Certifying EHRs for "Meaningful Use"

On November 2, 2009, the Texas-based Drummond Group Inc. announced in a press release that it will apply to become a certifying body once the Office of the National Coordinator for Health Information Technology (ONC) releases its requirements for bodies that certify Electronic Health Records (EHR). ONC is currently working on the scope and definition of "meaningful use" for EHR, expected to be finalized in early 2010. Along with these new policies on meaningful use of EHRs, ONC announced plans to expand the number of EHR certification agencies to support the new initiative.

Currently, the only approved EHR certification agency, since 2004, is the Certification Commission for Health Information Technology (CCHIT).

HITECH Workshop for Camden-area Hospitals

Friday, November 20, 2009

Virtua Center for Learning
Classroom A
1200 Howard Blvd.
Mt. Laurel, NJ

Covered entities will be required to make notifications of certain HITECH security breaches to the affected individuals, newspaper and media outlets in the state as well as the U.S. Secretary of Health & Human Services. Penalties will be assessed starting February 2010. Learn how to protect your hospital by putting a plan into action today!  The workshop will cover:

  • Breach notification and requirements for business associates
  • Implementation plan for compliance
  • Case scenarios of how the requirements can impact hospital operations, including what steps can be taken to prevent or mitigate risk

You can prevent your hospital from falling behind the trend toward health information exchange. Learn what you need to do to be compliant with this new regulatory requirement. This session is specifically designed for CIOs and compliance, security and privacy officers as well as in-house legal counsel.

For more information on how to register, visit our registration page.

HHS Issues Interim Final Rule to Implement the HITECH Act's Strengthened Civil Money Penalty Scheme

On October 30, 2009, the Secretary of the HHS adopted an Interim Final Rule amending HIPAA’s enforcement regulations relating to the imposition of civil monetary penalties (“CMP”). Most significantly, the Interim Final Rule distinguishes between violations occurring before February 18, 2009 and violations occurring on or after that date with regard to the penalty amount and available affirmative defenses. For violations occurring prior to February 18, 2009, the range of CMP amounts will not change (i.e., maximum penalty amount for each violation is not more than $100 and maximum penalty amount for all violations of an identical requirement or prohibition during a calendar year is not to exceed $25,000). The amendments focus on a Covered Entity’s culpability, and provide the following categories of violations and penalties per violation:

  • Category 1 - Covered Entity did not know of the violation and would not have known through the exercise of reasonable diligence (each violation: $100 to $50,000);
  • Category 2 - Violation was due to a reasonable cause (each violation: $1,000 to $50,000);
  • Category 3 - Covered Entity demonstrated willful neglect but corrected the violation (each violation: $10,000 to $50,000); and
  • Category 4 - Covered Entity demonstrated willful neglect and did not correct the violation (each violation: $50,000).

HHS will not impose the maximum penalty in all cases, but rather, will base the penalty on the nature and extent of the violation and resulting harm, as well as other factors including the Covered Entity’s compliance history and financial condition. Regarding affirmative defenses, on or after February 18, 2009, a Covered Entity may not assert an affirmative defense that it did not know and reasonably should not have known of a violation unless it also corrects the violation during the 30-day period beginning on the first date it learned of the violation or during another period of time determined by HHS (except in the case of violations due to willful neglect—uncorrected category, which are ineligible for an extension of the 30-day period and for which a timely correction cannot serve as an affirmative defense).

The Interim Final Rule specifies that HHS may continue to provide waivers for violations due to reasonable cause and not willful neglect if the violations are timely corrected. Finally, the amendments relocate the terms “reasonable cause”, “reasonable diligence”, and “willful neglect” to signal the terms’ applicability to the entire subpart D, and require HHS to identify the applicable violation category upon which a proposed penalty is based.

HHS invited public comments on: (1) the calculation of the start of the 30-day cure period for purposes of determining the penalty tier for a violation due to willful neglect; (2) whether the reorganization of the definitions of “reasonable cause”, “reasonable diligence”, and “willful neglect” will lead to any unintended consequences; and (3) HHS’ interpretation of certain ambiguous language. Comments are due by December 29, 2009.

Does Oklahoma's New Abortion Law Violate HIPAA?

Yesterday, November 1, 2009, the "Statistical Reporting of Abortion Law" went into effect in Oklahoma. The Statistical Reporting of Abortion Law is just one aspect of a broad and controversial abortion law, which also bans abortions on the basis of "sex of the unborn child." The Statistical Reporting of Abortion Law requires doctors to obtain detailed information from patients seeking abortions that will then be posted publicly through the Oklahoma Department of Health's web site. Some of the required information includes:

  • Date of abortion
  • County in which abortion performed
  • Age of mother
  • Marital status of mother (married, divorced, separated, widowed, or never married)
  • Race of mother
  • Years of education of mother (specify highest year completed)
  • State or foreign country of residence of mother
  • Total number of previous pregnancies of the mother
  • Total number of live births, miscarriages, induced abortions
  • Whether the woman is employed by the State of Oklahoma

The ostensible purpose of the Statistical Reporting of Abortion Law is to collect data about abortions to inform lawmakers about abortion practices in the State. A lawsuit has been filed alleging the law violates Oklahoma's constitution (for reasons unrelated to privacy concerns), but others have expressed concerns that the law violates the spirit, and perhaps the actual provisions, of HIPAA. Some commentators have noted that the information could be used to identify women who have obtained abortions, particularly when they live in small towns. Under HIPAA, "de-identified" protected health information ("PHI") may be used or disclosed for various purposes, including research. De-identified PHI (that is, information that is stripped of details that would identify the patient, such as name, street address, city, county, etc.) can be used or disclosed without restriction; however, HIPAA requires that the entity have no actual knowledge that the remaining information could be used, alone or in combination with other information, to identify an individual. Opponents of the law's reporting provisions believe that under certain circumstances women can be identified based on the information requested, resulting in a violation of HIPAA. More to come as challenges to the law continue.
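As an added illustration (not part of this post), the script below applies the k-anonymity measure to a release of the kind described above: it counts how many rows share each combination of the listed attributes, flags combinations held by fewer than k women, and shows how a publisher could generalize and suppress before posting. The rows and the generalization policy are constructed for the example and do not come from any real report.

```python
from collections import Counter

# Constructed sample rows (invented values, not real reports) using the
# fields the Oklahoma law lists: county, age, marital status, race,
# years of education, state of residence. Name and address are already gone.
SAMPLE_ROWS = [
    ("Harmon", 24, "never married", "White", 12, "OK"),
    ("Tulsa", 24, "never married", "White", 12, "OK"),
    ("Tulsa", 24, "never married", "White", 12, "OK"),
    ("Tulsa", 27, "never married", "White", 16, "OK"),
    ("Oklahoma", 22, "never married", "White", 13, "OK"),
    ("Tulsa", 29, "divorced", "Black", 14, "TX"),
    ("Harmon", 31, "married", "Native American", 16, "OK"),
    ("Oklahoma", 37, "married", "Hispanic", 18, "OK"),
]


def identity(row):
    return row


def class_sizes(rows, key=identity):
    """For each row, the number of rows sharing its quasi-identifier values."""
    counts = Counter(key(r) for r in rows)
    return [counts[key(r)] for r in rows]


def min_k(rows, key=identity):
    """The k of k-anonymity: size of the smallest equivalence class."""
    return min(class_sizes(rows, key))


def risky_rows(rows, threshold=5, key=identity):
    """Rows whose attribute combination is shared by fewer than `threshold`
    rows. A class of size 1 is a unique record: anyone who already knows a
    neighbour's age, county, marital status and so on can link it to her."""
    return [r for r, k in zip(rows, class_sizes(rows, key)) if k < threshold]


def generalize(row):
    """Hypothetical generalization policy: drop county, bucket age into
    10-year bands, collapse education to below / at-or-above 12 years."""
    _county, age, marital, race, edu, state = row
    return (age // 10 * 10, marital, race, "12+" if edu >= 12 else "<12", state)


def safe_release(rows, threshold=5, key=generalize):
    """Generalize every row, then suppress any row whose generalized class
    is still smaller than `threshold`. What remains is k-anonymous for
    k >= threshold, at the cost of dropping whole rows."""
    generalized = [key(r) for r in rows]
    return [g for g, k in zip(generalized, class_sizes(generalized)) if k >= threshold]


if __name__ == "__main__":
    print("raw min k:", min_k(SAMPLE_ROWS))                          # 1
    print("raw rows below k=3:", len(risky_rows(SAMPLE_ROWS, 3)))    # 8
    print("generalized min k:", min_k(SAMPLE_ROWS, key=generalize))  # 1
    released = safe_release(SAMPLE_ROWS, threshold=3)
    print("released rows:", len(released), "min k:", min_k(released))  # 5 5
```

Note that in the constructed sample every raw row is unique or near-unique, and even after generalization three rows still stand alone and must be suppressed; generalization alone does not make a small-population release safe.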

Oh Where, Oh Where Will the Red Flag End Up (or Down)?

I had an inkling this was going to happen – and, as suspected, the FTC has (yet again) delayed the enforcement deadline for the health care industry, with the latest deadline pushed all the way to June 1, 2010. Without a doubt, recent developments over the last several weeks have helped spur this latest bump.

For instance, on August 27, 2009, the American Bar Association (ABA) filed a lawsuit against the FTC to bar the FTC’s enforcement of the Red Flags Rule against lawyers on November 1, 2009. That challenge proved successful when Judge Walton of the U.S. District Court for the District of Columbia granted the 400,000-member ABA summary judgment on October 29, 2009.

On October 8, 2009, Rep. John Adler (D-New Jersey) introduced H.R. 3763 specifically to exclude health care providers, accountants, and legal practices with 20 or fewer employees from having to comply with the Red Flags Rule. On October 20, 2009, that legislation passed the House and was referred to the Senate, where it is under consideration.

What does all the foregoing mean for the health care industry? For one, doctors, hospitals, and other health care providers that qualify as “creditors” under the Red Flags Rule have more time to develop and adopt their Identity Theft Prevention Program. Second, health care providers with 20 or fewer employees, such as smaller physician practices, will want to keep an eye on H.R. 3763 to see whether its enactment will exempt them from complying with the Red Flags Rule altogether. Finally, watch for other industry groups that may now, in light of the ABA’s successful action, consider filing similar actions to set aside the FTC’s regulation of their members; however, it is not clear whether such actions would be as successful as the ABA’s, given that medical identity theft is a documented and real issue in the healthcare industry.

Covered Entity Liability for Business Associate Ignorance of Breach under HITECH -- Really?

For covered entities (CEs) who have tight privacy and security measures in place, the breach notification requirements under HITECH (amending HIPAA) might not seem especially onerous.  But what about breaches the CE doesn't know about?  What if the CE's business associate (BA) fails to report a breach of unsecured health information?  What if the BA doesn't even know about the breach? 
 
The Interim Final Rule published by the Office of Civil Rights (OCR), Department of Health and Human Services (HHS) on August 24, 2009 confirms what others doubted when I raised the paranoid-sounding possibility:  "yes, a CE must meet the breach notification requirements and timeline, even when the CE is not responsible for, and does not even know about, a breach." The Interim Final Rule explains that the Secretary of HHS will "attribute knowledge of a breach by a workforce member or other agent (other than the person committing the breach), which may include certain business associates, to the covered entity itself." 
 
The date a breach is discovered is extremely important (it triggers the 60-day notice requirement). The fact that a CE has no actual knowledge of a BA's breach, and might not even know whether the BA is exercising diligence in detecting possible breaches, will not protect the CE from liability for failing to find out about and provide required notice of the breach. The clock starts running when the BA knew, or should have known, about the breach. According to OCR, "covered entities should ensure their workforce members and other agents [such as BAs, depending on whether they count as "agents" under the federal common law of agency] are adequately trained and aware of the importance of timely reporting of privacy and security incidents and the consequences of failing to do so."
 

Governance Considerations from HIT for the Board and Other Hospital Stakeholders - The Need for an IT Champion to Serve as a Link between IT Personnel and Other Stakeholders - Installment 7

This is the seventh installment in a series of blog posts that relate to the governance concerns surrounding developments in HIPAA, HITECH and HIT.

For a number of months this series has been emphasizing the importance of establishing a credible and knowledgeable liaison at the governing body and/or senior administrative level to articulate and educate the diverse stakeholders about the new challenges and initiatives in HIPAA and HIT. The liaison should be a champion and advocate for a rational and comprehensive approach for HIT.

The increasing complexities and costs of new IT systems and the need to demonstrate their “meaningful use” have greatly raised the stakes in this area for hospitals. Errors or false starts in HIT and the financial consequences of HIPAA violations under HITECH can be materially injurious to the organization’s finances, public image, internal stability and quality of patient care. They can also cause the loss of potential subsidies under HITECH.

Often the IT leader at a hospital does not have sufficient standing or the skill set to serve as the champion. It was not the principal reason that he or she was hired. In such a case the governing board should recruit either a knowledgeable board member or a senior staff person to serve this function.

The article on October 20, 2009 by Molly Merrill, Associate Editor of Healthcare IT News, adds further confirmation of the need for a qualified IT champion.

Ms. Merrill wrote that a new survey, conducted by Ponemon Institute and sponsored by San Jose, California-based LogLogic, shows that IT practitioners believe their organizations are lacking when it comes to protecting patient information. Moreover, Ms. Merrill continues, “[a]ccording to the study, 61 percent of [IT] practitioners believe their organizations don't have enough resources to meet privacy and data security requirements – and 70 percent think senior management doesn't consider it a priority.”

Ms. Merrill quotes the survey as concluding the following:

Without resources and support from senior management, preventing the loss of data may be very difficult. We recommend that organizations pursue a strategy of assigning accountability for the protection of electronic health information, appropriate technology to prevent the insider threat (such as DLP [data loss protection] solutions) and senior management buy-in for the necessary resources to get the job done right. [Emphasis supplied]

This survey underscores the frustrations and challenges facing the majority of IT leaders at hospitals. They may lack the standing within the organization to make a meaningful impact on senior management and the governing board. Even if they hold a high-level position within the organization and are highly proficient in their jobs, they may not be sufficient champions to interpret their complex world to their senior management and governing boards. It is incumbent on these organizations to identify a champion who possesses the skills to absorb and interpret the complex IT world for stakeholders who have limited knowledge of the subject.

[To be continued in Installment 8]

Let the Breach Notifications Begin! . . . (in 30 days, or so)

The U.S. Department of Health and Human Services (HHS) announced today in a news release that it has issued new regulations requiring health care providers, health plans, and other entities (e.g., now also Business Associates) covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals, and in some instances the media and HHS, in the event of a "security breach" of "unsecured" protected health information (PHI). Yesterday, the FTC also issued a press release stating that it had finalized its rule on security breach notification, which will apply to vendors of personal health records. Both HHS' and FTC's “breach notification” regulations implement provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Both sets of regulations are effective 30 days after publication in the Federal Register (which has not occurred just yet), but the HHS press release indicates that its rule will include a 60-day public comment period. However, the HITECH Act specifies that its breach notification requirements (e.g., Sections 13401-13402) apply to breaches discovered on or after the date 30 days after publication of the interim final rules. Therefore, those required to comply with such provisions of the HITECH Act should be prepared to comply with its security breach notification requirements by some time towards the end of September.

Click here to link to a copy of the HHS' Interim Final Breach Notification Rule.

Distressed Hospital Survival Through HIT?

[Installment 6 - Governance Considerations from HIT for the Board and Other Hospital Stakeholders]

On August 4, 2009 the Associated Press reported at http://www.usatoday.com/news/health/2009-08-04-electronic-medical-records_N.htm that Sac-Osage Hospital, a 47-bed hospital in rural western Missouri, “is borrowing nearly $1 million to pitch its paper medical charts and purchase a state-of-the-art electronic health records [EHR] system. The hospital is hinging its survival on what it hopes will be a $3 million windfall of federal incentives for hospitals that go digital.”

This survival strategy for Sac-Osage Hospital is hazardous because there is an inherent risk in the hoped-for windfall in 2011 under the economic stimulus law. As the AP report goes on to state: “The risk lies in the federal government's ultimate definition of what constitutes a ‘meaningful use’ of electronic records.”

As I reported in my fifth blog post on July 28, 2009, health providers will have to meet minimum prescribed standards (the meaningful use) for their EHRs if they are to benefit in the future from the federal economic stimulus package under the HITECH Act to recoup a portion of the heavy costs that they will incur to implement their EHRs programs. 

The bet that Sac-Osage Hospital says it is making by borrowing to invest in EHRs is the highest - the very survival of the hospital. Its Board and Administration have clearly made the determination that other possible alternatives for capital financing and investment by the hospital will not have the monetary potential return of the HITECH windfall. It is somewhat sobering that Sac-Osage Hospital bases its financial survival plan not on more effective delivery of healthcare or new treatment modalities but on digitalization of its health records. However, a positive by-product of EHRs and the demonstration of “meaningful use” that will be needed to realize the fruits from HITECH of an investment in EHRs presumably will be fewer medical errors, a more efficient healthcare delivery system and a higher quality of care.

Unfortunately for Sac-Osage Hospital and other health providers seeking to benefit from the HITECH windfall, the landscape for qualification could change markedly over the next two years. As technology evolves, the expectations as to what constitutes meaningful use may rise. Sac-Osage Hospital and other small rural hospitals will also be competing for a share of HITECH money with larger and better-financed institutions that are much further advanced with EHRs.

Other challenges can come not just from the crystallization of “meaningful use” but also the enactment of the health reform package that is looming ahead. The package itself may directly or indirectly affect how EHRs are to be generated and used, thereby impacting programs for implementing HIT. 

Hopefully, the substantial majority of hospitals are not in a mode that their survival depends on the stimulus money from implementing EHRs. However, the Boards of health care providers cannot afford false starts and mistakes if they are to meet the meaningful use standards of the HITECH Act on a timely basis. These matters must be appropriately analyzed and monitored continuously at a high level in the hospital, with committed Board oversight. 

[To be continued in Installment 7]

"In The Event That I Can No Longer Make Decisions For Myself, I Wish ..." - Storing Advanced Directives on GoogleHealth

Google Health and the National Hospice and Palliative Care Organization's Caring Connections have partnered to allow patients to store and access their advance directives online. Advance directives are essentially "directions" that a person gives to their medical professionals about what interventions they wish to have provided or withheld under specific circumstances -- especially in emergencies and at "end-of-life" moments -- when such person cannot express those wishes himself or herself. Advance directive laws vary from state to state, but typically require such directives to be in writing, signed, and to have a personal representative listed.

GoogleHealth and Caring Connections will offer a "living will" feature that allows users to download a free state-specific advance directive and store completed and signed scanned documents securely online in their GoogleHealth account. By "storing" such advance directives in GoogleHealth's centralized repository, the hope is to offer providers a better method to ensure that a patient's true wishes with regard to health care interventions are honored. But, will it?

What had me wondering is how exactly the provider will access the advance directive on Google Health without the individual (who presumably has lost his or her ability to communicate) providing his or her password. I suppose that in instances where a personal representative has been appointed, the individual could make sure to provide such password to his/her personal representative -- but watch out, because if the personal representative changes, then the password may need to change too. Another option may be for individuals to pre-authorize their entrusted health care provider with access to their personal Google Health account. Yet this also has problems, since one does not necessarily know which emergency room provider might end up providing care.

Nevertheless, even with its limitations, Google Health's new advance directive feature will likely be beneficial in many circumstances. To learn more about GoogleHealth and Caring Connections' new advance directive feature, click here.