Highmark Reports Breach of 3700 Customer Records

Chalk this one up to a flimsy envelope. Highmark Blue Cross Blue Shield has reported that the personal data of approximately 3,700 of its customers was lost when an envelope sent to an employer, containing names and Social Security numbers, was torn and damaged in transit.  The insurer is offering affected individuals a year of free credit monitoring.   Highmark is also complying with the HITECH Act's breach notification rules, including notifying the media, since the breach involved more than 500 residents of one state.  See Highmark tells customers personal information lost

Lesson: Use stronger envelopes when mailing sensitive data.  Sometimes data protection is that simple.  Better still, ask whether Social Security numbers need to travel on paper at all; a list that is never printed cannot fall out of an envelope.

Tennessee Blues' Data Theft May Impact 500,000 Members

With the HITECH breach notification rules weeks away from taking effect, BlueCross BlueShield of Tennessee is scrambling to control the damage from the October 2009 theft of 57 hard drives containing sensitive patient information. In a notice posted on its website as of January 13, 2010, the company stated that hard drives containing audio and video files related to coordination-of-care and eligibility telephone calls from providers and members were stolen from a former call center, including video images from the computer screens of customer service representatives and audio files of recorded phone conversations. The files contained members' personal data and protected health information, including members' names and BlueCross ID numbers, diagnostic information, dates of birth and Social Security numbers. This information was encoded but not encrypted, and the company has no evidence that the data has been accessed or used by the thieves. "Encoded" here means only that the recordings were stored in a particular audio/video file format; it is not a protective control, since anyone with software that reads the format can play them back. Had the drives been encrypted at rest in the manner described in the HHS guidance on securing PHI (which points to NIST Special Publication 800-111 for data at rest), the data would not have been "unsecured" PHI and the notification obligations discussed below would not have been triggered.

The company has chosen to voluntarily follow the HITECH notice rules, which formally take effect on February 22, 2010. It estimates that the breach may have affected up to 500,000 members in all 50 states. So far, it has identified approximately 220,000 members whose data may have been compromised and is in the process of sending them notices by mail. It has identified 32 states with 500 or more members whose data may be at risk. The company has notified the Secretary of HHS, the State of Tennessee, the attorney general's office and the media in each state with 500 or more affected members, and all three credit bureaus.

The company is also offering a one-year free credit-monitoring membership through Equifax to affected members, and three tiers of additional protective services based on the amount of information believed to have been compromised.

The company's first challenge has been to identify affected members, and it has engaged Kroll, a national security consulting firm, to assist. Unlike patient information in text or database format, which could be searched quickly to identify patients at risk (and just as quickly "mined" for identity theft purposes), the hundreds of thousands of audio and video recordings must be reviewed manually.

HHS Releases Excellent Compendium of Privacy and Security Resources

The Secretary of Health and Human Services (HHS) released today a compendium of reports on state law, business practices, and policy variations to assist health information exchange efforts.  I reviewed some of the documents linked through HHS's e-mail and find it extremely helpful that the government is aggregating resources on its website to be used by all in their HIE and RHIO efforts.  The links and summaries of each report provided in HHS's e-mail are reprinted below:

  • Report on State Medical Record Access Laws: This report analyzes state laws that are intended to require health care providers (specifically, medical doctors and hospitals) to afford individuals access to their own health information, and identifies potential barriers to the electronic exchange of health information.  Specific state law provisions examined: scope of medical records to which patients are afforded access, format of information furnished, deadlines for responding to requests, fees for furnishing copies, record retention laws and access to records of minors.

  • Report on State Law Requirements for Patient Permission to Disclose Health Information: In Phase I of the HISPC project a majority of participants reported significant variation in the business practices and policies surrounding the need for and process of obtaining patient permission to use and disclose personal health information for a variety of purposes, including for treatment. This report furthers the initial work of this project by collating and analyzing state laws that govern the disclosure of identifiable health information for treatment purposes to identify commonalities and differences.

  • Releasing Clinical Laboratory Test Results: Report on Survey of State Laws: For this report, state statutes and regulations were analyzed to determine to whom clinical laboratories may release test results. The report focused on clinical laboratory and hospital licensing laws (which contain standards for hospital laboratories). It also examined general state medical record access laws to determine whether they provide an avenue for patients to access their clinical laboratory results directly.

  • Report on State Prescribing Laws: Implications for e-Prescribing: This report identifies and analyzes the impact and variation of state laws related to e-prescribing.  The report addresses state laws related to the e-prescribing of controlled and non-controlled substances as well as topics such as record keeping and content requirements, out-of-state prescriptions, and generic substitution laws.

  • Perspectives on Patient Matching: Approaches, Findings, and Challenges: This report analyzes various approaches to matching patients to their health information in the context of electronic health information exchange.  Current and potential methods for matching patients to their health records are discussed, challenges to performing patient matching such as scalability and ease of use are analyzed, and the types of information some HIOs use to match patients to their health records are described.

