Free Webinar: Negotiating "Must-Have" Provisions in HIT Contracts

On Thursday, March 18, 2010 from 1:00PM to 2:00PM (EST), Post & Schell will host the next webinar in a series examining the effects of meaningful use and other HITECH Act regulations on the healthcare industry. 

This webinar will focus on identifying and negotiating the essential elements of HIT agreements, particularly in light of the HITECH Act and related HHS regulations regarding "meaningful use" of "certified EHR technology." Post & Schell's Steve Fox and Vadim Schick, along with Jim Oakes, Principal at Health Care Information Consultants, will discuss:

  • Warranty, limitation of liability and privacy and security provisions in HIT contracts
  • Structuring payments to correspond with certain achievement milestones
  • Acceptance testing procedures
  • Provisions specific to vendor-financing transactions
  • ASP / SaaS models of software licensing

You may view this presentation at your desk. There is no charge or limit to the number of people who may listen to the presentation on the same line. Click here to register. After registering, you will receive log-in information by e-mail.

This webinar is the second in a series devoted to structuring vendor-provider agreements in the post-HITECH Act world. If you missed our first webinar, A Lawyer's Take on "Meaningful Use," you can still view the slides from that presentation here.

 

HHS begins enforcement of breach notification requirements

As of February 22, 2010, HHS is expected to begin enforcing the new breach notification requirements created by the privacy and security provisions within the HITECH Act.  Although such requirements went into effect last fall, HHS gave covered entities and business associates a few months to adapt to the new rules.  That enforcement delay is now over, and, perhaps in a related move, on February 23, 2010, HHS's Office of Civil Rights, pursuant to the HITECH Act, posted a list of organizations which reported breaches of unsecured protected health information affecting 500 or more individuals on OCR's web site.  This should serve as a good reminder to providers and HIT vendors alike to be keenly aware of the new regulations on breach notification.

The HITECH Act required a covered entity that “accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information” to notify each individual “whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed” due to the breach.  Business associates who discover a breach must notify the covered entity. 

By regulation published in the Federal Register on August 24, 2009, HHS added a rather controversial  "harm threshold" to this requirement:  covered entities and business associates are required to notify the affected individual, the HHS, and, in some cases, the media, if such breach poses a significant risk of harm to the individual.  This "harm threshold" essentially requires the organization which discovers a breach to undergo a risk assessment test to determine whether a breach would cause "significant harm" to the affected person.

The HITECH Act defines “breach” as “the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.” The Act includes two important (albeit vague) exceptions to this definition for cases in which: (1) “the unauthorized acquisition, access, or use of PHI is unintentional and made by an employee or individual acting under authority of a covered entity or business associate if such acquisition, access, or use was made in good faith and within the course and scope of the employment or other professional relationship with the covered entity or business associate, and such information is not further acquired, accessed, used, or disclosed”; or (2) “where an inadvertent disclosure occurs by an individual who is authorized to access PHI at a facility operated by a covered entity or business associate to another similarly situated individual at the same facility, as long as the PHI is not further acquired, accessed, used, or disclosed without authorization.”

The HITECH Act imposes a similar notification requirement on a business associate “that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured” PHI. In the event of a breach, the business associate shall provide notice to the covered entity, including “the identification of each individual whose unsecured protected health information has been, or is reasonably believed by the business associate to have been, accessed, acquired, or disclosed during such breach.”

The term “unsecured protected health information” refers to PHI that is not secured through the use of a “technology or methodology” specified by the Secretary in a “Guidance” issued as part of the breach notification regulation in the Federal Register on August 24, 2009 (see link above).  The Guidance, which is to be updated annually, specifies two basic ways of rendering PHI “secure:” encryption and destruction. Electronic PHI must be properly encrypted “by ‘the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key’ and such confidential process or key that might enable decryption has not been breached.” The Guidance provided an exhaustive list of technologies which would encrypt PHI, referencing “approved” processes and methods from the National Institute of Standards and Technology (NIST). Electronic PHI may be properly destroyed if the hard copy media (e.g., paper, tapes) on which the PHI is stored is shredded or destroyed in such a way “that the PHI cannot be read or otherwise cannot be reconstructed;” electronic media containing PHI “must be cleared, purged, or destroyed consistent with NIST [Guidelines] such that the PHI cannot be retrieved.”

Securing PHI in accordance with this Guidance will be the safest way to protect a healthcare organization from a serious breach of patient data privacy. Organizations that suffer a breach involving disclosed, stolen or lost data that was not “secured” may be subject to a wide range of newly established breach notification requirements.  It is important to note, however, that for both covered entities and business associates, the breach shall be deemed to have been discovered on the first day on which it is “known to such entity or associate.” The term “known” means that the circumstances of the breach are known by any “employee, officer, or other agent of such entity or associate,” other than the person who committed the breach. Furthermore, all notifications (by both covered entities and business associates) must be made “without unreasonable delay,” which, in Congressional time, means no later than 60 calendar days after discovery of the breach. The entity making the notification has the burden of demonstrating that all required notifications were made, as well as explaining the necessity of any delay.

There is a lot more information that covered entities and business associates must know about the new rules, including, for example, requirements regarding the content of breach notices.  For more information on these matters, please do not hesitate to contact us.

Free Webinar on Meaningful Use: Slides included below

Here are the slides from  our February 25, 2010 Webinar on Meaningful Use.  This webinar was first in a series, and focused on the critical definition of "meaningful use" of "certified EHR technology," as described in proposed regulations released and published by CMS pursuant to the HITECH Act on January 13, 2009.  Steve and I discussed:

  • Key policy goals and objectives behind meaningful use
  • Measures required to achieve meaningful use
  • Structure of incentive payments under Medicare and Medicaid
  • Eligibility requirements for professionals and hospitals

Our next webinar, to be held on Thursday March 18, 2010, from 1:00 to 2:00 PM, will focus on how to negotiate software and EHR licensing agreements and other transactional issues with respect to dealing with health IT vendors.

For more information, please contact me at vschick@postschell.com or 202-661-6945.

Thursday: Free Webinar on "Meaningful Use"

On Thursday, February 25, 2010 from 1:00PM to 2:00PM (EST), Steve Fox and yours truly will host a free webinar, the first in a series, which will focus on the critical definition of "meaningful use" of "certified EHR technology," as described in proposed regulations released and published by CMS pursuant to the HITECH Act on January 13, 2009.  We will discuss:

  • Key policy goals and objectives behind meaningful use
  • Measures required to achieve meaningful use
  • Structure of incentive payments under Medicare and Medicaid
  • Eligibility requirements for professionals and hospitals

You may view each of these presentations at your desk. There is no charge or limit to the number of people who may listen to each presentation on the same line. Click here to register. After registering, you will receive log-in information by e-mail.

Our next webinar, to be held on Thursday March 18, 2010, from 1:00 to 2:00 PM, will focus on how to negotiate software and EHR licensing agreements and other transactional issues with respect to dealing with health IT vendors.

For more information, please contact me at vschick@postschell.com or 202-661-6945.

 

Pritts named first ONC Chief Privacy Officer

Joy Pritts, a researcher and faculty member at Georgetown University's Health Policy Institute, was named as the first Chief Privacy Officer for the Office of the National Coordinator for Health IT.  This position was created pursuant to a provision in ARRA, last year's economic stimulus legislation.

