey were caused by loss or theft of medical records and/or equipment holding such records. We have recently seen HHS impose a $1 million fine on Massachusetts General Hospital in a case where, it seems, records were lost by an employee due to a simple mistake and with no malice. UCLA Health System also paid a high price for its employees' snooping into medical records of celebrities.

While it is difficult to anticipate or avoid all possible human error, certain best practices - including Board and executive-level support for privacy initiatives, staff training, and updated privacy and security policies and procedures - will go a long way toward helping your organization protect itself from a disastrous and costly data breach.

"Insiders responsible for majority of privacy breaches, survey finds," Healthcare IT News (August 30, 2011).


HHS advisory panel recommends delaying Stage 2 Meaningful Use until 2014

The HIT Policy Committee, which advises the Office of the National Coordinator for Health IT in the Department of Health and Human Services, voted 12-5 to approve a significant delay in requiring providers to meet Stage 2 Meaningful Use until 2014.  If finalized by CMS, such delay would be a welcome relief to those providers who qualified for Stage 1 Meaningful Use in 2011 (and therefore would have only a few months to commence Stage 2 Meaningful Use under the current rule).

Via Government Health IT:

The delay is among the stage 2 recommendations that the Health IT Policy Committee approved at its meeting June 8 by an overwhelming vote of 12 to 5.

The original 2013 timeframe does not give vendors enough time to design, develop, and test new functionality and providers to deploy it and report measures for one year, said Dr. Paul Tang, vice chair of the Health IT Policy Committee and chair of its meaningful use work group.

“The only group that would be affected is the early entrants who qualify for stage 1 in 2011 who get put into a bit of predicament in an unintended way,” he said. Tang is also chief medical information officer at the Palo Alto Medical Foundation.

As a result, stage 1 demonstration and attestation would continue through 2013; stage 2 would start in 2014 and stage 3 in 2015. With the revised timing, providers will still receive the same payments as originally planned. Instead of 2013, however, early entrants will have to wait to attest and receive payments for stage 2 in 2014.

You can find and download the Meaningful Use workgroup's recommendations by clicking here.

Updates to privacy and security regulations expected soon

According to, the Office for Civil Rights (OCR) is still working on the final rule regarding the updates to HIPAA and the related HIPAA Privacy and Security Rules mandated by the HITECH Act. Susan McAndrew, deputy director for health information privacy at OCR, stated at a conference in Washington, DC, that such changes will be contained in one omnibus regulation, which is expected to be published in a matter of months, if not weeks.

Such omnibus regulation will cover:

  • HITECH Act-mandated modifications to the HIPAA privacy, security and enforcement rules. These changes, for example, formalize higher penalties for HIPAA violations and make it clear that business associates must comply with HIPAA. Last December, HHS had indicated in its semi-annual regulatory agenda that the final HIPAA modifications, many of which were issued in preliminary form last year, would be completed by March.
  • The breach notification rule. An interim final version is already in effect. OCR yanked a proposed final version of the rule last year for further consideration. Some observers speculated that the office may be reconsidering the controversial "harm standard" in the interim final version of the rule, which enables organizations to conduct a risk assessment to determine whether a security incident represents a significant risk of harm and thus merits reporting.
  • Privacy provisions under the Genetic Information Nondiscrimination Act. These provisions will formalize that using genetic information for insurance underwriting purposes is a privacy violation as well as a non-discrimination violation, McAndrew said.


Ms. McAndrew also indicated that a notice of proposed rulemaking revealing a proposal for accounting for disclosures of information in electronic health records "probably" would be issued before the omnibus set of final regulations. Once that notice is issued, OCR will accept comments before issuing a proposed rule.

"HITECH Mandated Regs Still in Works," (May 11, 2011).


HealthNet breach affects 1.9 million individuals

HealthNet, a California-based insurer, suffered another major data breach last month. Modern Healthcare reports that HealthNet lost data of almost two million employees, members and healthcare providers, including their medical information, Social Security numbers and other sensitive information. The loss was reportedly caused by a missing server drive from HealthNet's Rancho Cordova, CA data center.  According to the insurance company's press release, HealthNet's IT vendor, IBM, notified HealthNet that it could not locate the drives.

As we noted previously, HealthNet suffered another major data breach in 2009, when the company lost a portable hard drive containing sensitive and protected information on 1.5 million people. As a result of that breach, HealthNet was sued by then-Connecticut Attorney General Richard Blumenthal, in the first such action under HIPAA, as modified by the HITECH Act. HealthNet and Connecticut settled this suit in 2010 for a $250,000 fine, a $500,000 contingency fund and a corrective action plan aimed at enhancing the security of the data in HealthNet's possession.

In light of HHS stepping up enforcement of HIPAA and HIPAA Privacy and Security Rules, HealthNet will become a likely target of both federal and state investigations; and if such investigations reveal negligence or failure to implement or comply with their own corrective action plan referenced above, the fines could be much more severe than the $250,000 number from the Connecticut settlement in 2010.

This should also serve as a reminder about the importance of requiring IT vendors to indemnify healthcare providers against such losses. If HealthNet's investigation concludes that IBM and/or its personnel were responsible for this loss, the parties will likely look to their existing contracts and BAA to determine whether IBM will reimburse HealthNet for its costs in relation to this breach.

Via Modern Healthcare:

Woodland Hills, Calif.-based health insurer Health Net announced Monday that it had lost servers containing personal health information and demographic data for nearly 2 million current and past patients.

The breach, which affects approximately 1.9 million people nationwide, occurred in February. Health Net said it cannot account for server drives missing from a data center in Rancho Cordova, Calif. Those drives contain patients' names, Social Security numbers and sensitive health information. It's not the first time Health Net enrollees have experienced a breach. In 2009, 1.5 million people were affected when a portable hard drive containing patient data went missing.

According to the California Department of Managed Health Care, the breach will affect as many as 845,000 of the state's residents. In a news release, Connecticut Attorney General George Jepsen urged the insurer to provide adequate identity protections for the 25,000 state residents whose data has been compromised.

"Health insurance companies have access to very sensitive and personal information," Jepsen said in the release. “They have a duty to protect that information from unlawful disclosure.”

[In a press release,] Health Net said it would offer two years of credit monitoring and identity protection to affected customers. The insurer also has set up a hotline.


New York City hospitals suffer enormous data breach

New York City's Health and Hospital Corporation notified its patients last week of a loss of electronic files containing personal data, including PHI of some 1.7 million people. Electronic files were stolen while the information management company's van was left unlocked and unattended.

This case should serve as a great reminder to:

  • check your existing contracts - including Business Associate Agreements - with HIT and health information management vendors, to see if such agreements contain appropriate clauses indemnifying the provider against costs, losses, fines and other expenses incurred as a result of the vendor's loss or improper disclosure of protected personal data, including PHI;
  • make sure that same contracts do not impose a cap on vendor's liability in the event of such breach;
  • confirm that you have a proper breach response plan in place (which should include, e.g., where applicable, procedures for notifying patients in foreign languages); if not, bring together management, legal, IT and privacy and security officers to develop such a plan as soon as possible; and
  • review your policies and procedures with respect to compliance with the HIPAA Privacy and Security Rules, especially as modified by the HITECH Act.


Via the New York Times:

On Wednesday, the agency started mailing notification letters to the victims, in 17 languages, announcing an information hot line and customer care centers at both hospitals, and offering free credit monitoring and fraud resolution services for one year. Those interested in the offer have 120 days to register. The notification text is also available online.

The hospitals corporation said it had taken “decisive steps to protect the individuals who are potentially affected,” even though there is no evidence the information, contained on computer backup tapes that were being delivered to “a secure storage location,” has been accessed or misused. It also said that the data is stored in a program “that would make it difficult for someone without technical knowledge to access the private information.”

The hospitals corporation has filed suit to hold the vendor, GRM Information Management Services, responsible for covering all damages related to the loss of the data. 

For more information, please listen to or view the slides from our Webinar on negotiating "must-have" provisions in HIT contracts.

GOP bill proposes repeal of HITECH Act

Via Healthcare IT News:

The Spending Reduction Act of 2011 (H.R. 408), introduced on January 24 by Rep. Jim Jordan (R-Ohio), seeks to reduce federal spending by $2.5 trillion over the coming decade. As it does so, it singles out many federal programs for elimination.

Section 302 of the bill, titled "REPEAL OF CERTAIN STIMULUS PROVISIONS," states that "effective on the date of the enactment of this Act, subtitles B and C of title II and titles III through VII of division B of the American Recovery and Reinvestment Act of 2009 (Public Law 111-5) are repealed, and the provisions of law amended or repealed by such provisions of division B are restored or revived as if such provisions of division B had not been enacted."

Since the Medicare and Medicaid EHR Incentive Programs set up under the ARRA/HITECH Act of 2009 fall under division B, it would appear that the $27 billion earmarked for disbursement to healthcare providers to spurring EHR adoption would fall on the chopping block were the bill to ever pass.

For good measure, Jordan's Republican Study Committee also decrees that the enacted legislation would "further prohibit any FY 2011 funding from being used to carry out any provision of the Democrat government takeover of health care, or to defend the health care law against any lawsuit challenging any provision of the act."


Of course, the measure has little chance of succeeding, considering it would have to pass the House of Representatives, the Senate, and avoid an almost-certain veto from President Obama. Still, the GOP-backed proposal does add a bit of uncertainty in the market.

Dave Roberts, vice president of government relations for HIMSS, is less worried about the bill being signed into law than he is about the climate it creates.

The draft has already been referred to 14 different committees in the House, he says, so it's going to be a while before it sees any floor action.

The problem is that it's already "creating confusion in the industry," says Roberts. "We've heard from some CIOs, asking us, 'What is this? We hear the House is going to rescind our money.' It adds to the confusion in the whole marketplace. And providers and hospitals who want to purchase this [technology] are wondering, 'Do I really want to start down this path?'"

"We're trying to tell people," he says, "that this process is going on. This is only one body [of Congress]. Don't let this be a concern."

But, Roberts cautions: "We're leading up to the 2012 elections. The Senate's majority is very reduced right now. And if this is a new way of thinking, that could be concerning. So I think that while this particular bill may not pass, it's something that has to be watched closely."

HIMSS has issued a Legislative Action Alert on January 25, 2011. As a strong proponent of the EHR incentives program included in the HITECH Act, there is little doubt that HIMSS will be quite engaged in defending this portion of the stimulus bill.

"GOP-sponsored bill threatens MU funding," Healthcare IT News (January 28, 2011).
Study: Data Breaches Cost U.S. Hospitals Billions

A new study by the Ponemon Institute concluded that data breaches cause enormous losses for U.S. hospitals: on average, over a two-year period, each hospital incurs about $2 million in losses from data breaches, for a cumulative loss of $12 billion across all U.S. hospitals.

The study also found that:

  • Most healthcare organizations experience undetected breaches of patient data due to lack of preparation and staffing. 71% of healthcare organizations reported having inadequate resources, 52% reported having appropriately trained personnel, and 69% reported having insufficient policies and procedures in place to prevent and quickly detect patient data loss. These gaps leave such organizations with little or no confidence in their ability to appropriately secure patient records.
  • Protecting patient data is not a priority for 70% of hospitals, with 67% reporting fewer than 2 staffers dedicated to privacy and security issues.
  • 71% do not believe the new federal regulations pursuant to the HITECH Act have significantly changed the management practices for patient records.

According to the Wall Street Journal's Health Blog:

  • A full 60% of the organizations included in the study had more than two data breaches over the previous two years, at a cost of $2 million per organization.
  • The average breach involved 1,769 lost or stolen records.
  • Senior personnel at the organizations surveyed felt unprepared to prevent or quickly detect breaches. Some 58% of the organizations “have little or no confidence” in the ability of their organization to detect all patient data loss or theft.
  • 41% of the organizations report that patients were the first to detect a data breach.
  • Most of the respondents have either put in place an electronic medical records system or are in the process of doing so. And 74% of those with an EHR system say it has made data more secure. Another 12% said the system made no difference in security, 10% say it made data less secure, and 4% were unsure.

You can read the full study by registering here.

"Study: Data Breaches Cost Hospitals $6 Billion Per Year," WSJ Health Blog (November 9, 2010).
Our column in Government Health IT on RECs and HIT contracts

Government Health IT published a column by Steve Fox and yours truly on the critical role Regional Extension Centers (RECs) can and should play in distributing best practices regarding contracting for health IT systems, including EHRs. Via Government Health IT:

RECs have the potential to serve as a valuable resource, especially for remote and underserved paper-based primary practices. However, RECs could be doing a disservice to physicians by failing to advise or provide them with essential EMR contract negotiation skills.

With HITECH Act incentives expiring in just a few years, healthcare providers will likely get only one chance to qualify for the full amount of the incentive payments. Thus, successful implementation and operation of an EMR system by the selected health IT vendor becomes critical to each healthcare organization trying to achieve “meaningful use” and take advantage of the incentive program.

In this environment, strong and effective contracts between healthcare providers and health IT vendors are especially significant, because such agreements can provide adequate protections, safeguards and other rights for the provider-customer in the event a vendor defaults or otherwise fails to perform to the provider’s satisfaction.

You can read the full column by clicking here.
Steve Fox interviewed by InformationWeek about EHR contracts

Our own Steve Fox was interviewed by InformationWeek regarding the essential protections healthcare providers should include in their EHR contracts with health IT vendors. In particular, Steve warned providers against simply accepting vendor agreements without carefully reviewing and negotiating the key provisions therein. Via InformationWeek:

"Many health IT vendors offer online contracts that prompt the physician to click the 'agree' button. Unfortunately some of these agreements have no warranties and in fact disclaim many standard warranties, so the vendors are selling their products 'as is,' which means if something goes wrong they are not responsible," Fox told InformationWeek after his presentation. "Some contracts even go further and say if a third party, for example the patient, would sue as a result of a problem with the EHR, the physician has to indemnify and defend the vendor even if it was the vendor that caused the problem."

You can read more after the jump, or by clicking here.
Steve also opined on the reluctance of vendors to promise meeting future regulatory requirements, including the upcoming standards for Stages 2 and 3 of meaningful use:

"We do know there will be new meaningful use requirements for Stage 2 and 3, and it's a moving target. Many vendors are unwilling to agree to future, unknown regulations, saying 'We don't know what we don't know,' but vendors need to remember that providers are paying them a lot of money for support and maintenance to meet those requirements. This is a big area of tension between providers and vendors right now," Fox said.

Finally, Steve offered a few suggestions on some of the critical provisions relating to data access and ownership, as well as safeguarding the privacy and security of protected data:

For those providers adopting software-as-a-service models to outsource their EHRs, Fox recommends that providers restrict vendors from holding data "hostage" and ensure unfettered access to customer data, including protected health information (PHI), on vendors' systems.

He also said providers should insist that vendors routinely back up data, mandate the return of customer data upon termination of the contract, and ensure the security of, and access to, such data if the vendor goes out of business.

With regard to security, Fox said providers need to stress confidentiality of PHI and make clear who owns the data and establish guidelines for the use of data by a vendor. Healthcare providers should also negotiate agreements that include intellectual property issues, obligations of nondisclosure, remedies for breach of patient information, and indemnification obligations.

"Health IT Contracts Offer Little Protection For Buyers," InformationWeek (August 24, 2010).
CMS launches web site for incentive payment programs

CMS launched a very useful Web site providing an overview of the Medicaid and Medicare incentive payment programs established by the HITECH Act. The site provides up-to-date, detailed information and many important links and "fact sheets" about the incentive programs, including overviews of CMS's final rule on meaningful use, the scope of the incentives program, and a Frequently Asked Questions section.

It is definitely worth saving or bookmarking this site, so that you can check back in easily for regular updates.

Final breach notification rules delayed

On August 19, 2009, pursuant to the HITECH Act, the Department of Health and Human Services (HHS) published the interim final regulations regarding breach notification requirements for health care providers and other entities covered by HIPAA. The rule became effective on September 23, 2009.

During the 60-day public comment period, HHS received 120 comments, after which HHS developed a final rule and submitted it to the Office of Management and Budget for regulatory review on May 14, 2010. However, on July 27, 2010, HHS issued a statement that it was withdrawing the final rule from OMB:

HHS is withdrawing the breach notification final rule from OMB review to allow for further consideration, given the Department’s experience to date in administering the regulations. This is a complex issue and the Administration is committed to ensuring that individuals’ health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur. We intend to publish a final rule in the Federal Register in the coming months.

HHS's withdrawal remains a bit of a mystery. However, Post & Schell's Ed Shay has a couple of thoughts, which you can read after the jump.

Ed Shay believes one of the reasons could be the controversy regarding the "harm threshold" element of the rule, which we discussed earlier this year. This "harm threshold" essentially requires the organization that discovers a breach to perform a risk assessment to determine whether the breach would cause "significant harm" to the affected person. According to Ed:

Apart from the politics of the IFR, there is the underlying reality of asking the industry to reach reasonably consistent determinations on risk of harm. I am sure many on this list have now been through the exercise of evaluating risk of harm, an exercise which leaves room for a wide range of judgment in my opinion. Some covered entities will over-report, others will under-report [especially when reporting a 500+ breach may invite a large penalty for the underlying unauthorized use or disclosure]. I think that the guidance on what goes into the risk of harm analysis is quite limited, even when one pursues the reference to the OMB circular, or state law which varies greatly on what constitutes reputational harm. Based upon almost one year of reported HIPAA breaches that have very likely been compared by OCR to breaches reported under state laws in states with no risk of harm proviso, OCR may be finding that a lot that OCR expected to be reported is not being reported--with the inference being that risk of harm has proven too judgment dependent in its implementation.

If risk of harm is not the issue, then I would offer that finalizing subcontractor BAs would have to precede finalizing breach notification. If subcontractor BAs survive the proposed rule, then reporting upstream has to be addressed in final breach notification rules.

You can find HHS's brief press release on the subject by clicking here.

CMS issues final rules on Meaningful Use

On July 13, 2010, CMS issued the final rule defining "meaningful use" and establishing the parameters and requirements for eligible professionals, hospitals and other providers to receive incentive payments provided under the HITECH Act for widespread adoption of electronic health records. According to CMS, the key changes included in the final rule (from the meaningful use NPRM published in the Federal Register on January 13, 2010) include:

  • Greater flexibility with respect to eligible professionals and hospitals in meeting and reporting certain objectives for demonstrating meaningful use. The final rule divides the objectives into a “core” group of required objectives and a “menu set” of procedures from which providers may choose any five to defer in 2011-2012. This gives providers latitude to pick their own path toward full EHR implementation and meaningful use.
  • An objective of providing condition-specific patient education resources for both EPs and eligible hospitals and the objective of recording advance directives for eligible hospitals, in line with recommendations from the Health Information Technology Policy Committee.
  • A definition of a hospital-based EP as one who performs substantially all of his or her services in an inpatient hospital setting or emergency room only, which conforms to the Continuing Extension Act of 2010.
  • Inclusion of CAHs within the definition of acute care hospital for the purpose of incentive program eligibility under Medicaid.

You can view the PDF of the final rule on Meaningful Use by clicking here.

You can learn more about it from the HHS press release by clicking here. Also, the New England Journal of Medicine published an excellent summary by Dr. Blumenthal of the changes included in the final rule; you can find this article by clicking here.

At the same time, ONC issued another final rule, finalizing the "standards and certification criteria for the certification of EHR technology, so eligible professionals and hospitals may be assured that the systems they adopt are capable of performing the required functions." You can find a copy of this final rule by clicking here.

Stay tuned for much more analysis of the final rules published today, as well as the changes to HIPAA Privacy and Security Rules issued by OCR last week.

HHS issues NPRM on HIPAA Privacy, Security and Enforcement Rules

On July 7, 2010, HHS issued a notice of proposed rulemaking (NPRM) regarding the changes to the HIPAA Privacy, Security and Enforcement Rules, as provided in the HITECH Act, in order "to strengthen the privacy and security protections for health information and to improve the workability and effectiveness of the HIPAA Rules." Via HHS Press Release:

The proposed modifications to the HIPAA Rules include provisions extending the applicability of certain of the Privacy and Security Rules’ requirements to the business associates of covered entities, establishing new limitations on the use and disclosure of protected health information for marketing and fundraising purposes, prohibiting the sale of protected health information, and expanding individuals’ rights to access their information and to obtain restrictions on certain disclosures of protected health information to health plans. In addition, the proposed rule adopts provisions designed to strengthen and expand HIPAA’s enforcement provisions.

You can view the NPRM by clicking here.

"Notice of Proposed Rulemaking to Implement HITECH Act Modifications," HHS Press Release (July 7, 2010).

Major breach at a New York hospital affects over 130,000 patients

Lincoln Medical and Mental Health Center (LMMHC) in New York suffered a major breach affecting 130,495 of its patients, according to a notice provided to HHS. The breach occurred when the hospital's contractor, Siemens Medical Solutions USA, shipped seven password-protected, but not encrypted, CDs containing patient information via FedEx; these CDs were subsequently lost in transit. Via Bloomberg Business Week:

The CDs were sent by the hospital's billing processor, Siemens Medical Solutions USA, around March 16, but never arrived at their intended destination. They included sensitive health and personal information including Social Security numbers, addresses, dates of birth, health plan numbers, driver's license numbers and even descriptions of medical procedures, the hospital said on a note posted to its Web site.

<...> Siemens is no longer FedExing CDs to Lincoln, the hospital said. It is not aware of any of the data being improperly accessed.

LMMHC's breach should serve as a reminder for all healthcare providers currently negotiating health IT contracts to include proper protections in the event their vendor causes a breach or loss of protected data. This is particularly crucial in the post-HITECH Act era.

We always include specific warranties of compliance with privacy laws, indemnification clauses, and limitation-of-liability carve-outs for the vendor's own negligent acts or omissions that result in a data breach or loss. LMMHC's example clearly illustrates that providers must insist on such protections -- often over strenuous objections from vendors -- because otherwise providers may be exposed to a wide range of expenses and damages from third-party claims, fines, investigations and breach notification associated with a data breach or loss resulting from the vendor's actions.

For more information, please listen to or view the slides from our Webinar on negotiating "must-have" provisions in HIT contracts.

"New York hospital loses data on 130,000 via FedEx," Bloomberg Business Week (June 29, 2010).

CMS plans to integrate quality reporting programs under Medicare and HITECH Act

As required by the Patient Protection and Affordable Care Act (PPACA), the Centers for Medicare & Medicaid Services (CMS) announced this week that it plans to integrate the quality reporting requirements for physicians' Medicare payments with the reporting requirements for healthcare providers who achieve meaningful use under the HITECH Act. Via Healthcare IT News:

Under the Physician Quality Reporting Initiative (PQRI), physicians who participate in Medicare can receive incentives for reporting various quality measures, a select number of which are aimed at those who want to report using EHRs.

Providers who become meaningful users of EHRs, as laid down by the American Recovery and Reinvestment Act (ARRA), will also be eligible for incentive payments. A final rule on that is expected soon.

CMS has requested public comment on how it should integrate the two programs, included within a proposed rule about changes in Medicare physician payments for 2011. CMS expects to publish the proposed rule July 13.

"In an effort to align PQRI with the EHR incentive program, we propose to include many ARRA core clinical quality measures in the PQRI program, to demonstrate meaningful use of EHR and quality of care furnished to individuals," the proposed rule says.

Meaningful use measures that physicians could use for PQRI reporting through electronic health records include such things as blood pressure measurement for hypertension, body mass index screening and prevention care follow up, and drugs to be avoided in the elderly, according to CMS.

You can find a copy of the proposed rule here.

"CMS to align two quality reporting programs," Healthcare IT News (June 29, 2010).

Updated: breaches and fines on the rise

The number of reported health information breaches is growing rapidly: 32 breaches were reported on the OCR web site from September 2009 to February 2010, but the number almost tripled, to 93 breaches, by June 11, 2010. Such significant increases in reported breaches may be attributed to the notification and reporting requirements in the HITECH Act, which went into effect this year. We cannot possibly report or list all of the relevant breaches, but we would like to highlight a few important ones:

  • On May 28, 2010, it was reported that “Cincinnati Children's Hospital Medical Center is beefing up its computer security after a laptop computer containing more than 61,000 patient records was stolen.” Information lost included not only PHI, but also Social Security numbers and even credit card data. The records on the laptop were password protected, but they were not encrypted. The hospital reported the breach, hired a consulting company to deal with it, and offered affected individuals ID theft protection at no charge. The cost of this breach has already been extremely high, but it could be even higher if credit card companies go after Children's Hospital for losses associated with the loss of improperly stored credit card information.
  • Five hospitals in California were fined a combined total of $675,000 by the California Department of Public Health for patient privacy violations: failing to prevent unauthorized access to the confidential medical information of 245 patients, whose records were improperly accessed by a total of 32 employees. On June 10, 2010, the Press-Enterprise reported that the Community Hospital of San Bernardino was fined by the state of California a total of $325,000 for breaches of more than 200 patient records by two employees in 2009. The violations were significant, but, considering the fine, far from gruesome.

Please click here to read more.

In the first instance,

an unidentified radiology technician accessed 204 records for 177 patients between Jan. 10, 2009, and Feb. 22, 2009, without having a clinical reason to do so. The investigation report doesn't indicate whether the employee used the information she got or contacted the patients.

In a second investigation, inspectors found that a medical imaging department employee allowed a friend who was visiting her into a restricted access room where the employee worked. The visitor could overhear patients discuss their personal information with the employee, a report states.

This should serve as an important reminder about the far-reaching nature of medical information privacy laws -- both federal and state. California has a particularly strict medical privacy law, enacted in 2008. A breach does not mean just a lost laptop, hacking or intentional access of a celebrity's records, as we saw last year in California. It could be any of a wide range of activities, and hospitals and other providers should pay close attention to the fast-changing regulatory environment, create or modify their policies and procedures accordingly and, perhaps even more crucially, train their staff to comply with such necessary policies and procedures.

"Missing records on stolen laptop from Cincinnati Children's Hospital," (May 28, 2010).

"SB hospital fined $325,000 for breach of patient records," Press-Enterprise (June 10, 2010).

"Large Patient Information Breaches List Nears Century Mark," Health Leaders Media (June 16, 2010).

ONC approves Maryland's HIT plan

On June 7, 2010, Maryland's Lt. Governor Anthony Brown announced that the Office of the National Coordinator for Health IT approved Maryland's State Health IT plan, allowing the state to move forward to implement a functional health information exchange (HIE). According to the Washington Business Journal, ONC will release $25 million in ARRA funds to Maryland, to be used in connection with the state's HIE:

Proponents of the exchange say it will cut costs and improve health care quality by streamlining the transfer of electronic health data between hospitals, physicians and patients.

The Chesapeake Regional Information System for our Patients, the nonprofit tasked with implementing the exchange, has already begun work with $10 million in state money. The federal approval leaves the plan's funding "fully unrestricted," said CRISP Program Director Scott Afzal, allowing them to broaden the goals of the exchange and engage more hospitals. Much of their work lies in finding health care providers to sign on to the exchange when there is no state or federal legal requirement to do so, according to Afzal.

'We have to show a value proposition to connect,' he said.

The project is estimated to cost roughly $20 million, although it will be scoped to available funding.

On April 29, 2010, CRISP selected Axolotl Corp. as the vendor for its core HIE platform. CRISP aims to connect 47 acute care hospitals, 7,900 physicians and ancillary provider sites after completion.

"Lt. Governor Brown Speaks at Health Information Technology Forum, Touts Federal Recognition of Maryland's Health IT Plan," Press Release from Lt. Governor Brown (June 7, 2010).

"Maryland HIE Picks Platform Vendor," Health Data Management (April 29, 2010).

Allscripts and Eclipsys announce $1.3B merger

Allscripts and Eclipsys announced a $1.3 billion merger, which some analysts tout as a match "made in heaven" due to Allscripts's strength in the ambulatory space and Eclipsys's strength on the acute side. The merger is expected to be completed in four to six months; the combined company will have around 5,500 employees. The merger will also pose some challenges for the combined entity, with some customers worrying that the merger will distract management from dealing with existing issues. However, analysts believe that Allscripts's smooth merger with Misys in 2008 is a good sign that this merger with Eclipsys will succeed.

Both companies are looking to capitalize on the projected exponential growth in adoption of health IT, in part due to the incentives created by ARRA. According to the Congressional Budget Office, adoption of electronic health records by physician practices is expected to increase from 12% in 2011 to 90% by 2019.

This merger is yet another sign of future consolidation in the healthcare industry, both on the vendor side, and on the provider side, as enterprises try to minimize costs and maximize revenue in the ever-changing and often uncertain business environment.

"Allscripts-Eclipsys: 'A match made in heaven' - mostly," Healthcare IT News (June 10, 2010).

Study: 94% of healthcare businesses not in substantial compliance with HITECH and HIPAA

A new survey by the Ponemon Institute, an organization dedicated to advancing responsible information and privacy management practices, found that almost all surveyed organizations did not substantially comply with HIPAA, including as modified by the HITECH Act. The survey was conducted in November 2009, but, according to Ponemon, the results are not expected to have changed much.

Ponemon Institute's survey of 77 healthcare organizations, including 42 covered entities and 35 business associates, found (via BNA):

  • 27 percent of the health care organizations had not started and were “barely aware” of what was required;
  • 32 percent of the organizations were waiting for more details;
  • 14 percent of organizations surveyed had a plan but were waiting for more details on the requirements;
  • 21 percent of the organizations surveyed were just beginning to act on becoming compliant;
  • 79 percent of organizations do not regularly have the required independent assessment or audit of their program to determine adequacy; and
  • 57 percent reported having known deficiencies for privacy or security.

You can find the full survey here.

"Study Finds Majority of Health Care Entities Not Compliant with HIPAA, HITECH Provisions," BNA Health IT Law & Industry Report (May 24, 2010).
OCR adds investigators to boost security rule enforcement

According to Health Data Management, Susan McAndrew, deputy director for privacy at the Department of Health and Human Services’ Office for Civil Rights (OCR), announced at a recent conference that OCR added investigators to 10 regional offices in order to boost enforcement of HIPAA privacy and security rules.

On August 3, 2009, HHS Secretary Kathleen Sebelius transferred the responsibility for HIPAA Security Rule enforcement from CMS to OCR, which is now tasked with enforcement of both the HIPAA Security Rule and the HIPAA Privacy Rule.

While the transition from CMS to OCR "took longer than expected," Ms. McAndrew believes that OCR is finally in a position to increase enforcement efforts in order to realize the privacy and security initiatives enacted last year pursuant to the HITECH Act.

We’re hoping to move security to the forefront and make it a real partner with privacy in our enforcement... [and] that with additional feet on the ground, we’ll be able to do many more security cases as the year moves forward.

"OCR Boosting Security Enforcement," Health Data Management (May 12, 2010).
Definition of "hospital-based eligible professional" amended

Courtesy of the American Health Lawyers Association:

On April 15, 2010, President Barack Obama signed into law the "Continuing Extension Act of 2010" (Public Law 111-157). Section 5 of the Act contains "EHR Clarification" provisions which amend the definition of "hospital based eligible professional" that was created under the American Recovery and Reinvestment Act of 2009 (ARRA). As background, ARRA created incentives for the adoption and meaningful use of certified electronic health record (EHR) technology. However, the ARRA additions to the Social Security Act (42 U.S.C. 1395w-4) contained a limitation providing, in part, that no incentive payments would be made for these hospital-based eligible professionals.

This term was originally defined to include any professional who furnishes substantially all of the relevant services in a hospital "setting (whether inpatient or outpatient)." [1] The new EHR Clarification provisions amend the ARRA definition/exclusion to only apply to a professional who furnishes substantially all of the relevant services in a hospital "in-patient or emergency room setting." [2] The effect of this amended definition is that physicians practicing in an outpatient hospital setting are not excluded from and are now eligible to participate in the ARRA Medicare/Medicaid incentive programs.

Connecticut radiologist breaches privacy of hundreds

It was reported yesterday that a Connecticut radiologist, previously affiliated with the Griffin Hospital in Derby, Conn., "accessed patient radiology reports on the hospital's PACS using the passwords of other radiologists and an employee within the radiology department. The passwords were obtained and/or used without their knowledge." From the report:

From the investigation conducted by Griffin, it appears the radiologist who gained unauthorized access scanned the PACS directory listings of 957 patients who had radiology studies performed at Griffin during the period and selected and downloaded the image files of 339 of these patients.

On and after Feb. 26, Griffin received inquiries on behalf of patients regarding unsolicited contact by the physician who offered to perform professional services at another area hospital despite the patients' interest in having those services provided at Griffin. The inquiries prompted the investigation that revealed unauthorized intrusions into Griffin's PACS and, thereby, the breach of protected patient health information.

This should serve as a reminder for healthcare providers to maintain the safeguards necessary to prevent wrongful access to patient data. For example, and there is no indication that this is what occurred in this case, clinicians and other hospital staff should not keep their system passwords on sticky notes next to or on their monitors. Even if you believe that everyone in your office is fully trustworthy, you never know who can get hold of such restricted information as usernames and passwords. The reputational and financial damage to your organization could be very substantial, and your contract with the PACS vendor is unlikely to indemnify or protect you from such losses.

"Radiologist breaches data, images of nearly 1,000 patients via PACS," (March 31, 2010).

In the news: medical ID theft on the rise; CHIME comments on meaningful use; and more

  • A Javelin Strategy & Research survey found over 275,000 cases of medical identity theft in 2009, with an average price tag greater than $12,000 per incident. This is twice as many cases as in 2008. Keeping health information safe is going to be of paramount importance in the next decade, especially considering the steep rise in use of electronic health records. According to one report (citing a study by IDC, a research firm), "about a quarter of all Americans -- 77 million people -- already have an EHR, up from 14% in 2009." By 2015, experts believe the number will reach up to 60%, partially due to the transformation of the health IT industry by the HITECH Act.
  • In its comments to CMS regarding the meaningful use NPRM, the College of Healthcare Information Management Executives (CHIME) insisted that the present "all or nothing" approach to achieving meaningful use is going to prevent significant numbers of eligible providers from receiving any incentive payments under the HITECH Act. According to American Medical News:

Among CHIME's suggestions: a gradual implementation process that would allow physicians to qualify for incentives by achieving 25% of meaningful use objectives by 2011, 50% by 2013, 75% by 2015, and 100% by 2017.

'Without an approach that rewards progress or provides sufficient time, organizations with limited resources will likely have little chance of qualifying for payments, thus widening the 'digital divide' in the country,' CHIME wrote.

  • The U.S. Senate passed a bill which, if approved by the House and signed by the President, would limit the definition of "hospital-based" eligible professionals to just those practicing in an inpatient or emergency room hospital setting. If passed, this change would make the Medicare and Medicaid EHR incentive payments available to a far wider range of eligible professionals.
  • CCHIT may be getting some competition from the Drummond Group, which announced plans to become an ONC-authorized testing and certification body for EHR technology (ONC-ATCB).

"U.S. Senate backs expanded physician eligibility for MU," (March 11, 2010).

"Drummond Group in EHR testing for the 'long term'," Healthcare IT News (March 12, 2010).

"Patient Billed for Liposuction as Medical Theft Rises," (March 23, 2010).

"As health data goes digital, security risks grow," (March 22, 2010).

"EMR meaningful use rules warrant gradual approach," American Medical News (March 17, 2010).

Slides from webinar on negotiating "must-have" provisions in HIT contracts

Last Thursday, March 18, 2010, from 1:00PM to 2:00PM (EDT), Post & Schell hosted the second webinar in a series examining the effects of meaningful use and other HITECH Act regulations on the healthcare industry. 

The webinar focused on identifying and negotiating the essential elements of HIT agreements, particularly in light of the HITECH Act and related HHS regulations regarding "meaningful use" of "certified EHR technology." Post & Schell's Steve Fox and Vadim Schick, along with Jim Oakes, Principal at Health Care Information Consultants, discussed:

  • Warranty, limitation of liability and privacy and security provisions in HIT contracts
  • Structuring payments to correspond with certain achievement milestones
  • Acceptance testing procedures
  • Provisions specific to vendor-financing transactions
  • ASP / SaaS models of software licensing

If you missed the presentation, you can listen to the podcast here. You can also view the slides from our presentation here.

This webinar was the second in a series devoted to structuring vendor-provider agreements in the post-HITECH Act world. If you missed our first webinar, A Lawyer's Take on "Meaningful Use," you can still view the slides from that presentation.


OCR delays enforcement of certain HITECH provisions

In a much-anticipated move, the Office of Civil Rights (OCR) within the Department of Health and Human Services has issued an update regarding delays of certain HITECH provisions, while confirming enforcement of others.  Via OCR press release:

OCR will implement important privacy and security provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act through notice and comment rulemaking, as required by the Administrative Procedure Act. These provisions include: business associate liability; new limitations on the sale of protected health information, marketing, and fundraising communications; and stronger individual rights to access electronic medical records and restrict the disclosure of certain information. OCR continues work on a Notice of Proposed Rulemaking (NPRM) regarding these provisions. Although the effective date (February 17, 2010) for many of these HITECH Act provisions has passed, the NPRM and the final rule that follows will provide specific information regarding the expected date of compliance and enforcement of these new requirements.

However, interim final rules implementing HITECH Act provisions in two areas have already been issued and are currently in effect: enforcement and breach notification. New civil money penalty amounts apply to HIPAA Privacy and Security Rule violations occurring after February 17, 2009. Covered entities and business associates must comply now with breach notification obligations for breaches that are discovered on or after September 23, 2009. OCR announced previously that it would use its enforcement discretion not to impose fiscal sanctions with regard to breaches discovered before February 22, 2010. Since that date has passed, OCR will enforce the Breach Notification Interim Final Rule, including with the possible imposition of sanctions, as it does with the HIPAA Privacy and Security Rule requirements.

You can find out more here.

"HITECH Act Rulemaking and Implementation Update," OCR Press Release (March 18, 2010).

Steve Fox Interviewed on Negotiating EHR Agreements

As if foreshadowing our upcoming webinar on negotiating EHR license agreements in the post-HITECH world, For the Record interviewed our own Steve Fox on this very subject in its February 15, 2010 cover story:

Steve Fox, senior partner and chair of the IT group at the law firm Post & Schell, says such strategies will be critical to an implementation’s ultimate success. For instance, he says vendors’ guarantees that their platform will meet meaningful use thresholds should be discounted.

“I’d be surprised if [satisfying] the final regulations will be achieved by a vendor doing anything,” he says. “Ultimately, it will be up to individual physicians’ offices or provider organization to achieve meaningful use, and in order to do it, they will need that vendor’s help. I have to laugh when I see those guarantees, ‘If you buy our product, you’ll achieve meaningful use,’ because nobody can make that claim. On the other hand, the failure of the vendor’s product can cause you to fail to achieve meaningful use. That’s why it is so important that you have tight provisions in the contract saying that whatever you want that vendor’s product to achieve, it will meet those particular objectives.

“Many vendors use the phrase ‘We don’t know what we don’t know’ as a way to say they can’t try to comply with future regulations, but our position is if you are in the HIT arena, you have to agree up front to comply with whatever they are,” he adds.


You can read the full article here.

"IT Vendor Negotiations in the ARRA Era," For the Record (February 15, 2010).

Free Webinar: Negotiating "Must-Have" Provisions in HIT Contracts

On Thursday, March 18, 2010, from 1:00PM to 2:00PM (EDT), Post & Schell will host the next webinar in a series examining the effects of meaningful use and other HITECH Act regulations on the healthcare industry. 

This webinar will focus on identifying and negotiating the essential elements of HIT agreements, particularly in light of the HITECH Act and related HHS regulations regarding "meaningful use" of "certified EHR technology." Post & Schell's Steve Fox and Vadim Schick, along with Jim Oakes, Principal at Health Care Information Consultants, will discuss:

  • Warranty, limitation of liability and privacy and security provisions in HIT contracts
  • Structuring payments to correspond with certain achievement milestones
  • Acceptance testing procedures
  • Provisions specific to vendor-financing transactions
  • ASP / SaaS models of software licensing

You may view this presentation at your desk. There is no charge or limit to the number of people who may listen to the presentation on the same line. Click here to register. After registering, you will receive log-in information by e-mail.

This webinar is the second in a series devoted to structuring vendor-provider agreements in the post-HITECH Act world. If you missed our first webinar, A Lawyer's Take on "Meaningful Use," you can still view the slides from that presentation.


HHS begins enforcement of breach notification requirements

As of February 22, 2010, HHS is expected to begin enforcing the new breach notification requirements created by the privacy and security provisions within the HITECH Act.  Although such requirements went into effect last fall, HHS gave covered entities and business associates a few months to adapt to the new rules.  That enforcement delay is now over, and, perhaps in a related move, on February 23, 2010, HHS's Office of Civil Rights, pursuant to the HITECH Act, posted a list of organizations which reported breaches of unsecured protected health information affecting 500 or more individuals on OCR's web site.  This should serve as a good reminder to providers and HIT vendors alike to be keenly aware of the new regulations on breach notification.

The HITECH Act required a covered entity that “accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information” to notify each individual “whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed” due to the breach.  Business associates who discover a breach must notify the covered entity. 

By regulation published in the Federal Register on August 24, 2009, HHS added a rather controversial "harm threshold" to this requirement: covered entities and business associates are required to notify the affected individual, HHS, and, in some cases, the media, if such breach poses a significant risk of harm to the individual.  This "harm threshold" essentially requires the organization which discovers a breach to undergo a risk assessment to determine whether the breach would cause "significant harm" to the affected person.

The HITECH Act defines “breach” as “the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.” The Act includes two important (albeit vague) exceptions to this definition for cases in which: (1) “the unauthorized acquisition, access, or use of PHI is unintentional and made by an employee or individual acting under authority of a covered entity or business associate if such acquisition, access, or use was made in good faith and within the course and scope of the employment or other professional relationship with the covered entity or business associate, and such information is not further acquired, accessed, used, or disclosed”; or (2) “where an inadvertent disclosure occurs by an individual who is authorized to access PHI at a facility operated by a covered entity or business associate to another similarly situated individual at the same facility, as long as the PHI is not further acquired, accessed, used, or disclosed without authorization.”

The HITECH Act imposes a similar notification requirement on a business associate “that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured” PHI. In the event of a breach, the business associate shall provide notice to the covered entity, including “the identification of each individual whose unsecured protected health information has been, or is reasonably believed by the business associate to have been, accessed, acquired, or disclosed during such breach.”

The term “unsecured protected health information” refers to PHI that is not secured through the use of a “technology or methodology” specified by the Secretary in a “Guidance” issued as part of the breach notification regulation in the Federal Register on August 24, 2009 (see link above).  The Guidance, which is to be updated annually, specifies two basic ways of rendering PHI “secure”: encryption and destruction. Electronic PHI must be properly encrypted “by ‘the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key’ and such confidential process or key that might enable decryption has not been breached.” The Guidance provided an exhaustive list of technologies which would encrypt PHI, referencing “approved” processes and methods from the National Institute of Standards and Technology (NIST). PHI on hard copy media (e.g., paper, tapes) is properly destroyed if that media is shredded or destroyed in such a way “that the PHI cannot be read or otherwise cannot be reconstructed;” electronic media containing PHI “must be cleared, purged, or destroyed consistent with NIST [Guidelines] such that the PHI cannot be retrieved.”

Securing PHI in accordance with this Guidance will be the safest way to protect a healthcare organization from a serious breach of patient data privacy. Organizations that suffer a breach involving disclosed, stolen or lost data that was not “secured” may be subject to a wide range of newly established breach notification requirements.  It is important to note, however, that for both covered entities and business associates, the breach shall be deemed to have been discovered on the first day on which it is “known to such entity or associate.” The term “known” means that the circumstances of the breach are known by any “employee, officer, or other agent of such entity or associate,” other than the person who committed the breach. Furthermore, all notifications (by both covered entities and business associates) must be made “without unreasonable delay,” which, in Congressional time, means no later than 60 calendar days after discovery of the breach. The entity making the notification has the burden of demonstrating that all required notifications were made, as well as explaining the necessity of any delay.
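One way to turn the rules set out above into an incident-triage check is shown below. This is an added example in Python, not code from the post, the law firm, or any regulator; the Incident fields, the sample incident facts and the order of checks are assumptions, while the "secured" criteria, the two exceptions, the discovery-date rule and the 60-calendar-day outer limit follow the text as written.

```python
"""Breach-notification triage helper for the HITECH rules quoted above.

Added example (not from the original post, not any regulator's tool).
The Incident fields, the sample incidents and the ordering of checks are
assumptions; the 60-calendar-day outer limit, the discovery-date rule, the
"secured" criteria (encryption with an unbreached key, or destruction) and
the two statutory exceptions follow the text above as written.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

NOTIFY_WITHIN_DAYS = 60  # "without unreasonable delay", at most 60 calendar days


@dataclass
class Incident:
    phi_involved: bool
    encrypted: bool                 # NIST-referenced encryption applied to the data
    key_compromised: bool           # key or passphrase also lost / exposed?
    media_destroyed: bool           # shredded or purged per NIST so PHI cannot be retrieved
    workforce_good_faith: bool      # exception (1): unintentional, good-faith, in-scope access
    between_authorized: bool        # exception (2): inadvertent, authorized person to authorized person
    further_used: bool              # was the PHI further acquired, used or disclosed?
    significant_risk_of_harm: bool  # outcome of the "harm threshold" risk assessment
    # dates on which workforce members other than the perpetrator learned of the incident
    known_dates: List[date] = field(default_factory=list)


def is_secured(inc: Incident) -> bool:
    """PHI counts as secured only if encrypted with an unbreached key, or destroyed."""
    return inc.media_destroyed or (inc.encrypted and not inc.key_compromised)


def exception_applies(inc: Incident) -> bool:
    """Both statutory exceptions fall away once the PHI is further used or disclosed."""
    if inc.further_used:
        return False
    return inc.workforce_good_faith or inc.between_authorized


def discovery_date(inc: Incident) -> Optional[date]:
    """Deemed discovered on the first day any employee, officer or agent knew of it."""
    return min(inc.known_dates) if inc.known_dates else None


def notification_required(inc: Incident) -> bool:
    """True when the facts meet the HITECH definition of a reportable breach."""
    if not inc.phi_involved or is_secured(inc) or exception_applies(inc):
        return False
    return inc.significant_risk_of_harm


def notification_deadline(inc: Incident) -> Optional[date]:
    """Outer limit for notice, counted from the deemed discovery date."""
    found = discovery_date(inc)
    if found is None or not notification_required(inc):
        return None
    return found + timedelta(days=NOTIFY_WITHIN_DAYS)


# Constructed sample incidents (hypothetical facts, not taken from the post).
# An unencrypted backup drive lost in transit: the help desk logged the loss
# on Jan 4, the security team only heard of it on Jan 20. The clock runs from Jan 4.
LOST_DRIVE = Incident(
    phi_involved=True, encrypted=False, key_compromised=False, media_destroyed=False,
    workforce_good_faith=False, between_authorized=False, further_used=False,
    significant_risk_of_harm=True,
    known_dates=[date(2010, 1, 20), date(2010, 1, 4)],
)
# A stolen laptop with full-disk encryption and a passphrase that was not exposed.
ENCRYPTED_LAPTOP = Incident(
    phi_involved=True, encrypted=True, key_compromised=False, media_destroyed=False,
    workforce_good_faith=False, between_authorized=False, further_used=False,
    significant_risk_of_harm=True, known_dates=[date(2010, 2, 1)],
)
# The same laptop, but the passphrase was taped to it: no longer "secured".
LAPTOP_WITH_PASSPHRASE = Incident(
    phi_involved=True, encrypted=True, key_compromised=True, media_destroyed=False,
    workforce_good_faith=False, between_authorized=False, further_used=False,
    significant_risk_of_harm=True, known_dates=[date(2010, 2, 1)],
)

if __name__ == "__main__":
    for name, inc in [("lost drive", LOST_DRIVE), ("encrypted laptop", ENCRYPTED_LAPTOP),
                      ("laptop + passphrase", LAPTOP_WITH_PASSPHRASE)]:
        print(f"{name}: notify={notification_required(inc)} deadline={notification_deadline(inc)}")
```

The third sample is the case practitioners most often get wrong: encryption alone does not make PHI "secured" once the key or passphrase travels with the device.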

There is a lot more information that covered entities and business associates must know about the new rules, including, for example, requirements regarding the content of breach notices.  For more information on these matters, please do not hesitate to contact us.

Free Webinar on Meaningful Use: Slides included below

Here are the slides from our February 25, 2010 Webinar on Meaningful Use.  This webinar was the first in a series, and focused on the critical definition of "meaningful use" of "certified EHR technology," as described in proposed regulations released and published by CMS pursuant to the HITECH Act on January 13, 2009.  Steve and I discussed:

  • Key policy goals and objectives behind meaningful use
  • Measures required to achieve meaningful use
  • Structure of incentive payments under Medicare and Medicaid
  • Eligibility requirements for professionals and hospitals

Our next webinar, to be held on Thursday March 18, 2010, from 1:00 to 2:00 PM, will focus on how to negotiate software and EHR licensing agreements and other transactional issues with respect to dealing with health IT vendors.

For more information, please contact me at or 202-661-6945.

Thursday: Free Webinar on "Meaningful Use"

On Thursday, February 25, 2010 from 1:00PM to 2:00PM (EST), Steve Fox and yours truly will host a free webinar, the first in a series, which will focus on the critical definition of "meaningful use" of "certified EHR technology," as described in proposed regulations released and published by CMS pursuant to the HITECH Act on January 13, 2009.  We will discuss:

  • Key policy goals and objectives behind meaningful use
  • Measures required to achieve meaningful use
  • Structure of incentive payments under Medicare and Medicaid
  • Eligibility requirements for professionals and hospitals

You may view each of these presentations at your desk. There is no charge or limit to the number of people who may listen to each presentation on the same line. Click here to register. After registering, you will receive log-in information by e-mail.

Our next webinar, to be held on Thursday March 18, 2010, from 1:00 to 2:00 PM, will focus on how to negotiate software and EHR licensing agreements and other transactional issues with respect to dealing with health IT vendors.

For more information, please contact me at or 202-661-6945.


Pritts named first ONC Chief Privacy Officer

Joy Pritts, a researcher and faculty member at Georgetown University's Health Policy Institute, was named as the first Chief Privacy Officer for the Office of National Coordinator for Health IT.  This position was created pursuant to a provision in ARRA, last year's economic stimulus legislation.

In her new position, Ms. Pritts will advise Dr. Blumenthal on forming policies on privacy, security and data stewardship of electronic health information, as well as coordinate similar efforts on state, federal and international levels.

Ms. Pritts is a graduate of Oberlin College and Case Western Reserve University School of Law.  She has testified before Congress on data privacy issues, and served as a member of Technical Advisory Panel for the multi-state Health Information Security and Privacy Collaborative (HISPC) and on the board of the National Governors Association’s State Alliance for e-Health.

According to Government Health IT:

Blumenthal said Pritts, who started her job Feb. 16, has extensive experience on all the issues that ONC grapples with. For instance, she was heavily consulted by members of Congress in legislating the HITECH health IT incentive law.

'So she has an understanding of the legislative process and a policy understanding, in addition to having worked for the government previously,' Blumenthal said in answer to a reporter’s question after a meeting of HHS’s Health IT Policy Committee.

'She has a combination of an understanding of government, understanding of the issues, and her legal background is very important – her research and policy qualifications,' he added.

"HHS appoints Joy Pritts chief privacy officer," Government Health IT (February 17, 2010).


Obama administration announces $975M in HIT grants

HHS Secretary Kathleen Sebelius, appearing with Labor Secretary Hilda Solis, announced the Obama administration will release almost $1 billion set aside in the stimulus bill in order to aid implementation of health information technology.

Secretary Sebelius announced $386 million in grants to advance widespread adoption of EHRs at the state level, including for health information exchanges (HIEs).  HHS also awarded $375 million to 32 nonprofits for Regional Extension Centers which assist providers in updating their medical record systems and train workers on such new technologies.

Secretary Solis announced around $225 million to support 55 job-training programs in 30 states, which are expected to train around 15,000 people in health records technology.

The Obama administration expects to help more than 100,000 health-care providers set up electronic medical records for their patients by 2014.

According to the Wall Street Journal's Washington Wire blog:

“Patient privacy is the top priority,” Health and Human Services Secretary Kathleen Sebelius said. The agency is about to appoint a chief privacy officer, and the government has strengthen [sic] the penalties for negligent security breaches for companies so they reach up to $1 million.

"Electronic Medical Records get a boost," Washington Wire (February 12, 2010).

"Obama awards money for electronic medical records," Associated Press (February 13, 2010).

Rising numbers and costs of data breaches

There is little doubt that the healthcare industry must prepare for a growing number of - and expanding costs associated with - data breaches, particularly for breaches of protected health information.  Here are just a few notable reports on this subject:

  • reported on a striking increase in attempts to hack into healthcare organizations, while the rate of hacking in other economic sectors remained flat:  "the last quarter of [2009] saw an average of 13,400 attempts to hack healthcare organizations, compared to an average of 6,500 in the first nine months."  According to researchers at SecureWorks, which produced the graph above, healthcare organizations are particularly vulnerable to such attacks because they "have to provide access to many external networks and web applications so as to stay connected with their patients, employees, insurers and business partners. This increases their risk to cyber attacks."
  • Cnet News reported on similar findings by the Ponemon Institute, whose survey concluded that "Data breaches at U.S. companies attributed to malicious attacks and botnets doubled from 2008 to 2009 and cost substantially more than breaches caused by human negligence or system glitches."  The cost per compromised record involving a criminal act averaged $215, about 40% higher than breaches from negligence and 30% higher than those from glitches, the Ponemon survey found.


There are also a couple of examples of individual healthcare organizations suffering from increasing costs associated with data breaches:

  • According to the Chattanooga Times Free Press (via iHealthBeat), BlueCross BlueShield of Tennessee announced that it has spent more than $7 million to respond to a security breach resulting from 57 hard drives having been stolen from its training facility, which may have compromised personal and health data of up to 500,000 members.  The $7 million tab does not appear to be the end of it:

The insurer has notified 220,000 BlueCross members about the data theft. The company also is offering no-cost credit-monitoring services for affected members. In addition, BlueCross is working to notify attorneys general in 32 states about the breach [pursuant to the HITECH Act].   <...>

BlueCross officials said 20,500 members already have signed up for the no-cost credit-monitoring services. In addition, the company has hired more than 700 contract and BlueCross employees to help determine what data the hard drives contained. The insurer said it might need to spend significantly more money to evaluate the missing data and provide additional identity protection services.

  • Considering the experience of BCBS of Tennessee, the costs associated with HealthNet's infamous data breach must be even higher. On top of providing two years of free credit-monitoring for hundreds of thousands of affected members, HealthNet is being sued by the state of Connecticut for HIPAA violations and noncompliance with HealthNet's own security policies by failing to encrypt the sensitive data.  The missing hard drive contained "27.7 million scanned pages of more than 120 different types of documents, including insurance claim forms, membership forms, appeals and grievances, correspondence and medical records."  Further complicating HealthNet's situation is the fact that the company waited for six months to inform the affected customers of the possible breach.

"Healthcare hacks on the rise," (January 26, 2010).

"Survey: Data breaches from malicious attacks doubled last year," cnet News (January 25, 2010).

"Tab for Response to Data Breach Hits $7 Million for BCBS of Tennessee," IHealthBeat (January 26, 2010).

"AG files suit in health data privacy breach," (January 13, 2010).



Negotiating vendor-financed EMR transactions

Ingenix, the technology unit of United Health Group, and Allscripts-Misys Healthcare Solutions joined Siemens, GE Healthcare and IBM in offering financing for purchasers of electronic medical record technology.   This continues the trend of vendors offering interest-free financing until healthcare providers receive the "meaningful use"  incentive payments or reimbursements under the HITECH Act.

While such offers may provide a solution to some of the credit and financing woes facing the healthcare industry, healthcare providers should be acutely aware of the many potential pitfalls and related issues inherent in vendor-financed deals, including: (1) additional pressure from vendors to accept their standard contractual terms and conditions, rather than engaging in full-blown contract negotiations, because vendors have much more leverage if they are also the creditor in the transaction; (2) failing to obtain necessary warranties and representations from vendors that their systems will comply with all relevant requirements under ARRA and the HITECH Act and will permit the provider to achieve meaningful use; (3) dealing with problems that may arise if the vendor’s product fails to achieve applicable certification (e.g., CCHIT), is not “accepted” by the provider after completion of acceptance testing, or does not enable the provider to achieve “meaningful use” in a timely manner; as well as a host of other issues.

Steve Fox and yours truly explore the issues around vendor financing of EHR system purchases in the latest issue of the Journal of Health Information Management, where we suggest recommended courses of action for healthcare providers considering acquiring HIT systems, including EMRs, by using vendor financing options.  A complimentary PDF copy of the article is available here.

GE and Siemens provide new financing options for Health IT purchases

On the eve of HHS releasing the much-anticipated definition of "meaningful use," health IT divisions of GE and Siemens revealed new financing options for purchases of their EMR and other HIT products.

On December 16, 2009, Siemens followed IBM and GE in offering "a series of flexible financing solutions to help healthcare providers pursue meaningful use objectives and meet [HITECH Act] deadlines <...>  Featuring zero-percent interest terms for qualified customers, the solutions enable organizations to defer up-front payments associated with their technology investment while meeting criteria for future government incentive monies."

According to Fierce Healthcare:

To provide the greatest possible range of choices for customers, Siemens offers solutions from Siemens Financial Services, Inc. as well as from selected partners, including IBM Global Financing and 3-D Financial Services. These options allow customers to choose a customized financing solution that matches their individual technology acquisition roadmaps, business strategies, financial profiles, and technology needs. <...>

By bridging the gap between the project implementation and the receipt of ARRA incentive, Siemens will be providing its customers an option which allows them to optimize their cash flow while maximizing return on investment.

Back in June of 2009, GE announced its $2 billion commitment as part of its Stimulus Simplicity program. According to the Wall Street Journal, GE, through its GE Capital division, “expects to offer $100 million in interim financing to hospitals and health-care providers for projects that are expected to qualify for funds from the U.S. government's economic-stimulus package. GE said the move offers doctors, community health clinics and hospitals a bridge to qualify for stimulus funds and faster access to electronic medical records.” While the “meaningful use” definition and the EHR certification are not yet finalized, GE guarantees that its EHRs will meet the upcoming requirements, regardless of the details of the final rule. Like IBM’s program, GE’s financing is also restricted specifically for GE Centricity, GE’s EHR product.

On December 24, 2009, GE extended the financing terms available for its Centricity EMR software to other health IT products, including Centricity Enterprise and Centricity Business, a financial and administrative tool for providers.  According to Healthcare IT News:

GE executives say they have seen strong interest in the program, with demand exceeding $140 million in sales opportunities.

In the current economic environment, vendor financing may be the best (if not the only) option for healthcare providers seeking to qualify for incentive payments under ARRA.  However, such providers should be aware of the many potential pitfalls and related issues inherent in vendor-financed deals, including: (1) additional pressure from vendors to accept standard contractual terms and conditions; (2) failing to obtain necessary warranties from vendors that their systems will comply with all relevant requirements under ARRA and the HITECH Act and will permit the provider to achieve meaningful use; (3) dealing with problems that may arise if either the vendors’ products fail to achieve certification, or the provider fails to achieve “meaningful use” in a timely manner; as well as a host of other issues.

These issues are the subject of an upcoming article by yours truly in the Journal of Health Information Management.  We will link to the article when it becomes available online.

"Siemens Unveils Flexible Financing Solutions to Help Providers Achieve Meaningful Use," Fierce Healthcare (December 16, 2009).

"GE expands healthcare IT loan program," Healthcare IT News (December 24, 2009).

"GE Unit Offers Interim Loans to Hospitals, Health-Care Providers" The Wall Street Journal (June 16, 2009), B3.

"G.E. Offers Loans for E-Health Record Purchases," New York Times Bits Blog (June 15, 2009).

Timely advice: Begin preparations for "meaningful use" now

Our collaborator and friend James Oakes, a Principal at Health Care Information Consultants, LLC in Baltimore, Md., authored a wise and timely call for action for healthcare providers hoping to capitalize on the incentive payments for meaningful use of certified EHR technology included in the HITECH Act. 

The article, appearing in BNA's Health IT Law & Industry Report, argues that even though the HHS has yet to produce final regulations defining such key HITECH Act terms as "meaningful use" and "certified EHR technology," healthcare providers should not wait any longer to begin planning for the transition from paper to digital records, or the likely required updates to existing EHR systems:

Given the uncertainty surrounding these issues, a number of providers have elected to delay any action towards selecting and implementing an electronic health record (EHR) for their institution until answers are made available, reasoning that they want to know as much as possible before committing to a direction. However, providers who take this path may put themselves at risk for forfeiting eligibility for ARRA funds at all, given the time to execute and implement systems.


Oakes suggests several initial steps to EHR implementation:

  1. Gain a high-level understanding of the basic provisions of ARRA and the HITECH Act.
  2. Develop a realistic plan for your institution based on your assessment of the level of automation that is right for your circumstances, environment, and budget.
  3. Discuss the implementation, transition and any relevant software changes with your current health IT vendor.  Considering the huge increase in demand for HIT services, it is important to secure your vendor's support and involvement early on, so that your organization does not end up at the end of the line.
  4. Know the health IT market, because your organization will benefit from having the most customized solution (as opposed to, e.g., the most expensive or feature-rich), at the right price.

"Get started!" urges Oakes:

Going through all of these steps will not be accomplished overnight. Indeed, past experience suggests that if a hospital has not started these steps already, it will take from 24 months to 48 months for a mid-sized hospital to transition from planning to live operation, including full use of clinical capabilities. Given that ARRA incentives start phasing down in FY 2013 for physicians (2014 for hospitals), it is not beyond the realm of possibility that an institution that waits too long to start could find itself shut out of maximum incentive payments.

You can find the full article, courtesy of BNA's Health IT Law and Industry Report, here.

CBS News reports on EHR efforts

By popular demand, here is the video of David Pogue's report on the Obama Administration's efforts to digitize patient records in the U.S. 


"Charting a New Course," CBS News (September 13, 2009).

New York Times interviews David Blumenthal

David Pogue, a reporter for the New York Times, posted the transcript of his interview with Dr. David Blumenthal, National Coordinator for Health IT. Mr. Pogue interviewed Dr. Blumenthal for a CBS news report on digitization of healthcare in America (the video is available after the jump).

Here are some highlights from the interview:

On current state of health IT in the US:

We found that about 17 percent of physicians in 2008 had adopted an electronic health record, and about ten percent of hospitals. <...> The rest is paper. It's basically the same system that physicians have used since Hippocrates, which is writing on some piece of paper.

On reimbursement penalties for those failing to achieve meaningful use by 2015:

From 2011 to 2015, there is a bonus. The Congress has put $45 billion on the table to ease physicians and hospitals into this new world of computerized medicine. After 2015, if you have not adopted, and you see Medicare or Medicaid patients, you may experience a penalty. 2015 is six years off. Six years is plenty of time for physicians to get themselves organized to put a record in place and avoid those penalties.


On cost of EMRs:

On average, the cost is between $40,000 and $50,000, of which about a third is the software and the hardware, about a third is the cost of getting it set up in the office, and about a third is maintaining it. Much of the expense is related to the cost of implementing and the cost of maintaining it over time.

On privacy and security:

Privacy and security are foundational to a modern health information system. You cannot get the computer into this business without assuring people that their information, their personal information, will be safe.

So we are looking at the best possible technical solutions, technical protections, to privacy and security. We want to make sure that we have looked at every opportunity for encryption, every security device that the best minds can think of, to make information safer. We've got it in other parts of the industry, but we don't have it for healthcare. So I think that's a very important agenda item for us.


There are two kinds of anxieties. One is that their data may be used for purposes that they haven't authorized. So if they haven't authorized their personal data to be used for research, they don't want it for that purpose. And the way the law gets around that problem is by saying that information should be de-identified; that is, it should be abstracted from the record in a way that can never be traced back to that individual.

And then that information can be used for research on drug safety, or research on the value of particular treatments, or anything else that may be useful to human health.

There's another kind of fear, and that is the fear of the breach or break-in, or hacking. And there have been some examples of that.

That's where better encryption and better barriers to hacking are critical. And, you know, we have a new cybersecurity initiative that President Obama has put in process. It's well known that the security of information is a national need for defense purposes. It's also, I think, a very important need for this domestic policy purpose. So we want to work with that security initiative to know that we've taken advantage of everything that the federal government and the computer industry knows about how to keep records secure.

Finally, the big picture:

Well, it's a big challenge, it's an exciting challenge, and a historic challenge. There's nothing that's worth doing that's easy to do in life, and this is one of those.

But I really think that history is on the side of this activity. To be a 21st-century physician, to be a 21st-century hospital, we can't record data the same way the Greeks did in 500 B.C. We've gotta move to use the computer to support our work. And that's what we're trying to do.

There'll be bumps on the road. We're not gonna be perfect. We'll make mistakes. But I think the wind is at our back in terms of the historical trends. And we'll get there, sooner or later.

"Computerized Health Records," New York Times (October 15, 2009).

"Charting a New Course," CBS News (September 13, 2009).
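What "de-identified" means in practice under the HIPAA Privacy Rule's Safe Harbor method, as an added example that is not part of the interview or of the original post. Safe Harbor is the removal of the 18 identifier categories listed in 45 CFR 164.514(b)(2); the block below implements the parts that cannot be done by simple deletion (dates reduced to the year, ages over 89 collapsed to "90+", ZIP codes reduced to three digits or "000" for sparse prefixes) and scrubs formatted identifiers out of a free-text field. The patient record, the as-of date and the field names are constructed for the example; the sparse three-digit ZIP list is the one HHS published from the 2000 Census and is included as an assumption, since the authoritative list comes from current Census data.

```python
"""Added example: HIPAA Safe Harbor de-identification of a constructed record.
Not code from the page; field names and sample data are assumptions."""
import re
from datetime import date

# Identifier categories that Safe Harbor requires to be removed outright.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric_id", "photo",
}
# Dates directly related to an individual may keep only the year.
DATE_FIELDS = {"date_of_birth", "admission_date", "discharge_date", "date_of_death"}

# Three-digit ZIP prefixes covering 20,000 or fewer people must become "000".
# Assumption: the set HHS published from the 2000 Census; verify against current data.
SPARSE_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
               "821", "823", "830", "831", "878", "879", "884", "890", "893"}

# Formatted identifiers that leak into free text. Regexes only catch structured
# values; names and other prose identifiers need review beyond this.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"), "[DATE]"),
]

# Constructed as-of date matching the September 2009 post.
AS_OF = date(2009, 9, 15)


def generalize_date(iso_date: str) -> str:
    """Keep only the year of an ISO-8601 date (YYYY-MM-DD)."""
    return iso_date[:4]


def generalize_zip(zip_code: str) -> str:
    """Reduce a ZIP code to its first three digits, or to '000' if sparse."""
    zip3 = zip_code[:3]
    return "000" if zip3 in SPARSE_ZIP3 else zip3


def age_bucket(date_of_birth: str, as_of: date) -> str:
    """Report exact age up to 89; all ages over 89 become the single bucket '90+'."""
    dob = date.fromisoformat(date_of_birth)
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    return "90+" if age > 89 else str(age)


def scrub_free_text(text: str) -> str:
    """Replace formatted SSNs, phone numbers, e-mail addresses and dates."""
    for pattern, placeholder in FREE_TEXT_PATTERNS:
        text = pattern.sub(placeholder, text)
    return text


def safe_harbor_deidentify(record: dict, as_of: date) -> dict:
    """Return a Safe Harbor de-identified copy of a patient record."""
    out = {}
    # Derive the age bucket before the birth date is generalized away.
    if "date_of_birth" in record:
        out["age"] = age_bucket(record["date_of_birth"], as_of)
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key in DATE_FIELDS:
            # A birth year alone reveals an age over 89, so drop it for that bucket.
            if key == "date_of_birth" and out.get("age") == "90+":
                continue
            out[key] = generalize_date(value)
        elif key == "zip":
            out[key] = generalize_zip(value)
        elif isinstance(value, str):
            out[key] = scrub_free_text(value)
        else:
            out[key] = value
    return out


# Constructed sample record; every value is fictional.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-00012345",
    "date_of_birth": "1917-03-02",
    "admission_date": "2009-08-14",
    "zip": "03601",
    "diagnosis_code": "I10",
    "notes": "Daughter reachable at 555-867-5309 or jane.kin@example.com; DOB 03/02/1917.",
}

if __name__ == "__main__":
    print(safe_harbor_deidentify(SAMPLE_RECORD, AS_OF))
```

Safe Harbor is a regulatory standard rather than a guarantee of unlinkability, and the free-text scrubber above is the weak point by design: it catches only formatted numbers and addresses, so a note that spells out a patient's name or employer passes through untouched and needs separate review.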


A note of caution about vendor guarantees on "meaningful use"

According to Modern Healthcare, several HIT vendors, including GE Healthcare, NextGen Healthcare Information Systems, and Athenahealth, will guarantee that their EHR products will meet or "evolve to meet" the federal requirements for "meaningful use," even though such requirements have not been promulgated yet by CMS.  In fact,

Athenahealth recently upped the ante by guaranteeing that, not only will the company's AthenaClinicals Internet-based electronic health-record service meet federal standards, but the doctors who use it will receive a bonus payment for the 2011 program year under the terms of the [HITECH Act].

The HITECH Act provides for a first-year incentive payment of $18,000 for eligible professionals who first achieve meaningful use of certified EHR technology in 2011 or 2012, as opposed to the $15,000 first-year payment available to those who start later.

Some vendors hope that such guarantees will spur activity in the market, persuading some reluctant healthcare providers not to wait until CMS issues its final "meaningful use" regulations next year.  There is also some doubt whether such guarantees apply to each vendor's existing customers or solely to new customers.

However, whenever a healthcare organization enters into an EMR purchase or license agreement, it must obtain strong warranties from the vendor that its product(s) and system will meet the applicable federal standards at the time such standards are issued, and for the duration of the applicable license.  "Meaningful use" requirements will likely change over the life of a license, and a vendor's obligation to meet such evolving standards is absolutely essential.  Healthcare providers must also include proper remedies, and appropriate carve-outs from the vendor's limitation of liability, for a vendor's breach of such warranties.

Of course, such warranties are just the tip of the iceberg.  If meeting "meaningful use" criteria is essential to your healthcare organization, your EMR license agreements should include robust testing and acceptance provisions; vendor warranties regarding meeting major milestones on time; warranties regarding compliance with patient information privacy and security laws; clauses securing your ownership and access to patient data, along with many other significant provisions.

"HITS Beyond: IT vendors say products will meet unknown guidelines," Modern Healthcare (September 28, 2009).

PWC Survey Findings May Support North Shore's EMR Gamble

The New York Times reported last week that the North Shore-Long Island Jewish Health System (North Shore) will offer its 7,000 affiliated (though not employed by North Shore) physicians subsidies for implementing electronic health records.  Interestingly, this subsidy is separate from, and does not prevent such physicians from qualifying for, the approximately $44,000 in Medicare incentive payments under ARRA. 

North Shore plans to subsidize 50% of the total cost of the EMR system (which uses Dell hardware and Allscripts software) for practices "who simply install electronic health records that can communicate between the doctor's office, labs and hospitals."  However, the health system will subsidize 85% of the total cost of the EMR -- a figure driven, no doubt, by the exceptions to the Stark and Anti-Kickback laws -- for physicians willing to share some of their patient data. 

North Shore is counting on the availability of shared data to reduce the cost of care through reduction of unnecessary tests and medical mistakes.  A recent PriceWaterhouseCoopers (PWC) survey may support North Shore's reasoning.  The survey found broad agreement among healthcare executives with respect to secondary uses of EMR patient data.  Among other findings (discussed after the jump), the PWC survey found that 42% of organizations already using some form of secondary data use achieved cost savings, 29% increased their revenue, and 59% saw improvements in quality of care.

The Times implied that with this move, North Shore may be seeking a competitive advantage as well:

Digital links, analysts say, can also tighten the bonds between doctors and the hospital groups that subsidize the computerized records. In most local markets, independent physicians typically have admitting privileges at more than one nearby hospital, and so hospitals compete for doctors as well as patients.

There are, of course, risks associated with the North Shore program, including significant delays or even failure to realize significant savings from the EMR adoptions, or the uncertainty about the privacy and security measures for sharing patient data among affiliated providers.

However, both the North Shore program and the PWC survey findings suggest that the often reluctant physicians are beginning to accept the inevitability of the widespread use of electronic health records, and are trying to capitalize on the many benefits of EMR systems, including potential for improving the quality of care and reducing costs.

According to Healthcare IT News, the PWC survey found that the "data that could be mined from a health system can improve patient care, predict public health trends and reduce healthcare costs," though "a lack of standards, privacy concerns and technology limitations are holding back progress."  In particular:

  • Nine in 10 healthcare executives believe that the secondary use of health information will significantly improve the quality of patient care and offers the promise of even greater benefits in the future.
  • Nearly two thirds (65 percent) of health organizations say they expect their secondary data use to increase significantly within the next two years.
  • Among organizations already using some form of secondary data, 59 percent have seen quality improvements, 42 percent have achieved cost savings, 36 percent have seen patient/member satisfaction improve and 29 percent have increased revenue.
  • Providers who are not using secondary data say the number one reason is lack of EHR implementation, not because they are opposed to the concept. Health plans are farthest behind in their secondary use of data despite their vast repository of comprehensive claims information from physicians, hospitals, pharmacies and dentists.
  • Ninety percent of pharmaceutical companies have limited or no access to health information contained in electronic health records.
  • Most health organizations that use secondary data do so for their own quality monitoring and reporting and for identifying areas that need quality improvement.

"E-Records Get a Big Endorsement," The New York Times (September 28, 2009).

"Survey: Secondary use of electronic health data will improve care, cut costs," Healthcare IT News (October 1, 2009).

HIT Standards Committee endorses privacy and security standards

On September 15, 2009, the HIT Standards Committee endorsed a set of privacy and security standards for electronic health record systems. 
These standards will be recommended to Dr. David Blumenthal, the National Coordinator for Health Information Technology, as a basis for establishing the privacy and security criteria for, inter alia, "certified EHR technology" as defined under the HITECH Act.  Eligible healthcare providers must meet the criteria for "meaningful use" of "certified EHR technology" in order to qualify for significant incentives available under the HITECH Act.

The committee’s Privacy and Security Workgroup included access control, authentication, authorization and transmission of health data among the requirements that electronic health record systems must include by 2011 in order to meet the definition of "certified EHR technology."   Specifically for 2011, the Standards Committee approved the Workgroup's recommendation to require certified products to provide the capabilities necessary to support the HIPAA and ARRA security and privacy requirements and best practices for “meaningful use.”  The endorsed privacy and security standards will become more rigorous in 2013 and 2015.

You can find the spreadsheet of endorsed privacy and security standards here.

You can also view the presentation from the Workgroup here.

"Federal panel okays EHR security, privacy standards," Government Health IT (September 15, 2009).



HHS News: Interim Final Regulations on Breach Notification; Regional Office Privacy Advisors

On August 19, 2009, pursuant to the HITECH Act, the Department of Health and Human Services (HHS) published the interim final regulations regarding breach notification requirements for health care providers and other entities covered by HIPAA. 

According to the HHS press release:

The regulations, developed by the HHS Office for Civil Rights (OCR), require health care providers and other HIPAA covered entities to promptly notify affected individuals of a breach, as well as the HHS Secretary and the media in cases where a breach affects more than 500 individuals. Breaches affecting fewer than 500 individuals will be reported to the HHS Secretary on an annual basis. The regulations also require business associates of covered entities to notify the covered entity of breaches at or by the business associate.

You can find the text of the regulation here.

Stay tuned for more analysis of this important set of regulations on this blog. The interim final regulations are effective 30 days after publication in the Federal Register and include a 60-day public comment period. 

Also, pursuant to Section 13403(a) of the HITECH Act, the HHS Secretary Kathleen Sebelius designated an individual in each regional office of HHS (Regional Office Privacy Advisors) in order "to offer guidance and education to covered entities, business associates, and individuals on their rights and responsibilities related to the HIPAA Privacy and Security Rules."  The names, addresses, and contact information for each of the Regional Managers are listed here, together with a list of the States for which each Regional Manager has responsibility.

"HHS Issues Rule Requiring Individuals Be Notified of Breaches of Their Health Information," HHS Press Release (August 19, 2009).

"Designation of Regional Office Privacy Advisors," HHS Press Release (July 27, 2009).

Government Health IT: CCHIT to serve temporarily as sole EHR certifier

Via Government Health IT:

The federal Health IT Policy Committee today endorsed recommendations that would leave the Certification Commission for Health IT in the short term as the sole organization authorized to certify health IT systems that qualified for funding under the economic stimulus plan. More certifying organizations would be added later.

Certification of electronic health record systems that met federal criteria for “meaningful use” of health IT could start as early as October, members of the Department of Health and Human Services’ Health IT Policy Committee said at the August 14th meeting.

Under the plan, CCHIT would provide a preliminary stamp of approval that health IT systems were HHS-qualified or certified until a final meaningful use regulation is published at the end of the year, said Marc Probst, chief information officer of Intermountain Healthcare and co-chairman of the Committee’s certification work group.

Preliminary certification is meant to give providers and vendors enough certainty to proceed with planning, designing and purchasing systems in 2010. The HHS certification-qualification would mean that a provider purchasing the systems would be eligible for Medicare and Medicaid incentive payments under the stimulus law beginning in 2011.

"CCHIT will be sole health IT certifier, for now," Government Health IT (August 14, 2009).

Maryland awards $10M for CRISP, a health IT exchange

The State of Maryland awarded $10 million to support the Chesapeake Regional Information System for our Patients (CRISP), a newly created health information technology exchange organization.  Some of  the biggest players in Maryland's health care industry, including Johns Hopkins, MedStar and the University of Maryland Medical System are going to participate in CRISP. 

According to the Baltimore Business Journal:

Funding will come from the hospitals that will receive a slight increase in the prices they can charge patients and federal stimulus money.

The news comes as health care officials and lawmakers champion electronic medical records as a way of reducing health care costs. They argue that electronic medical records will reduce costs by hopefully eliminating unnecessary tests and reducing errors by allowing doctors to quickly access patients’ medical records.

State health insurers plan to provide incentives to hospitals, which include a lump sum payment or increased reimbursement, to adopt electronic health records.

"Maryland awards $10M for health IT exchange," Baltimore Business Journal (August 5, 2009).


New York Times reports on privacy concerns about use of de-identified health information

The New York Times reported on Americans' growing concern regarding commercial use of their personal health information, especially the use of de-identified prescription drug information for marketing purposes.  

The article points out correctly that the Recovery Act of 2009 (ARRA) included a few key changes to the present privacy regime, which would make it more difficult for pharmacies and data mining companies to use patient information for marketing or fundraising purposes.  While the new law (and the upcoming HHS regulations mandated by ARRA) will close a few loopholes in the current medical privacy regime, data mining companies like IMS Health and Verispan do not seem to be overly worried about these new developments:

The law won’t shut down the medical data mining industry, but there will be more restrictions on using private information without patients’ consent and penalties for civil violations will be increased. Government agencies are still writing new regulations called for in the law.  <...>

IMS Health reported operating revenue of $1.05 billion in the first half of 2009, down 10.6 percent from the period a year earlier. [An IMS representative] said he did not expect growing awareness of privacy issues to affect the business.

The Times article also touches on a few other important areas of concern for privacy advocates:  the effect of widespread adoption and use of electronic health records (EHR's) and personal health records (PHR's) on privacy and security of patients' protected health information.  

Interestingly, the article notes that while "Microsoft and WebMD acknowledge that the privacy rules in the stimulus law apply to them," "Google says the law’s prohibitions do not apply to it, except for its duty to report any breaches of medical privacy."  According to a Google spokeswoman, "Google is bound by the privacy policy that people agree to when they sign up."  Right after the enactment of the Recovery Act, Google claimed that the additional privacy rules included in the ARRA did not apply to its PHR products.  However, Google acknowledged the applicability of ARRA's data breach notification requirements a few months thereafter.  This quote in the Times may reintroduce, if not underscore, Google's ambiguous attitude toward applicability of the new privacy and security rules.

"And You Thought a Prescription Was Private," The New York Times (August 9, 2009).



New York Times reports on the growing threat of medical identity theft

The New York Times reported today on the growing threat posed to patients and consumers by medical identity theft.  The article rightfully notes that this threat may only become more prominent with the widespread adoption of electronic health records technology championed by the Obama Administration. 

According to the Times, over 250,000 Americans are victims of medical identity theft each year, and this number does not include those who are not yet aware that they are victims of such identity theft.  The article profiled one case of medical identity theft, that of Brandon Sharp, a 37-year-old manager at an oil and gas company in Houston:

In Mr. Sharp’s case, someone got hold of his name and Social Security number and used them to receive emergency medical services, which many hospitals are obliged to provide whether or not a person has insurance. Mr. Sharp still does not know whether he fell victim to one calamitous perp who ended up in several emergency rooms or a ring of accident-prone conspirators.


The article continued:

In another variant of the crime, someone can use stolen insurance information, like the basic member ID and group policy number found on insurance cards, to impersonate you — and receive everything from a routine physical to major surgery under your coverage. This is surprisingly easy to do, because many doctors and hospitals do not ask for identification beyond insurance information.

Even more common, however, are cases where medical information is stolen by insiders at a medical office. Thieves download vital personal insurance data and related information from the operation’s computerized medical records, then sell it on the black market or use it themselves to make fraudulent billing claims.

The new privacy and security provisions included in the HITECH Act are aimed at increasing protections for the privacy of patient information (e.g., new accounting and reporting rules, as well as rules regarding access to, and accuracy of, a patient's record).  HHS has yet to issue regulations implementing some of these requirements. 

Finally, the Federal Trade Commission's "Red Flags Rule" is aimed at preventing identity theft, including medical identity theft.  In fact, one of the FTC's suggestions to healthcare organizations for identity theft prevention is to institute a practice of checking patients' ID before providing services to them.

"Your Medical Problems Could Include Identity Theft", New York Times (June 12, 2009).


EHR Market to reach $1.6BN in 2013

Healthcare IT News reports that a new study projects that the market for electronic health records related equipment and software will reach $1.6 billion in 2013, almost three times last year's value.  The EHR market was estimated at $575 million in 2008.  ARRA is, of course, the main reason for such a steady rise in market value:

Driven by the growing use of EMRs in hospitals and physician offices, this segment of the patient monitoring market will grow 23.3 percent annually through 2013, notes the report, "High-Tech Patient Monitoring Systems Markets (Remote and Wireless Systems, Data Processing, EMR Data Transfer)."

Increased use of EMRs and high-tech patient monitoring systems is a key piece of President Barack Obama's plan to fix the ailing healthcare system, the report notes, because they have the potential to improve patient outcomes and satisfaction, provide cost savings and more efficient use of healthcare resources and reduce hospitalizations.

Full article here.

"Market for EMRs pegged at $1.6 billion by 2013", Healthcare IT News (June 4, 2009).

NCVHS issues summary of its hearing on "meaningful use"

The National Committee on Vital and Health Statistics (NCVHS) held a public meeting on April 28-29, 2009 in Washington, DC to help define and clarify the term “meaningful use” with respect to such term's use under the HITECH Act.  

NCVHS provided a summary report of  "the themes elaborated upon by the over 100 stakeholders who provided oral and written testimony" during the hearing.  The report is merely a digest of testimony, and does not include commentary or recommendations from NCVHS.

You can find the full report here.

Maryland's new HIT legislation

On May 19, 2009, Governor O'Malley of Maryland signed into law a bill requiring private insurance companies to offer healthcare providers financial incentives to adopt healthcare information technology (HIT), while establishing penalties for those providers who do not bring an electronic medical records system on line by 2015.  According to the Baltimore Sun,

The stimulus money went to Medicare and Medicaid, which are to give it to doctors who adopt electronic medical records. But because Medicare and Medicaid account for less than half of payments to many providers, state Health Secretary John Colmers said, private insurers are now being enlisted to add incentive, beginning in 2011.

The bill allows insurers to choose among several forms of inducement - increased reimbursements, lump-sum payments or in-kind services - so long as it has a monetary value.

"The goal here in Maryland was to assure that all of the payers pull their oars in the same direction," Colmers said. "There is a great promise in electronic health records, but the greatest promise comes when it's done in a coordinated fashion, across all of the payers."

The new law also requires Maryland to develop "a health information exchange, a computer network that would link all of Maryland's physicians, hospitals, medical laboratories and pharmacies. It could be linked with those of other states to create [a] national network."

"Bill pushes doctors to computerize records", The Baltimore Sun, May 19, 2009.

Maryland General Assembly HB706 "Electronic Health Records - Regulation and Reimbursement"

HHS releases Recovery Act Implementation Plans

On May 15, 2009, the U.S. Department of Health and Human Services (HHS) released Recovery Act implementation plans:

HHS is moving quickly and carefully to award Recovery Act funds in an open and transparent manner that will achieve the objectives of each ARRA program. Implementation plans provide detailed information regarding the goals, funding, contracts competition, contract type, and accountability mechanisms.

HHS and the Office of National Coordinator for Health IT (ONC) released two such implementation plans aimed specifically at accelerating the adoption of health information technology pursuant to the HITECH Act:  the Recovery Act Implementation Plan for Medicare and Medicaid incentives, and the accompanying Implementation Plan from the ONC.

Washington Post examines HIMSS role in securing HIT stimulus funding

The Washington Post provides an interesting behind-the-scenes account of how the funds for electronic health records adoption were included in the American Recovery and Reinvestment Act of 2009, commonly known as the stimulus bill.  The Healthcare Information and Management Systems Society (HIMSS) played a crucial role in this lobbying effort.  According to the Post:

[HIMSS] had worked closely with technology vendors, researchers and other allies in a sophisticated, decade-long campaign to shape public opinion and win over Washington's political machinery.

You can read the whole article here.

Steve Fox featured in For the Record's May 2009 Cover Story

Steve Fox was interviewed in this month's Cover Story "The Big Push", in For the Record, a biweekly  magazine for health information management professionals, regarding the incentives and challenges of EHR adoption.  On incentives included in the HITECH Act, Steve argued that:

“it’s almost crazy not to adopt EHRs because we’re talking about a significant amount of money ... From my discussions with hospitals and other physicians, the consensus seems to be that leaving that large sum on the table would just be foolish. Some hospitals I’ve spoken with are anticipating this will bring in millions.”

Steve also identified interoperability as a crucial goal for EHR systems:

“Trying to encourage not just adoption of EHRs but having them all interconnected is definitely the next step and perhaps even the definition of success in the end ... Hospitals need to be connected with one another or the EHRs are not being used to their full potential. Take Philadelphia, for instance. There are a lot of hospitals there but almost no connectivity among them. If a patient has his records at one hospital but gets taken to a different hospital, there’s no way to access his records, even if they do have an EHR in place.”

You can read the full article here.

This just in: New HHS guidance about securing protected information

From HHS:

On April 17, 2009, HHS issued guidance specifying the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals, as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act passed as part of American Recovery and Reinvestment Act of 2009 (ARRA). This guidance was developed through a joint effort by OCR, the Office of the National Coordinator for Health Information Technology (ONC), and the Centers for Medicare and Medicaid Services (CMS).

This guidance relates to two forthcoming breach notification regulations – one to be issued by HHS for covered entities and their business associates under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Sec. 13402 of HITECH) and one to be issued by the Federal Trade Commission (FTC) for vendors of personal health records and other non-HIPAA covered entities (Sec. 13407 of HITECH). HITECH requires these regulations to be published within 180 days of enactment. If the entities subject to the regulations apply the technologies and methodologies specified in the guidance to secure information, they will not be required to provide the notifications required by the regulations in the event the information is breached.

The Guidance can be viewed (in PDF) here.

Update: Healthcare Informatics Interviews Steve Fox and Ed Shay about the HITECH Act, Parts III and IV

Healthcare Informatics Editor-in-Chief Anthony Guerra recently talked with our own Steve Fox and fellow Post & Schell partner Edward Shay about the substance of the HITECH Act and what this new legislation means for healthcare providers. The interview appears under the "Online Exclusives" section of the Healthcare Informatics Web site.

Healthcare Informatics recently published Part III and Part IV of the interview on its Web site.

In the news: "Octomom" privacy breach at Kaiser Permanente; uptick in HIT stocks; and more

  • After what has become a rather typical breach of patient privacy for Southern California, Kaiser Permanente fired fifteen employees (and disciplined eight additional employees) for looking at the medical records of Nadya Suleman, the mother of octuplets commonly referred to as "Octomom".  Previously, similar breaches occurred at UCLA when that medical center's staff leaked celebrities' medical records to the tabloids.  (, via AP, March 30, 2009.)
  • The Wall Street Journal reported last week that HIT stocks, especially those of smaller companies like eClinicalWorks (which provides the software component of Wal-Mart's new EHR package), will benefit greatly from the billions of dollars in HIT funding included in the stimulus bill.  Also, in another sure sign of a growing industry, Quality Systems, the maker of the NextGen EHR software, is "beefing up its sales force." ("Stimulus Funds for E-Records Augur Big Windfall for Small Health Firms", Wall Street Journal, March 24, 2009.)
  • A new bill was introduced in the Pennsylvania Senate that would ban businesses from collecting personal data from driver's licenses.  This should also serve as a good reminder for businesses not to collect or store more information than absolutely necessary.  (, March 30, 2009.)
  • Perot Systems will launch a new service tomorrow (April 1, 2009) to help hospitals achieve "meaningful use" status under HITECH, geared towards meeting the interoperability and standardization requirements for HIT use.  (Healthcare IT News, March 30, 2009).


Debate on EHR Savings Rages at Harvard

A battle royal rages on among various Harvard physicians about the effects of a widespread adoption of EHR technology.  In a Wall Street Journal op-ed, two Harvard doctors questioned President Obama's claim that nationwide adoption of EHR technology will save the taxpayers as much as $80 billion annually.   Drs. Groopman and Hartzband call on Mr. Obama to "apply real scientific rigor to fix our health-care system rather than rely on elegant exercises in wishful thinking."  

However, three other Harvard physicians, including Geek Doctor John Halamka, published a Letter to the Editor in response to the Groopman/Hartzband Op-Ed, claiming that the latter did not present a full or accurate picture of the positive effects of widespread adoption of EHR technology.  In part, Drs. Halamka, Bates and Middleton claim that:

The electronic health record represents a transformational change in healthcare, and will enable an array of improvements—although it will not necessarily result if implemented badly. The electronic record is to the paper record as the automobile was to the horse and buggy. No one will want to go back.


Separately, Stephen B. Soumerai, a Harvard Medical School professor (with a University of Alberta co-author, Sumit R. Majumdar) published an Op-Ed in the Washington Post supporting the Groopman/Hartzband claim that EHR technology is not going to produce the promised mass savings because major studies

have found that electronic records with computerized decision support did not result in a single improvement in any measure of quality of care for patients with chronic conditions including heart disease and asthma.

Soumerai and Majumdar sadly concluded that "a $50 billion investment in health information technology won't do much for many Americans." 

This did not go unnoticed by Halamka and the EHR enthusiasts, Drs. Bates and Middleton.  Their response in another Letter to the Editor (this time, in the Washington Post), systematically deconstructed Soumerai and Majumdar's conclusions, reinforcing the theme articulated by Halamka, Bates and Middleton in the Wall Street Journal:  bad implementation can lead to bad results; EHRs are the way of the future, and the focus should be on how to improve quality of care, not whether to implement EHR technology.  The Letter to the Editor also cited specific examples of savings produced by successful adoption of EHR technology:

a detailed case study of the cost and quality benefits of EHR at Family Care of Concord, NH found net benefits per clinician per year of $30,324. Another study of hospital-based provider order entry identified net savings of $1.7 million per year from drug dosing guidance, nursing time utilization, and error prevention.

While the fight continues at Harvard, there is some positive news from Wall Street.  The Wall Street Journal reports that the HIT funding included in the stimulus appears to be boosting the stock prices of certain HIT vendors, including Quality Systems Inc. (QSII), Athenahealth Inc. (ATHN) and Allscripts-Misys Healthcare Solutions Inc. (MDRX).  Thus, it appears the stimulus is working for someone.  Let's hope the EHR enthusiasts at Harvard are correct, and that we will all benefit from lower costs, increased efficiency and higher-quality health care as a result of nationwide EHR adoption.

"Obama's $80 Billion Exaggeration", Wall Street Journal, March 11, 2009.
"Bad Bet on Medical Records", The Washington Post, March 17, 2009.
"Health IT Push Helps Physician Practice Software Stocks", Wall Street Journal, March 23, 2009.

Healthcare Informatics Interviews Steve Fox and Ed Shay about the HITECH Act

Healthcare Informatics Editor-in-Chief Anthony Guerra recently talked with our own Steve Fox and fellow Post & Schell partner Edward Shay about the substance of the HITECH Act and what this new legislation means for healthcare providers.  The interview appears under the "Online Exclusives" section of the Healthcare Informatics Web site.

In Part I and Part II of the interview, Steve and Ed discuss the incentives for hospitals and physician practices included in the HITECH Act; new regulations to be promulgated by HHS Secretary under this Act; and what actions hospitals and physician practices should be considering at this time in order to qualify for the incentive payments under the Act.

Part III is coming soon, and we will update this entry when it is published on 

UPDATED: ARRA Includes Major Changes to Healthcare Privacy Law

The HITECH Act includes a number of provisions regarding the confidentiality, privacy and security of protected health information, which significantly affect both the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the HIPAA Privacy and Security Rules. The Act provides a different effective date for nearly every provision, but some of them have already gone into effect upon ARRA’s enactment on February 17, 2009. Furthermore, the Act mandates that the HHS Secretary promulgate regulations regarding various privacy and security provisions, thereby delaying enforcement until the completion of the rule-making process. Consequently, there is still much uncertainty regarding the new privacy and security regime established by this Act.
Some of the most significant changes include:

  • New breach notification requirements for covered entities. The Act requires covered entities to notify individuals in writing if their protected health information (PHI) is disclosed, lost or otherwise compromised. The notices must be given within sixty (60) days of discovering the breach; if the breach involves 500 or more individuals, the covered entity must also inform HHS and “prominent media outlets serving a state or a jurisdiction.” There are also “temporary” breach notification requirements for commercial personal health record vendors, such as Google Health, Microsoft Vault and Revolution Health; however, Google Health has claimed that the Act’s provisions do not apply to Google. We will have to await the final regulations to see if they remove any ambiguity in this area.
  • Business Associates are now subject to HIPAA. Third-party administrators, health information technology vendors, benefit providers and consultants are now directly subject to certain specified HIPAA privacy and security rules and regulations. (Please note that this change in particular may require a review of existing Business Associate Agreements as well as revision of any new BAAs entered into.)


  • State Attorneys General may now bring state actions to enforce HIPAA, seeking statutory damages and attorneys’ fees for violations. Previously, such enforcement was exclusively limited to the Office of Civil Rights within HHS.
  • The Act restricts a covered entity’s right to refuse an individual’s request not to use or disclose PHI if: (i) disclosure is to a health plan for carrying out payment or health care operations (not for treatment); and (ii) the PHI “pertains solely to a health care item or service for which the health care provider involved has been paid out of pocket in full.” Previously, the covered entity was not required to agree to such requested restrictions.
  • The Act requires a covered entity using or disclosing PHI, or requesting PHI from another covered entity, to limit “to the extent practicable” disclosure of PHI to the “limited data set” as defined under HIPAA, or, if more information is “needed,” to the minimum necessary “to accomplish the intended purpose of such use, disclosure, or request, respectively.” Depending upon the forthcoming guidance from HHS (due within 18 months), this may require considerable education, training and additional resources necessary to implement this new requirement.
  • The Act removes an exception that excused covered entities from accounting for disclosures of PHI made to carry out treatment, payment and health care operations. When this becomes effective (which depends on when an EHR is acquired), all such disclosures must be accounted for if the disclosure was made “through” an EHR. However, the right to an accounting of such disclosures only covers the 3 years prior to the date on which the accounting is requested, rather than the 6 years currently provided under HIPAA.
  • Covered entities and business associates will be prohibited from receiving remuneration in exchange for any PHI of an individual without first obtaining an authorization from such individual (subject to certain exceptions). The authorization must specify whether the original receiver of PHI may further exchange it for remuneration. This will go into effect in approximately 24 months after ARRA’s enactment.
  • A covered entity that “maintains” an EHR is required to produce a copy of a patient’s PHI in electronic format upon an individual’s request, and if the individual so chooses, to transmit the copy directly to an entity or person designated by the individual. A fee for such service may not be greater than the covered entity’s labor costs in responding to the request for the copy.
  • The Act imposes new restrictions on covered entities’ and business associates’ marketing communications to potential buyers or users of their products. This is also subject to certain exceptions and qualifications depending on the purpose of the communications and whether any payments are involved.

HITECH Act Will Benefit Higher-Ed Institutions

HHS may award grants to eligible institutions “to carry out demonstration projects to develop academic curricula integrating certified EHR technology in the clinical education of health professionals.” Eligible institutions are limited to:

  • a school of medicine, osteopathic medicine, dentistry, or pharmacy, a graduate program in behavioral or mental health, or any other graduate health professions school;
  • a graduate school of nursing or physician assistant studies;
  • a consortium of two or more schools described above; or
  • an institution with a graduate medical education program in medicine, osteopathic medicine, dentistry, pharmacy, nursing, or physician assistance studies.


However, the Act imposes two major limitations: (1) applicant schools must contribute at least 50 percent of the funding (unless such co-payment would be detrimental to the program due to national economic conditions, in which case, upon notification to Congress, the cost-share requirement may be waived); and (2) eligible schools cannot use amounts received under this program to purchase hardware, software, or services. These funds are meant exclusively for adapting the school’s curricula to the new technology, which may mean that schools may not use HHS funds to hire consultants to develop such programs for them.

The Act also authorizes HHS to assist all education institutions in establishing or expanding health informatics programs. Schools may receive federal assistance to develop and implement HIT curricula, courses and certification programs; recruit students; acquire necessary equipment (and installation of such equipment); and establish or enhance bridge programs between community colleges and universities. Priority will be given to existing education programs and programs designed to be completed in six months. However, as noted above, eligible programs must contribute at least 50% of the funding, subject to the economic conditions exception described in the above paragraph.

HITECH Act Will Benefit Physician Practices

Physician practices are eligible to receive up to $44,000 per physician for meaningful use of certified EHR technology (as described here*):

  • Up to $18,000 for the first year (dropping to $15,000 if the first year is not 2011 or 2012); $12,000 for the second year; $8,000 in year 3, $4,000 in year 4 and $2,000 in year 5.  (See table after the jump.)
  • There will be no incentive payments for practices establishing their meaningful EHR use after 2014 (e.g., beginning 2015).
  • Meaningful EHR use by physicians will be further defined by regulations, but at a minimum, includes the use of e-prescribing and participation in “the electronic exchange of health information to improve the quality of health care, such as promoting care coordination,” i.e., HIEs or RHIOs.
  • There is a 10% premium for physicians whose practices are in underserved areas.
  • However, if a physician practice does not achieve meaningful EHR status by 2015, Medicare reimbursement fees will be reduced by 1% in 2015, 2% in 2016, 3% in 2017 and beyond; and the Secretary will have the right to reduce fees by 5% starting in 2018 for those practices where meaningful EHR use is under 75%.


In lieu of Medicare incentive payments, certain physician practices may also be eligible to receive up to $65,000 in Medicaid reimbursement payments if they achieve standards of meaningful use similar to the Medicare requirement.

  • States will reimburse up to 85% of the cost of implementation of EHR, possibly starting in 2011, but starting no later than 2016, with 2021 being the final year for Medicaid reimbursements.
  • The first year’s payment is capped at $25,000 and may include reimbursed costs associated with the purchase, implementation or upgrade of EHR technology, or, if the provider achieves meaningful user status, costs incurred if EHR technology is already implemented.
  • Subsequent annual reimbursements will not exceed $10,000 per annual payment, and are intended to cover costs of operation and maintenance of EHR technology.

 * Physicians, unlike hospital systems, are specifically required to demonstrate the use of e-prescribing as part of their EHR use.


UPDATED: HITECH Act will Benefit Hospitals

Each eligible hospital (a “subsection (d) hospital,” as defined under 42 U.S.C. §1395ww(d)(1)(B), which does not include psychiatric hospitals, rehabilitation hospitals, children’s hospitals or long term care hospitals) that achieves "meaningful" EHR use may qualify to receive from Medicare an amount equal to the product of the following three factors:

  • Initial Amount ($2 million plus additional amounts calculated in accordance with each hospital’s Medicare discharges);
  • Medicare Share (roughly, a hospital’s share of Medicare discharges over total discharges); and
  • Transition Factor:
    Year 1 – 100%
    Year 2 – 75%
    Year 3 – 50%
    Year 4 – 25%
    Year 5 – 0%

“Meaningful users” are hospitals or physician practices able to demonstrate that their EHR technology is connected in a way that improves the quality of health care, through reported results on clinical quality and other measures selected by the Secretary. Meaningful EHR use includes quality reporting and may be demonstrated by attestation, survey response, appropriate claims or quality reporting, or such other manner as the Secretary specifies.  Of course, the question remains as to how HHS will define “meaningful” use, and we will just have to wait until the end of this year to find out. The concern is that if HHS raises the bar too high, it will exclude hospitals that will be unable to achieve it within a reasonable time.


“Certified EHR technology” will be technology that is certified by an independent body recognized by the Secretary as meeting standards for such technology established by the Secretary by rulemaking before Dec. 31, 2009.

Hospitals can receive both Medicare and Medicaid incentives (calculations for the latter are linked to Medicaid discharges). The Medicaid portion can be accelerated (50% in one year or 90% in two years).  Also, Medicaid incentives are not restricted to subsection (d) hospitals. Thus, for example, although a children’s hospital does not qualify for Medicare incentive payments, its Medicaid incentives may produce a much higher amount of reimbursements.

Some calculations indicate that the maximum combined Medicare and Medicaid payments may total up to $11 million, while $6 million to $8 million payments should be more typical. Below is a sample breakdown* of reimbursement payments (from both Medicare and Medicaid) for hospitals under the Act:


Hospitals may also receive additional aid from the federal government if they participate in HHS’s health information technology extension program. At the heart of the program, the newly established HIT Research Center (“Center”) will provide technical assistance and disseminate best practices to support and accelerate efforts to implement and operate healthcare information technology in accordance with the standards, specifications and certification criteria to be established under the Act. As part of its duties, the Center will

  • provide a forum for the exchange of knowledge and experience;
  • accelerate the transfer of lessons learned;
  • analyze and disseminate evidence and experience;
  • provide technical assistance to regional and local information exchanges;
  • develop solutions for barriers to the electronic exchange of information; and
  • develop effective strategies for the use of HIT in medically underserved communities.

On a more local level, Regional Extension Centers (RECs) will provide technical assistance and disseminate best practices learned from the Center to aid and accelerate the implementation and use of HIT. Each REC must be affiliated with one or more nonprofit organizations. Funding will be available for up to four years and is intended to cover up to 50% of each REC’s capital and operating expenses.

In making its funding decisions, HHS will consider the REC applicant's ability to provide assistance and utilize technology appropriate to the needs of particular categories of health care providers; the types of services the proposed REC will provide to health care providers; the geographical diversity and extent of the proposed REC’s service area; and the percentage of funding and amount of in-kind commitment from other sources the REC applicant can secure.

Public, nonprofit and critical access hospitals, community health centers, individual or small practices and entities that serve the uninsured and underinsured, as well as medically underserved persons, will be given priority in receiving assistance. In less than 90 days, HHS will produce a description of the extension program, including a detailed explanation of the program and the program's goals; procedures to be followed by REC applicants; criteria for determining qualified REC applicants; and the maximum support levels expected to be available to RECs under the program.