Getting Meaningful with EHR

The Health Information Technology for Economic and Clinical Health Act, or the "HITECH Act", provides incentive payments for adoption and meaningful use of HIT and qualified EHRs.  CMS published a proposed rule defining "meaningful use" on December 30.  It is 566 double-spaced pages long, and can be found here:  http://www.federalregister.gov/OFRUpload/OFRData/2009-31217_PI.pdf.

An eligible physician or other professional (“EP”) or hospital will be deemed to be a meaningful EHR user of technology certified by HHS if the user:

(1) demonstrates use of certified EHR technology in a meaningful manner;

(2) demonstrates to the satisfaction of the Secretary of HHS that certified EHR technology is connected in a manner that provides for the electronic exchange of health information to improve the quality of health care such as promoting care coordination, in accordance with all laws and standards applicable to the exchange of information; and

(3) using its certified EHR technology, submits to the Secretary, in a form and manner specified by the Secretary, information on clinical quality measures and other measures specified by the Secretary.

The measures include:

  • Implement drug-drug, drug-allergy and drug-formulary checks.
  • Input at least one diagnosis based on ICD-9-CM or SNOMED CT, or an indication of none, for 80% of all unique patients seen by the EP or admitted to an eligible hospital.
  • Maintain active medication lists for 80% of patients seen or admitted.
  • Record demographic information, including preferred language, insurance type, gender, race, ethnicity and date of birth, for 80% of patients seen or admitted.
  • Record blood pressure and BMI, and plot the growth chart for children aged 2 to 20, for 80% of patients seen or admitted.
  • Record smoking status for 80% of patients aged 13 or over.
  • Generate lists of patients by specific conditions to use for quality improvement, reduction of disparities, research and outreach.
  • Implement five clinical decision support rules relevant to the specialty or to a high clinical priority, including for diagnostic test ordering, along with the ability to track compliance with those rules.
  • Check insurance eligibility electronically for 80% of patients.
  • Submit 80% of claims electronically.
  • Provide a summary of care record for at least 80% of transitions of care and referrals.
  • Use computerized provider order entry (CPOE) for 80% of orders.
  • Transmit at least 75% of all permissible prescriptions electronically.
  • Report clinical quality measures as required by HHS.
  • Send electronic reminders to at least 50% of all unique patients seen by the EP who are 50 years of age or over.
  • Provide requested electronic copies of patients' health information within 48 hours of the request in 80% of cases.
  • Provide patients with timely electronic access to their health information (including diagnostic test results, problem list, medication lists and allergies) within 96 hours of the information becoming available to the EP, for at least 10% of all unique patients seen by the EP.
  • Provide clinical summaries to patients for each office visit for at least 80% of all office visits.

Incentive Payments for Hospital-Based Physicians under HITECH

The devil is in the definition, at least when it comes to getting financial incentive payments for the adoption of electronic health records (EHR). The American Hospital Association (AHA) recently asked the White House Office of Health Reform, the Department of Health and Human Services, and the Centers for Medicare & Medicaid Services to revise the definition of "hospital-based" so that physicians working in hospital outpatient clinics or hospital-based facilities can receive incentive payments from Medicare and Medicaid under the American Recovery and Reinvestment Act (ARRA).

In many ways, AHA's request makes sense. If ARRA is to incentivize "meaningful use" of EHR, it should not exclude physician users practicing in off-site clinic or outpatient locations -- these are often the very physicians whose implementation and use of EHR is key to the creation of a community-wide EHR infrastructure. In other ways, though, AHA's request is a vexing reminder of the mental contortions required to maintain the old meanings and purposes of terms while introducing new ones.

Whether an outpatient or "provider-based" clinic qualifies as part of the hospital for reimbursement purposes varies from state to state and from payer to payer. AHA's request to expand the definition for purposes of ARRA incentive payments seems to make sense from an EHR-policy implementation perspective, but folding in yet another "hospital-based" definition for ARRA purposes challenges the conceptual integrity of the word -- and starts to make my head spin.

The AHA letter is available at http://www.aha.org/aha/letter/2009/091204-let-hit-arra.pdf.

Answers to Burning EHR Questions

Do you have questions about selecting, implementing and using an Electronic Health Record (EHR), including:  

  • What do you need to consider when selecting an EHR?
  • What is "meaningful use" and how can you qualify for ARRA incentive payments?
  • What are the steps and secrets to successful EHR implementation?
  • What are some of the legal issues you need to consider before and after adopting an EHR?
  • What are the new privacy and security requirements that apply to EHRs?

Join us as Stevie Davidson, Dr. Jack Cappittelli and Helen Oscislawski discuss the answers to these questions and more, as well as offer practical advice based on their personal experience with EHRs. 

When:   Thursday, December 10, 2009

Time:   12:00-1:30 pm (lunch will be served)

Where:  Fox Rothschild LLP
        Princeton Pike Corporate Center
        997 Lenox Drive, Building 3
        Lawrenceville, NJ
        Board Room

To register, visit our registration page.

16 Houston Hospital Employees Fired for Snooping

Harris County Hospital District, a Houston-area health system, has fired 16 employees for HIPAA violations, according to the Houston Chronicle. The employees reportedly accessed the records of a first-year resident being trained at one of the District's hospitals, following the resident's admission for treatment of injuries she suffered in a shooting incident in a supermarket parking lot.