In her new position, Ms. Pritts will advise Dr. Blumenthal on forming policies on privacy, security and data stewardship of electronic health information, as well as coordinate similar efforts on state, federal and international levels.

Ms. Pritts is a graduate of Oberlin College and Case Western Reserve University School of Law.  She has testified before Congress on data privacy issues, and served as a member of the Technical Advisory Panel for the multi-state Health Information Security and Privacy Collaborative (HISPC) and on the board of the National Governors Association’s State Alliance for e-Health.

According to Government Health IT:

Blumenthal said Pritts, who started her job Feb. 16, has extensive experience on all the issues that ONC grapples with. For instance, she was heavily consulted by members of Congress in legislating the HITECH health IT incentive law.

'So she has an understanding of the legislative process and a policy understanding, in addition to having worked for the government previously,' Blumenthal said in answer to a reporter’s question after a meeting of HHS’s Health IT Policy Committee.

'She has a combination of an understanding of government, understanding of the issues, and her legal background is very important – her research and policy qualifications,' he added.

"HHS appoints Joy Pritts chief privacy officer," Government Health IT (February 17, 2010).

 

Obama administration announces $975M in HIT grants

HHS Secretary Kathleen Sebelius, appearing with Labor Secretary Hilda Solis, announced the Obama administration will release almost $1 billion set aside in the stimulus bill in order to aid implementation of health information technology.

Secretary Sebelius announced $386 million in grants to advance widespread adoption of EHRs at the state level, including for health information exchanges (HIEs).  HHS also awarded $375 million to 32 nonprofits for Regional Extension Centers which assist providers in updating their medical record systems and train workers on such new technologies.

Secretary Solis announced around $225 million to support 55 job-training programs in 30 states, which are expected to train around 15,000 people in health records technology.

The Obama administration expects to help more than 100,000 health-care providers set up electronic medical records for their patients by 2014.

According to the Wall Street Journal's Washington Wire blog:

“Patient privacy is the top priority,” Health and Human Services Secretary Kathleen Sebelius said. The agency is about to appoint a chief privacy officer, and the government has strengthen [sic] the penalties for negligent security breaches for companies so they reach up to $1 million.

"Electronic Medical Records get a boost," Washington Wire (February 12, 2010).

"Obama awards money for electronic medical records," Associated Press (February 13, 2010).

Rising numbers and costs of data breaches

There is little doubt that the healthcare industry must prepare for a growing number of - and expanding costs associated with - data breaches, particularly for breaches of protected health information.  Here are just a few notable reports on this subject:

  • Infosecurity.com reported on a striking increase in attempts to hack into healthcare organizations, while the rate of hacking in other economic sectors remained flat:  "the last quarter of [2009] saw an average of 13,400 attempts to hack healthcare organizations, compared to an average of 6,500 in the first nine months."  According to researchers at SecureWorks, which produced the graph above, healthcare organizations are particularly vulnerable to such attacks because they "have to provide access to many external networks and web applications so as to stay connected with their patients, employees, insurers and business partners. This increases their risk to cyber attacks."
  • Cnet News reported on similar findings by the Ponemon Institute, whose survey concluded that "Data breaches at U.S. companies attributed to malicious attacks and botnets doubled from 2008 to 2009 and cost substantially more than breaches caused by human negligence or system glitches."  The cost per compromised record involving a criminal act averaged $215, about 40% higher than breaches from negligence and 30% higher than those from glitches, the Ponemon survey found.

 

There are also a couple of examples of individual healthcare organizations suffering from increasing costs associated with data breaches:
 

  • According to the Chattanooga Times Free Press (via iHealthBeat), BlueCross BlueShield of Tennessee announced that it has spent more than $7 million to respond to a security breach resulting from 57 hard drives having been stolen from its training facility, which may have compromised personal and health data of up to 500,000 members.  The $7 million tab does not appear to be the end of it:

The insurer has notified 220,000 BlueCross members about the data theft. The company also is offering no-cost credit-monitoring services for affected members. In addition, BlueCross is working to notify attorneys general in 32 states about the breach [pursuant to the HITECH Act].   <...>

BlueCross officials said 20,500 members already have signed up for the no-cost credit-monitoring services. In addition, the company has hired more than 700 contract and BlueCross employees to help determine what data the hard drives contained. The insurer said it might need to spend significantly more money to evaluate the missing data and provide additional identity protection services.

  • Considering the experience of BCBS of Tennessee, the costs associated with HealthNet's infamous data breach must be even higher. On top of providing two years of free credit-monitoring for hundreds of thousands of affected members, HealthNet is being sued by the state of Connecticut for HIPAA violations and noncompliance with HealthNet's own security policies by failing to encrypt the sensitive data.  The missing hard drive contained "27.7 million scanned pages of more than 120 different types of documents, including insurance claim forms, membership forms, appeals and grievances, correspondence and medical records."  Further complicating HealthNet's situation is the fact that the company waited for six months to inform the affected customers of the possible breach.

"Healthcare hacks on the rise," Infosecurity.com (January 26, 2010).

"Survey: Data breaches from malicious attacks doubled last year," cnet News (January 25, 2010).

"Tab for Response to Data Breach Hits $7 Million for BCBS of Tennessee," IHealthBeat (January 26, 2010).

"AG files suit in health data privacy breach," theday.com (January 13, 2010).

 

 

Negotiating vendor-financed EMR transactions

Ingenix, the technology unit of United Health Group, and Allscripts-Misys Healthcare Solutions joined Siemens, GE Healthcare and IBM in offering financing for purchasers of electronic medical record technology.   This continues the trend of vendors offering interest-free financing until healthcare providers receive the "meaningful use"  incentive payments or reimbursements under the HITECH Act.

While such offers may provide a solution to some of the credit and financing woes facing the healthcare industry, healthcare providers should be acutely aware of the many potential pitfalls and related issues inherent in vendor-financed deals, including: (1) additional pressure from vendors to accept their standard contractual terms and conditions, rather than engaging in full-blown contract negotiations, because vendors have much more leverage if they are also the creditor in the transaction; (2) failing to obtain necessary warranties and representations from vendors that their systems will comply with all relevant requirements under ARRA and the HITECH Act and will permit the provider to achieve meaningful use; (3) dealing with problems that may arise if either the vendor’s product fails to achieve applicable certification (e.g., CCHIT), is not “accepted” by the provider after completion of acceptance testing or the product does not enable the provider to achieve “meaningful use” in a timely manner, as well as a host of other issues.

Steve Fox and yours truly explore the issues around vendor financing of EHR system purchases in the latest issue of the Journal of Health Information Management, where we suggest recommended courses of action for healthcare providers considering acquiring HIT systems, including EMRs, by using vendor financing options.  A complimentary PDF copy of the article is available here.
 

GE and Siemens provide new financing options for Health IT purchases

On the eve of HHS releasing the much-anticipated definition of "meaningful use," health IT divisions of GE and Siemens revealed new financing options for purchases of their EMR and other HIT products.

On December 16, 2009, Siemens followed IBM and GE in offering "a series of flexible financing solutions to help healthcare providers pursue meaningful use objectives and meet [HITECH Act] deadlines <...>  Featuring zero-percent interest terms for qualified customers, the solutions enable organizations to defer up-front payments associated with their technology investment while meeting criteria for future government incentive monies."

According to Fierce Healthcare:

To provide the greatest possible range of choices for customers, Siemens offers solutions from Siemens Financial Services, Inc. as well as from selected partners, including IBM Global Financing and 3-D Financial Services. These options allow customers to choose a customized financing solution that matches their individual technology acquisition roadmaps, business strategies, financial profiles, and technology needs. <...>

By bridging the gap between the project implementation and the receipt of ARRA incentive, Siemens will be providing its customers an option which allows them to optimize their cash flow while maximizing return on investment.

Back in June of 2009, GE announced its $2 billion commitment as part of its Stimulus Simplicity program. According to the Wall Street Journal, GE, through its GE Capital division, “expects to offer $100 million in interim financing to hospitals and health-care providers for projects that are expected to qualify for funds from the U.S. government's economic-stimulus package. GE said the move offers doctors, community health clinics and hospitals a bridge to qualify for stimulus funds and faster access to electronic medical records.” While the “meaningful use” definition and the EHR certification are not yet finalized, GE guarantees that its EHRs will meet the upcoming requirements, regardless of the details of the final rule. Like IBM’s program, GE’s financing is also restricted specifically for GE Centricity, GE’s EHR product.

On December 24, 2009, GE extended the financing terms available for its Centricity EMR software to other health IT products, including Centricity Enterprise and Centricity Business, a financial and administrative tool for providers.  According to Healthcare IT News:

GE executives say they have seen strong interest in the program, with demand exceeding $140 million in sales opportunities.

In the current economic environment, vendor financing may be the best (if not the only) option for healthcare providers seeking to qualify for incentive payments under ARRA.  However, such  providers should be aware of the many potential pitfalls and related issues inherent in vendor-financed deals, including: (1) additional pressure from vendors to accept standard contractual terms and conditions; (2) failing to obtain necessary warranties from vendors that their systems will comply with all relevant requirements under ARRA and the HITECH Act and will permit the provider to achieve meaningful use; (3) dealing with problems that may arise if either the vendors’ products fail to achieve certification, or the provider fails to achieve “meaningful use” in a timely manner, as well as a host of other issues. 

These issues are the subject of an upcoming article by yours truly in the Journal of Health Information Management.  We will link to the article when it becomes available online.

"Siemens Unveils Flexible Financing Solutions to Help Providers Achieve Meaningful Use," Fierce Healthcare (December 16, 2009).

"GE expands healthcare IT loan program," Healthcare IT News (December 24, 2009).

"GE Unit Offers Interim Loans to Hospitals, Health-Care Providers" The Wall Street Journal (June 16, 2009), B3.

"G.E. Offers Loans for E-Health Record Purchases," New York Times Bits Blog (June 15, 2009).
 

Timely advice: Begin preparations for "meaningful use" now

Our collaborator and friend James Oakes, a Principal at Health Care Information Consultants, LLC in Baltimore, Md., authored a wise and timely call for action for healthcare providers hoping to capitalize on the incentive payments for meaningful use of certified EHR technology included in the HITECH Act. 

The article, appearing in BNA's Health IT Law & Industry Report, argues that even though the HHS has yet to produce final regulations defining such key HITECH Act terms as "meaningful use" and "certified EHR technology," healthcare providers should not wait any longer to begin planning for the transition from paper to digital records, or the likely required updates to existing EHR systems:

Given the uncertainty surrounding these issues, a number of providers have elected to delay any action towards selecting and implementing an electronic health record (EHR) for their institution until answers are made available, reasoning that they want to know as much as possible before committing to a direction. However, providers who take this path may put themselves at risk for forfeiting eligibility for ARRA funds at all, given the time to execute and implement systems.

 

Oakes suggests several initial steps to EHR implementation:

  1. Gain a high-level understanding of the basic provisions of ARRA and the HITECH Act.
  2. Develop a realistic plan for your institution based on your assessment of the level of automation that is right for your circumstances, environment, and budget.
  3. Discuss the implementation, transition and any relevant software changes with your current health IT vendor.  Considering the huge increase in demand in HIT services, it is important to secure your vendor's support and involvement early on, so that your organization does not end up at the end of the line.
  4. Know the health IT market because your organization will benefit from having the most customized solution (as opposed to, e.g.,  the most expensive or feature-rich), at the right price.

"Get started!" urges Oakes:

Going through all of these steps will not be accomplished overnight. Indeed, past experience suggests that if a hospital has not started these steps already, it will take from 24 months to 48 months for a mid-sized hospital to transition from planning to live operation, including full use of clinical capabilities. Given that ARRA incentives start phasing down in FY 2013 for physicians (2014 for hospitals), it is not beyond the realm of possibility that an institution that waits too long to start could find itself shut out of maximum incentive payments.

You can find the full article, courtesy of BNA's Health IT Law and Industry Report, here.

CBS News reports on EHR efforts

By popular demand, here is the video of David Pogue's report on the Obama Administration's efforts to digitize patient records in the U.S. 



"Charting a New Course," CBS News (September 13, 2009).

New York Times interviews David Blumenthal

David Pogue, a reporter for the New York Times, posted the transcript of his interview with Dr. David Blumenthal, National Coordinator for Health IT. Mr. Pogue interviewed Dr. Blumenthal for a CBS news report on digitization of healthcare in America (the video is available after the jump).

Here are some highlights from the interview:

On current state of health IT in the US:

We found that about 17 percent of physicians in 2008 had adopted an electronic health record, and about ten percent of hospitals. <...> The rest is paper. It's basically the same system that physicians have used since Hippocrates, which is writing on some piece of paper.

On reimbursement penalties for those failing to achieve meaningful use by 2015:

From 2011 to 2015, there is a bonus. The Congress has put $45 billion on the table to ease physicians and hospitals into this new world of computerized medicine. After 2015, if you have not adopted, and you see Medicare or Medicaid patients, you may experience a penalty. 2015 is six years off. Six years is plenty of time for physicians to get themselves organized to put a record in place and avoid those penalties.

 

On cost of EMRs:

On average, the cost is between $40,000 and $50,000, of which about a third is the software and the hardware, about a third is the cost of getting it set up in the office, and about a third is maintaining it. Much of the expense is related to the cost of implementing and the cost of maintaining it over time.

On privacy and security:

Privacy and security are foundational to a modern health information system. You cannot get the computer into this business without assuring people that their information, their personal information, will be safe.

So we are looking at the best possible technical solutions, technical protections, to privacy and security. We want to make sure that we have looked at every opportunity for encryption, every security device that the best minds can think of, to make information safer. We've got it in other parts of the industry, but we don't have it for healthcare. So I think that's a very important agenda item for us.

<...>

There are two kinds of anxieties. One is that their data may be used for purposes that they haven't authorized it. So if they haven't authorized their personal data to be used for research, they don't want it for that purpose. And the way the law gets around that problem is by saying that information should be de-identified; that is, it should be abstracted from the record in a way that can never be traced back to that individual.

And then that information can be used for research on drug safety, or research on the value of particular treatments, or anything else that may be useful to human health.

There's another kind of fear, and that is the fear of the breach or break-in, or hacking. And there have been some examples of that.

That's where better encryption and better barriers to hacking are critical. And, you know, we have a new cybersecurity initiative that President Obama has put in process. It's well known that the security of information is a national need for defense purposes. It's also, I think, a very important need for this domestic policy purpose. So we want to work with that security initiative to know that we've taken advantage of everything that the federal government and the computer industry knows about how to keep records secure.