HIPAA requires a covered entity to adopt and apply "appropriate sanctions" against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity or the HIPAA Privacy Rule.  The Department of Health and Human Services stated in the preamble to the rule that the type of sanction applied would vary depending on factors such as the severity of the violation, whether the violation was intentional or unintentional, and whether the violation indicated a pattern or practice of improper use or disclosure of protected health information. Sanctions could range from a warning to termination.

The Harris County Hospital District may have elected to terminate the employees to send a strong message that "snooping" in records, even where a co-worker is the patient, will not be tolerated for any reason. It is worth noting that snooping of this kind only comes to light if the EHR records who opened which chart and someone actually reviews those logs; the HIPAA Security Rule's audit controls standard (45 CFR 164.312(b)) requires mechanisms to record and examine activity in systems that contain electronic PHI, and a high-profile admission such as this one is exactly the kind of record whose access logs deserve a targeted review.

Certifying EHRs for "Meaningful Use"

On November 2, 2009, the Texas-based Drummond Group Inc. announced in a Press Release that it will submit to become a certifying body upon the release of the Office of the National Coordinator for Health Information Technology (ONC) requirements for certifying bodies for Electronic Health Records (EHR).  ONC is currently working on the scope and definition of "meaningful use" for EHR, expected to be finalized in early 2010. Along with these new policies on meaningful use of EHRs, ONC announced plans to expand the number of EHR certification agencies to support the new initiative. 

Currently, the only approved EHR certification agency is the Certification Commission for Health Information Technology (CCHIT), which has held that role since 2004.

HITECH Workshop for Camden-area Hospitals

Friday, November 20, 2009

Virtua Center for Learning
Classroom A
1200 Howard Blvd.
Mt. Laurel, NJ

Covered entities will be required to notify the affected individuals, newspaper and media outlets in the state, and the U.S. Secretary of Health & Human Services of certain HITECH security breaches. Penalties will be assessed starting February 2010. Learn how to protect your hospital by putting a plan into action today!  The workshop will cover:

  • Breach notification and requirements for business associates
  • Implementation plan for compliance
  • Case scenarios of how the requirements can impact hospital operations, including what steps can be taken to prevent or mitigate risk

You can prevent your hospital from falling behind the trend toward health information exchange. Learn what you need to do to be compliant with this new regulatory requirement. This session is specifically designed for CIOs and compliance, security and privacy officers as well as in-house legal counsel.

For more information on how to register, visit our registration page.

HHS Issues Interim Final Rule to Implement the HITECH Act's Strengthened Civil Money Penalty Scheme

On October 30, 2009, the Secretary of HHS adopted an Interim Final Rule amending HIPAA's enforcement regulations relating to the imposition of civil monetary penalties ("CMP"). Most significantly, the Interim Final Rule distinguishes between violations occurring before February 18, 2009 and violations occurring on or after that date with regard to the penalty amount and the available affirmative defenses. For violations occurring prior to February 18, 2009, the range of CMP amounts will not change (i.e., the maximum penalty for each violation is not more than $100, and the maximum penalty for all violations of an identical requirement or prohibition during a calendar year is not to exceed $25,000). For later violations, the amendments focus on a Covered Entity's culpability and provide the following categories of violations and penalties per violation:

  • Category 1 - Covered Entity did not know of the violation and would not have known through the exercise of reasonable diligence (each violation: $100 to $50,000);
  • Category 2 - Violation was due to reasonable cause and not willful neglect (each violation: $1,000 to $50,000);
  • Category 3 - Covered Entity demonstrated willful neglect but corrected the violation (each violation: $10,000 to $50,000); and
  • Category 4 - Covered Entity demonstrated willful neglect and did not correct the violation (each violation: $50,000).

In every category, the total penalty for all violations of an identical provision in a calendar year is capped at $1,500,000.

HHS will not impose the maximum penalty in all cases, but rather will base the penalty on the nature and extent of the violation and the resulting harm, as well as other factors including the Covered Entity's compliance history and financial condition. Regarding affirmative defenses, for violations on or after February 18, 2009, a Covered Entity may not assert the defense that it did not know, and reasonably should not have known, of a violation unless it also corrects the violation within the 30-day period beginning on the first date it learned of the violation (or within another period determined by HHS). Violations in the uncorrected willful-neglect category are ineligible for any extension of the 30-day period, and for them a timely correction cannot serve as an affirmative defense.

The Interim Final Rule specifies that HHS may continue to provide waivers for violations due to reasonable cause and not willful neglect if the violations are timely corrected. Finally, the amendments relocate the terms “reasonable cause”, “reasonable diligence”, and “willful neglect” to signal the terms’ applicability to the entire subpart D, and require HHS to identify the applicable violation category upon which a proposed penalty is based.

HHS invited public comments on: (1) the calculation of the start of the 30-day cure period for purposes of determining the penalty tier for a violation due to willful neglect; (2) whether the reorganization of the definitions of “reasonable cause”, “reasonable diligence”, and “willful neglect” will lead to any unintended consequences; and (3) HHS’ interpretation of certain ambiguous language. Comments are due by December 29, 2009.