Finally, the big picture:

Well, it's a big challenge, it's an exciting challenge, and a historic challenge. There's nothing that's worth doing that's easy to do in life, and this is one of those.

But I really think that history is on the side of this activity. To be a 21st-century physician, to be a 21st-century hospital, we can't record data the same way the Greeks did in 500 B.C. We've gotta move to use the computer to support our work. And that's what we're trying to do.

There'll be bumps on the road. We're not gonna be perfect. We'll make mistakes. But I think the wind is at our back in terms of the historical trends. And we'll get there, sooner or later.

"Computerized Health Records," New York Times (October 15, 2009).

"Charting a New Course," CBS News (September 13, 2009).

 



A note of caution about vendor guarantees on "meaningful use"

According to Modern Healthcare, several HIT vendors, including GE Healthcare, NextGen Healthcare Information Systems, and Athenahealth, will guarantee that their EHR products will meet or "evolve to meet" the federal requirements for "meaningful use," even though such requirements have not been promulgated yet by CMS.  In fact,

Athenahealth recently upped the ante by guaranteeing that, not only will the company's AthenaClinicals Internet-based electronic health-record service meet federal standards, but the doctors who use it will receive a bonus payment for the 2011 program year under the terms of the [HITECH Act].

The HITECH Act provides for a first-year incentive payment of $18,000 for those eligible professionals who achieve meaningful use of certified EHR technology in 2011 or 2012, instead of a first-year payment of $15,000 thereafter.

Some vendors hope that such guarantees will spur activity in the market, persuading some reluctant healthcare providers not to wait until CMS issues its final "meaningful use" regulations next year.  There is also some doubt whether such guarantees apply to each vendor's existing customers or solely to new customers.

However, whenever a healthcare organization enters into an EMR purchase or license agreement, it must obtain strong warranties from the vendor that its product(s) and system will meet the applicable federal requirement standards at time of issuance of such standards, as well as for duration of the applicable license.  "Meaningful use" requirements will likely change over the life of a license, and a vendor's obligation to meet such evolving standards is absolutely essential.  Healthcare providers must also include proper remedies and appropriate carve-outs from vendor's limitation of liability for a vendor's breach of such warranties.

Of course, such warranties are just the tip of the iceberg.  If meeting "meaningful use" criteria is essential to your healthcare organization, your EMR license agreements should include robust testing and acceptance provisions; vendor warranties regarding meeting major milestones on time; warranties regarding compliance with patient information privacy and security laws; clauses securing your ownership and access to patient data, along with many other significant provisions.

"HITS Beyond: IT vendors say products will meet unknown guidelines," Modern Healthcare (September 28, 2009).

PWC Survey Findings May Support North Shore's EMR Gamble

The New York Times reported last week that the North Shore-Long Island Jewish Health System (North Shore) will offer its 7,000 affiliated (though not employed by North Shore) physicians subsidies for implementing electronic health records.  Interestingly, this subsidy does not include the approximately $44,000 in Medicare incentive payments under ARRA, nor does it prevent such physicians from qualifying for them.

North Shore plans to subsidize 50% of the total cost of the EMR system (which uses Dell hardware and Allscripts software) for practices "who simply install electronic health records that can communicate between the doctor's office, labs and hospitals."  However, the health system will subsidize 85% of the total cost of the EMR -- a figure driven, no doubt, by the exceptions to the Stark and Anti-Kickback laws -- for physicians willing to share some of their patient data. 

North Shore is counting on the availability of shared data to reduce the cost of care through reduction of unnecessary tests and medical mistakes.  A recent PriceWaterhouseCoopers (PWC) survey may support North Shore's reasoning.  The survey found broad agreement among healthcare executives with respect to secondary uses of EMR patient data.  Among other findings (discussed after the jump), the PWC survey found that 42% of organizations already using some form of secondary data use achieved cost savings, 29% increased their revenue, and 59% saw improvements in quality of care.

The Times implied that with this move, North Shore may be seeking a competitive advantage as well:

Digital links, analysts say, can also tighten the bonds between doctors and the hospital groups that subsidize the computerized records. In most local markets, independent physicians typically have admitting privileges at more than one nearby hospital, and so hospitals compete for doctors as well as patients.

There are, of course, risks associated with the North Shore program, including significant delays or even failure to realize significant savings from the EMR adoptions, and uncertainty about the privacy and security measures for sharing patient data among affiliated providers.

However, both the North Shore program and the PWC survey findings suggest that often-reluctant physicians are beginning to accept the inevitability of the widespread use of electronic health records, and are trying to capitalize on the many benefits of EMR systems, including the potential for improving the quality of care and reducing costs.

According to Healthcare IT News, the PWC survey found that the "data that could be mined from a health system can improve patient care, predict public health trends and reduce healthcare costs," though "a lack of standards, privacy concerns and technology limitations are holding back progress."  In particular:

  • Nine in 10 healthcare executives believe that the secondary use of health information will significantly improve the quality of patient care and offers the promise of even greater benefits in the future.
  • Nearly two thirds (65 percent) of health organizations say they expect their secondary data use to increase significantly within the next two years.
  • Among organizations already using some form of secondary data, 59 percent have seen quality improvements, 42 percent have achieved cost savings, 36 percent have seen patient/member satisfaction improve and 29 percent have increased revenue.
  • Providers who are not using secondary data say the number one reason is lack of EHR implementation, not because they are opposed to the concept. Health plans are farthest behind in their secondary use of data despite their vast repository of comprehensive claims information from physicians, hospitals, pharmacies and dentists.
  • Ninety percent of pharmaceutical companies have limited or no access to health information contained in electronic health records.
  • Most health organizations that use secondary data do so for their own quality monitoring and reporting and for identifying areas that need quality improvement.

"E-Records Get a Big Endorsement," The New York Times (September 28, 2009).

"Survey: Secondary use of electronic health data will improve care, cut costs," Healthcare IT News (October 1, 2009).

HIT Standards Committee endorses privacy and security standards

On September 15, 2009, the HIT Standards Committee endorsed a set of privacy and security standards for electronic health record systems.  These standards will be recommended to Dr. David Blumenthal, the National Coordinator for Health Information Technology, as a basis for establishing the privacy and security criteria for, inter alia, "certified EHR technology" as defined under the HITECH Act.  Eligible healthcare providers must meet the criteria for "meaningful use" of "certified EHR technology" in order to qualify for significant incentives available under the HITECH Act.

The committee’s Privacy and Security Workgroup included access control, authentication, authorization and transmission of health data among the requirements that electronic health record systems must include by 2011 in order to meet the definition of "certified EHR technology."   Specifically for 2011, the Standards Committee approved the Workgroup's recommendation to require certified products to provide the capabilities necessary to support the HIPAA and ARRA security and privacy requirements and best practices for “meaningful use.”  The endorsed privacy and security standards will become more rigorous in 2013 and 2015.

You can find the spreadsheet of endorsed privacy and security standards here.

You can also view the presentation from the Workgroup here.

"Federal panel okays EHR security, privacy standards," Government Health IT (September 15, 2009).

 

 

HHS News: Interim Final Regulations on Breach Notification; Regional Office Privacy Advisors

On August 19, 2009, pursuant to the HITECH Act, the Department of Health and Human Services (HHS) published the interim final regulations regarding breach notification requirements for health care providers and other entities covered by HIPAA. 

According to the HHS press release:

The regulations, developed by the HHS Office for Civil Rights (OCR), require health care providers and other HIPAA covered entities to promptly notify affected individuals of a breach, as well as the HHS Secretary and the media in cases where a breach affects more than 500 individuals. Breaches affecting fewer than 500 individuals will be reported to the HHS Secretary on an annual basis. The regulations also require business associates of covered entities to notify the covered entity of breaches at or by the business associate.

You can find the text of the regulation here.

Stay tuned for more analysis of this important set of regulations on this blog. The interim final regulations are effective 30 days after publication in the Federal Register and include a 60-day public comment period. 

Also, pursuant to Section 13403(a) of the HITECH Act, the HHS Secretary Kathleen Sebelius designated an individual in each regional office of HHS (Regional Office Privacy Advisors) in order "to offer guidance and education to covered entities, business associates, and individuals on their rights and responsibilities related to the HIPAA Privacy and Security Rules."  The names, addresses, and contact information for each of the Regional Managers are listed here, together with a list of the States for which each Regional Manager has responsibility.

"HHS Issues Rule Requiring Individuals Be Notified of Breaches of Their Health Information," HHS Press Release (August 19, 2009).

"Designation of Regional Office Privacy Advisors," HHS Press Release (July 27, 2009).

Government Health IT: CCHIT to serve temporarily as sole EHR certifier

Via Government Health IT:

The federal Health IT Policy Committee today endorsed recommendations that would leave the Certification Commission for Health IT in the short term as the sole organization authorized to certify health IT systems that qualified for funding under the economic stimulus plan. More certifying organizations would be added later.

Certification of electronic health record systems that met federal criteria for “meaningful use” of health IT could start as early as October, members of the Department of Health and Human Services’ Health IT Policy Committee said at the August 14th meeting.

Under the plan, CCHIT would provide a preliminary stamp of approval that health IT systems were HHS-qualified or certified until a final meaningful use regulation is published at the end of the year, said Marc Probst, chief information officer of Intermountain Healthcare and co-chairman of the Committee’s certification work group.

Preliminary certification is meant to give providers and vendors enough certainty to proceed with planning, designing and purchasing systems in 2010. The HHS certification-qualification would mean that a provider purchasing the systems would be eligible for Medicare and Medicaid incentive payments under the stimulus law beginning in 2011.

"CCHIT will be sole health IT certifier, for now," Government Health IT (August 14, 2009).

Maryland awards $10M for CRISP, a health IT exchange

The State of Maryland awarded $10 million to support the Chesapeake Regional Information System for our Patients (CRISP), a newly created health information technology exchange organization.  Some of the biggest players in Maryland's health care industry, including Johns Hopkins, MedStar and the University of Maryland Medical System, are going to participate in CRISP.

According to the Baltimore Business Journal:

Funding will come from the hospitals that will receive a slight increase in the prices they can charge patients and federal stimulus money.

The news comes as health care officials and lawmakers champion electronic medical records as a way of reducing health care costs. They argue that electronic medical records will reduce costs by hopefully eliminating unnecessary tests and reducing errors by allowing doctors to quickly access patients’ medical records.

State health insurers plan to provide incentives to hospitals, which include a lump sum payment or increased reimbursement, to adopt electronic health records.

"Maryland awards $10M for health IT exchange," Baltimore Business Journal (August 5, 2009).

 

New York Times reports on privacy concerns about use of de-identified health information

The New York Times reported on Americans' growing concern regarding commercial use of their personal health information, especially the use of re-identified prescription drug information for marketing purposes.

The article points out correctly that the Recovery Act of 2009 (ARRA) included a few key changes to the present privacy regime, which would make it more difficult for pharmacies and data mining companies to use patient information for marketing or fundraising purposes.  While the new law (and the upcoming applicable HHS regulations sanctioned by ARRA) will close a few loopholes in the current medical privacy regime, data mining companies like IMS Health and Verispan do not seem to be overly worried about these new developments:

The law won’t shut down the medical data mining industry, but there will be more restrictions on using private information without patients’ consent and penalties for civil violations will be increased. Government agencies are still writing new regulations called for in the law.  <...>

IMS Health reported operating revenue of $1.05 billion in the first half of 2009, down 10.6 percent from the period a year earlier. [An IMS representative] said he did not expect growing awareness of privacy issues to affect the business.

The Times article also touches on a few other important areas of concern for privacy advocates:  the effect of widespread adoption and use of electronic health records (EHRs) and personal health records (PHRs) on privacy and security of patients' protected health information.

Interestingly, the article notes that while "Microsoft and WebMD acknowledge that the privacy rules in the stimulus law apply to them," "Google says the law’s prohibitions do not apply to it, except for its duty to report any breaches of medical privacy."  According to a Google spokeswoman, "Google is bound by the privacy policy that people agree to when they sign up."  Right after the enactment of the Recovery Act, Google claimed that the additional privacy rules included in the ARRA did not apply to its PHR products.  However, Google acknowledged the applicability of ARRA's data breach notification requirements a few months thereafter.  This quote in the Times may reintroduce, if not underscore, Google's ambiguous attitude toward applicability of the new privacy and security rules.

"And You Thought a Prescription Was Private," The New York Times (August 9, 2009).

 

 

New York Times reports on the growing threat of medical identity theft

The New York Times reported today on the growing threat posed to patients and consumers by medical identity theft.  The article rightfully notes that this threat may only become more prominent with the widespread adoption of electronic health records technology championed by the Obama Administration. 

According to the Times, over 250,000 Americans are victims of medical identity theft each year, and this number does not include those who are not yet aware that they are victims of such identity theft.  The article profiled one case of medical identity theft, that of Brandon Sharp, a 37-year-old manager at an oil and gas company in Houston:

In Mr. Sharp’s case, someone got hold of his name and Social Security number and used them to receive emergency medical services, which many hospitals are obliged to provide whether or not a person has insurance. Mr. Sharp still does not know whether he fell victim to one calamitous perp who ended up in several emergency rooms or a ring of accident-prone conspirators.

 

The article continued:

In another variant of the crime, someone can use stolen insurance information, like the basic member ID and group policy number found on insurance cards, to impersonate you — and receive everything from a routine physical to major surgery under your coverage. This is surprisingly easy to do, because many doctors and hospitals do not ask for identification beyond insurance information.

Even more common, however, are cases where medical information is stolen by insiders at a medical office. Thieves download vital personal insurance data and related information from the operation’s computerized medical records, then sell it on the black market or use it themselves to make fraudulent billing claims.

The new privacy and security regulations included in the HITECH Act are aimed at increasing protections for privacy of patient information (e.g., new accounting and reporting rules, as well as rules regarding access to and accuracy of a patient's record).  HHS has yet to provide some regulation around such privacy and security requirements.

Finally, the Federal Trade Commission's "Red Flags Rule" is aimed at preventing medical identity theft.  In fact, one of the FTC's suggestions to healthcare organizations for identity theft prevention is to institute a practice of checking patients' ID before providing services to such patients.

"Your Medical Problems Could Include Identity Theft", New York Times (June 12, 2009).

 

EHR Market to reach $1.6BN in 2013

Healthcare IT News reports that a new study projects that the market for equipment and software related to electronic health records will reach $1.6 billion in 2013, which is almost three times more than last year's value.  The EHR market was estimated at $575 million in 2008.  ARRA is, of course, the main reason for such a steady rise in market value:

Driven by the growing use of EMRs in hospitals and physician offices, this segment of the patient monitoring market will grow 23.3 percent annually through 2013, notes the report, "High-Tech Patient Monitoring Systems Markets (Remote and Wireless Systems, Data Processing, EMR Data Transfer)."

Increased use of EMRs and high-tech patient monitoring systems is a key piece of President Barack Obama's plan to fix the ailing healthcare system, the report notes, because they have the potential to improve patient outcomes and satisfaction, provide cost savings and more efficient use of healthcare resources and reduce hospitalizations.

Full article here.

"Market for EMRs pegged at $1.6 billion by 2013", Healthcare IT News (June 4, 2009).

NCVHS issues summary of its hearing on "meaningful use"

The National Committee on Vital and Health Statistics (NCVHS) held a public meeting on April 28-29, 2009 in Washington, DC to help define and clarify the term “meaningful use” with respect to such term's use under the HITECH Act.  

NCVHS provided a summary report of  "the themes elaborated upon by the over 100 stakeholders who provided oral and written testimony" during the hearing.  The report is merely a digest of testimony, and does not include commentary or recommendations from NCVHS.

You can find the full report here.

Maryland's new HIT legislation

On May 19, 2009, Governor O'Malley of Maryland signed into law a bill requiring private insurance companies to offer healthcare providers financial incentives to adopt healthcare information technology (HIT), while establishing penalties for those providers who do not bring an electronic medical records system on line by 2015.  According to the Baltimore Sun,

The stimulus money went to Medicare and Medicaid, which are to give it to doctors who adopt electronic medical records. But because Medicare and Medicaid account for less than half of payments to many providers, state Health Secretary John Colmers said, private insurers are now being enlisted to add incentive, beginning in 2011.

The bill allows insurers to choose among several forms of inducement - increased reimbursements, lump-sum payments or in-kind services - so long as it has a monetary value.

"The goal here in Maryland was to assure that all of the payers pull their oars in the same direction," Colmers said. "There is a great promise in electronic health records, but the greatest promise comes when it's done in a coordinated fashion, across all of the payers."

The new law also requires Maryland to develop "a health information exchange, a computer network that would link all of Maryland's physicians, hospitals, medical laboratories and pharmacies. It could be linked with those of other states to create [a] national network."

"Bill pushes doctors to computerize records", The Baltimore Sun, May 19, 2009.

Maryland General Assembly HB706 "Electronic Health Records - Regulation and Reimbursement"

HHS releases Recovery Act Implementation Plans

On May 15, 2009, the U.S. Department of Health and Human Services (HHS) released Recovery Act implementation plans:

HHS is moving quickly and carefully to award Recovery Act funds in an open and transparent manner that will achieve the objectives of each ARRA program. Implementation plans provide detailed information regarding the goals, funding, contracts competition, contract type, and accountability mechanisms.

HHS and the Office of National Coordinator for Health IT (ONC) released two such implementation plans aimed specifically at accelerating the adoption of health information technology pursuant to the HITECH Act:  the Recovery Act Implementation Plan for Medicare and Medicaid incentives, and the accompanying Implementation Plan from the ONC.

Washington Post examines HIMSS role in securing HIT stimulus funding

The Washington Post provides an interesting behind-the-scenes account of how the funds for electronic health records adoption were included in the American Recovery and Reinvestment Act of 2009, commonly known as the stimulus bill.  The Health Information and Management System Society (HIMSS) played a crucial role in this lobbying effort.  According to the Post:

[HIMSS] had worked closely with technology vendors, researchers and other allies in a sophisticated, decade-long campaign to shape public opinion and win over Washington's political machinery.

You can read the whole article here.

Steve Fox featured in For the Record's May 2009 Cover Story

Steve Fox was interviewed in this month's Cover Story, "The Big Push," in For the Record, a biweekly magazine for health information management professionals, regarding the incentives and challenges of EHR adoption.  On incentives included in the HITECH Act, Steve argued that:

“it’s almost crazy not to adopt EHRs because we’re talking about a significant amount of money ... From my discussions with hospitals and other physicians, the consensus seems to be that leaving that large sum on the table would just be foolish. Some hospitals I’ve spoken with are anticipating this will bring in millions.”

Steve also identified interoperability as a crucial goal for EHR systems:

“Trying to encourage not just adoption of EHRs but having them all interconnected is definitely the next step and perhaps even the definition of success in the end ... Hospitals need to be connected with one another or the EHRs are not being used to their full potential. Take Philadelphia, for instance. There are a lot of hospitals there but almost no connectivity among them. If a patient has his records at one hospital but gets taken to a different hospital, there’s no way to access his records, even if they do have an EHR in place.”

You can read the full article here.

This just in: New HHS guidance about securing protected information

From HHS:

On April 17, 2009, HHS issued guidance specifying the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals, as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act passed as part of American Recovery and Reinvestment Act of 2009 (ARRA). This guidance was developed through a joint effort by OCR, the Office of the National Coordinator for Health Information Technology (ONC), and the Centers for Medicare and Medicaid Services (CMS).

This guidance relates to two forthcoming breach notification regulations – one to be issued by HHS for covered entities and their business associates under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Sec. 13402 of HITECH) and one to be issued by the Federal Trade Commission (FTC) for vendors of personal health records and other non-HIPAA covered entities (Sec. 13407 of HITECH). HITECH requires these regulations to be published within 180 days of enactment. If the entities subject to the regulations apply the technologies and methodologies specified in the guidance to secure information, they will not be required to provide the notifications required by the regulations in the event the information is breached.

The Guidance can be viewed (in PDF) here.

Update: Healthcare Informatics Interviews Steve Fox and Ed Shay about the HITECH Act, Parts III and IV

Healthcare Informatics Editor-in-Chief Anthony Guerra recently talked with our own Steve Fox and fellow Post & Schell partner Edward Shay about the substance of the HITECH Act and what this new legislation means for healthcare providers. The interview appears under the "Online Exclusives" section of the Healthcare Informatics Web site.

Healthcare Informatics recently published Part III and Part IV of the interview on its Web site.

In the news: "Octomom" privacy breach at Kaiser Permanente; uptick in HIT stocks; and more

  • After what has become a rather typical breach of patient privacy for Southern California, Kaiser Permanente fired fifteen employees (and disciplined eight additional employees) for looking at the medical records of Nadya Suleman, the mother of octuplets commonly referred to as "Octomom".  Previously, similar breaches occurred at UCLA when that medical center's staff leaked celebrities' medical records to the tabloids.  (MercuryNews.com, via AP, March 30, 2009.)
  • The Wall Street Journal reported last week that HIT stocks, especially those of smaller companies like eClinicalWorks (which provides the software component of Wal-Mart's new EHR package), will benefit greatly from the billions of dollars in HIT funding included in the stimulus bill.  Also, in another sure sign of a growing industry, Quality Systems, the maker of the NextGen EHR software, is "beefing up its sales force." ("Stimulus Funds for E-Records Augur Big Windfall for Small Health Firms", Wall Street Journal, March 24, 2009.)
  • A new bill has been introduced in the Pennsylvania Senate that would ban businesses from collecting personal data from driver's licenses.  This should also serve as a good reminder for businesses not to collect or store more information than absolutely necessary.  (Pennlive.com, March 30, 2009.)
  • Perot Systems will launch a new service tomorrow (April 1, 2009) to help hospitals achieve "meaningful use" status under HITECH, geared towards meeting the interoperability and standardization of HIT use.  (Healthcare IT News, March 30, 2009.)

 

Debate on EHR Savings Rages at Harvard

A battle royal rages on among various Harvard physicians about the effects of a widespread adoption of EHR technology.  In a Wall Street Journal op-ed, two Harvard doctors questioned President Obama's claim that nationwide adoption of EHR technology will save the taxpayers as much as $80 billion annually.   Drs. Groopman and Hartzband call on Mr. Obama to "apply real scientific rigor to fix our health-care system rather than rely on elegant exercises in wishful thinking."  

However, three other Harvard physicians, including Geek Doctor John Halamka, published a Letter to the Editor in response to the Groopman/Hartzband Op-Ed, claiming that the latter did not present a full or accurate picture of the positive effects of widespread adoption of EHR technology.  In part, Drs. Halamka, Bates and Middleton claim that:

The electronic health record represents a transformational change in healthcare, and will enable an array of improvements—although it will not necessarily result if implemented badly. The electronic record is to the paper record as the automobile was to the horse and buggy. No one will want to go back.

 

Separately, Stephen B. Soumerai, a Harvard Medical School professor (with a University of Alberta co-author, Sumit R. Majumdar), published an Op-Ed in the Washington Post supporting the Groopman/Hartzband claim that EHR technology is not going to produce the promised mass savings because major studies

have found that electronic records with computerized decision support did not result in a single improvement in any measure of quality of care for patients with chronic conditions including heart disease and asthma.

Soumerai and Majumdar sadly concluded that "a $50 billion investment in health information technology won't do much for many Americans." 

This did not go unnoticed by Halamka and the EHR enthusiasts, Drs. Bates and Middleton.  Their response in another Letter to the Editor (this time, in the Washington Post), systematically deconstructed Soumerai and Majumdar's conclusions, reinforcing the theme articulated by Halamka, Bates and Middleton in the Wall Street Journal:  bad implementation can lead to bad results; EHRs are the way of the future, and the focus should be on how to improve quality of care, not whether to implement EHR technology.  The Letter to the Editor also cited specific examples of savings produced by successful adoption of EHR technology:

a detailed case study of the cost and quality benefits of EHR at Family Care of Concord, NH found net benefits per clinician per year of $30,324. Another study of hospital-based provider order entry identified net savings of $1.7 million per year from drug dosing guidance, nursing time utilization, and error prevention.

While the fight continues at Harvard, there is some positive news from Wall Street.  The Wall Street Journal reports that the HIT funding included in the stimulus appears to boost stock prices of certain HIT vendors, including Quality Systems Inc. (QSII), Athenahealth Inc. (ATHN) and Allscripts-Misys Healthcare Solutions Inc. (MDRX).  Thus, it appears the stimulus is working for someone.  Let's hope the EHR enthusiasts at Harvard are correct, and that we will all benefit from lower costs, increased efficiency and higher-quality health care as a result of nationwide EHR adoption.

"Obama's $80 Billion Exaggeration", Wall Street Journal, March 11, 2009.
"Bad Bet on Medical Records", The Washington Post, March 17, 2009.
"Health IT Push Helps Physician Practice Software Stocks", Wall Street Journal, March 23, 2009.

Healthcare Informatics Interviews Steve Fox and Ed Shay about the HITECH Act

Healthcare Informatics Editor-in-Chief Anthony Guerra recently talked with our own Steve Fox and fellow Post & Schell partner Edward Shay about the substance of the HITECH Act and what this new legislation means for healthcare providers.  The interview appears under the "Online Exclusives" section of the Healthcare Informatics Web site.

In Part I and Part II of the interview, Steve and Ed discuss the incentives for hospitals and physician practices included in the HITECH Act; new regulations to be promulgated by HHS Secretary under this Act; and what actions hospitals and physician practices should be considering at this time in order to qualify for the incentive payments under the Act.

Part III is coming soon, and we will update this entry when it is published on Healthcare-Informatics.com. 
 

UPDATED: ARRA Includes Major Changes to Healthcare Privacy Law

The HITECH Act includes a number of provisions regarding confidentiality, privacy and security of protected health information, which significantly affect both the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the HIPAA Privacy and Security Rules. The Act provides for different enforcement dates for nearly each of the provisions, but some of them already went into effect upon ARRA’s enactment on February 17, 2009. Furthermore, the Act directs the HHS Secretary to promulgate regulations regarding various privacy and security provisions, thereby delaying enforcement until the completion of the rule-making process. Consequently, there is still much uncertainty regarding the new privacy and security regime, as established by this Act.

Some of the most significant changes include:

  • New breach notification requirements for covered entities. The Act requires covered entities to notify individuals in writing if their protected health information (PHI) is disclosed, lost or otherwise compromised. The notices must be given within sixty (60) days of discovering the breach; if the breach involves 500 or more individuals, the covered entity must also inform HHS and “prominent media outlets serving a state or a jurisdiction.” There are also “temporary” breach notification requirements for commercial personal health record vendors, such as Google Health, Microsoft Vault and Revolution Health; however, Google Health has claimed that the Act’s provisions do not apply to Google. We will have to await the final regulations to see if they remove any ambiguity in this area.
  • Business Associates are now subject to HIPAA. Third-party administrators, health information technology vendors, benefit providers and consultants are now directly subject to certain specified HIPAA privacy and security rules and regulations. (Please note that this change in particular may require a review of existing Business Associate Agreements as well as revision of any new BAAs entered into.)

  • State Attorneys General may now bring state actions to enforce HIPAA, seeking statutory damages and attorneys’ fees for violations. Previously, such enforcement was exclusively limited to the Office of Civil Rights within HHS.
  • The Act restricts a covered entity’s right to refuse an individual’s request not to use or disclose PHI if: (i) disclosure is to a health plan for carrying out payment or health care operations (not for treatment); and (ii) the PHI “pertains solely to a health care item or service for which the health care provider involved has been paid out of pocket in full.” Previously, the covered entity was not required to agree to such requested restrictions.
  • The Act requires a covered entity using or disclosing PHI, or requesting PHI from another covered entity, to limit “to the extent practicable” disclosure of PHI to the “limited data set” as defined under HIPAA, or, if more information is “needed,” to the minimum necessary “to accomplish the intended purpose of such use, disclosure, or request, respectively.” Depending upon the forthcoming guidance from HHS (due within 18 months), this may require considerable education, training and additional resources necessary to implement this new requirement.
  • The Act removes an exception that excused covered entities from accounting for disclosures of PHI to carry out treatment, payment and health care operations. When this becomes effective (which depends on when an EHR is acquired), all such disclosures must be accounted for if the disclosure was made “through” an EHR. However, the right to an accounting of such disclosures only applies to the 3 years prior to the date on which the accounting is requested, rather than the 6 years currently permitted under HIPAA.
  • Covered entities and business associates will be prohibited from receiving remuneration in exchange for any PHI of an individual without first obtaining an authorization from such individual (subject to certain exceptions). The authorization must specify whether the original receiver of PHI may further exchange it for remuneration. This will go into effect in approximately 24 months after ARRA’s enactment.
  • A covered entity that “maintains” an EHR is required to produce a copy of a patient’s PHI in electronic format upon an individual’s request, and if the individual so chooses, to transmit the copy directly to an entity or person designated by the individual. A fee for such service may not be greater than the covered entity’s labor costs in responding to the request for the copy.
  • The Act imposes new restrictions on covered entities’ and business associates’ marketing communications to potential buyers or users of their products. This is also subject to certain exceptions and qualifications depending on the purpose of the communications and whether any payments are involved.

HITECH Act Will Benefit Higher-Ed Institutions

HHS may award grants to eligible institutions “to carry out demonstration projects to develop academic curricula integrating certified EHR technology in the clinical education of health professionals.” Eligible institutions are limited to:

  • a school of medicine, osteopathic medicine, dentistry, or pharmacy, a graduate program in behavioral or mental health, or any other graduate health professions school;
  • a graduate school of nursing or physician assistant studies;
  • a consortium of two or more schools described above; or
  • an institution with a graduate medical education program in medicine, osteopathic medicine, dentistry, pharmacy, nursing, or physician assistance studies.

 

However, the Act imposes two major limitations: (1) Applicant schools must contribute at least 50 percent of the funding (unless such co-payment would be detrimental to the program due to national economic conditions, in which case upon notification to Congress such cost-share arrangement may be waived); and (2) Eligible schools cannot use amounts received under this program to purchase hardware, software, or services. These funds are meant exclusively for adapting the school’s curricula to the new technology, which may mean that schools may not use HHS funds to hire consultants to develop such programs for them.


The Act also authorizes HHS to assist all education institutions in establishing or expanding health informatics programs. Schools may receive federal assistance to develop and implement HIT curricula, courses and certification programs; recruit students; acquire necessary equipment (and installation of such equipment); and establish or enhance bridge programs between community colleges and universities. Priority will be given to existing education programs and programs designed to be completed in six months. However, as noted above, eligible programs must contribute at least 50% of the funding, subject to the economic conditions exception described in the above paragraph.
 

HITECH Act Will Benefit Physician Practices

Physician practices are eligible to receive up to $44,000 per physician for meaningful use of certified EHR technology (as described here*):

  • Up to $18,000 for the first year (dropping to $15,000 if the first year is not 2011 or 2012); $12,000 for the second year; $8,000 in year 3; $4,000 in year 4; and $2,000 in year 5.  (See table after the jump.)
  • There will be no incentive payments for practices establishing their meaningful EHR use after 2014 (e.g., beginning 2015).
  • Meaningful EHR use by physicians will be further defined by regulations, but at a minimum, includes the use of e-prescribing and participation in “the electronic exchange of health information to improve the quality of health care, such as promoting care coordination,” i.e., HIEs or RHIOs.
  • There is a 10% premium for physicians with practices in under-serviced areas.
  • However, if a physician practice does not achieve meaningful EHR status by 2015, Medicare reimbursement fees will be reduced by 1% in 2015, 2% in 2016, 3% in 2017 and beyond; and the Secretary will have the right to reduce fees by 5% starting in 2018 for those practices where meaningful EHR use is under 75%.

 

In lieu of Medicare reimbursements, certain physician practices may also be eligible to receive up to $65,000 in Medicaid reimbursement payments if they achieve standards of meaningful use similar to the Medicare requirement.

  • States will reimburse up to 85% of the cost of implementation of EHR, possibly starting in 2011, but starting no later than 2016, with 2021 being the final year for Medicaid reimbursements.
  • First year’s payment is capped at $25,000 and may include reimbursed costs associated with purchase, implementation or upgrade of EHR technology, or, if provider achieves the meaningful user status, costs incurred if EHR technology is already implemented.
  • Subsequent annual reimbursements will not exceed $10,000 per annual payment, and are intended to cover costs of operation and maintenance of EHR technology.

 * Physicians, unlike hospital systems, are specifically required to demonstrate the use of e-prescribing as part of their EHR use.

 

UPDATED: HITECH Act will Benefit Hospitals

Each eligible hospital (a “subsection (d) hospital,” as defined under 42 U.S.C. §1395ww(d)(1)(B), which does not include psychiatric hospitals, rehabilitation hospitals, children’s hospitals or long term care hospitals) that achieves "meaningful" EHR use may qualify to receive from Medicare an amount equal to the product of the following formula:

Initial Amount
($2 million plus additional amounts calculated in accordance with each hospital’s Medicare discharges)

X

Medicare Share
(roughly, a hospital’s share of Medicare discharges over total discharges)

X

Transition Factor:

Year 1 – 100%
Year 2 – 75%
Year 3 – 50%
Year 4 – 25%
Year 5 – 0%

“Meaningful users” are hospitals or physician practices able to demonstrate that their EHR technology is connected in a way that improves the quality of health care through reported results on clinical quality and other measures selected by the Secretary. Meaningful EHR use includes quality reporting and may be demonstrated by attestation, survey response, appropriate claims or quality reporting, or such other manner as the Secretary specifies.  Of course, the question remains as to how HHS will define “meaningful” use, and we will just have to wait until the end of this year to find out. The concern is that if HHS raises the bar too high, it will exclude hospitals that will be unable to achieve it within a reasonable time.

 

“Certified EHR technology” will be technology that is certified by an independent body recognized by the Secretary as meeting standards for such technology established by the Secretary by rulemaking before Dec. 31, 2009.

Hospitals can receive both Medicare and Medicaid incentives (calculations for the latter are linked to Medicaid discharges). The Medicaid portion can be accelerated (50% in one year or 90% in two years).  Also, Medicaid incentives are not restricted to subsection (d) hospitals. Thus, for example, although a children’s hospital does not qualify for Medicare incentive payments, its Medicaid incentives may produce a much higher amount of reimbursements.

Some calculations indicate that the maximum combined Medicare and Medicaid payments may total up to $11 million, while $6 million to $8 million payments should be more typical. Below is a sample breakdown* of reimbursement payments (from both Medicare and Medicaid) for hospitals under the Act:


 

Hospitals may also receive additional aid from the federal government if they participate in HHS’s health information technology extension program. At the heart of the program, the newly established HIT Research Center (“Center”) will provide technical assistance and disseminate best practices to support and accelerate efforts to implement and operate healthcare information technology in accordance with the standards, specifications and certification criteria to be established under the Act. As part of its duties, the Center will:

  • provide a forum for the exchange of knowledge and experience;
  • accelerate the transfer of lessons learned;
  • analyze and disseminate evidence and experience;
  • provide technical assistance to regional and local information exchanges;
  • develop solutions for barriers to the electronic exchange of information; and
  • develop effective strategies for the use of HIT in medically underserved communities.

On a more local level, Regional Extension Centers (RECs) will provide technical assistance and disseminate best practices learned from the Center to aid and accelerate implementation and use of HIT. Each REC must be affiliated with one or more nonprofit organizations. Support will be available for up to four years of funding aimed to cover up to 50% of each REC’s capital and operating expenses.


In making its funding decisions, HHS will consider the REC applicant's ability to provide assistance and utilize technology appropriate to the needs of particular categories of health care providers; the types of services the proposed REC will provide to health care providers; the geographical diversity and extent of the proposed REC’s service area; and the percentage of funding and amount of in-kind commitment from other sources the REC applicant can secure.


Public, nonprofit and critical access hospitals, community health centers, individual or small practices and entities that serve the uninsured and underinsured, as well as medically underserved persons, will be given priority in receiving assistance. In less than 90 days, HHS will produce a description of the extension program, including a detailed explanation of the program and the program’s goals; procedures to be followed by the REC applicants; criteria for determining qualified REC applicants; and the maximum support levels expected to be available to RECs under the program.