Let the Breach Notifications Begin! . . . (in 30 days, or so)

The U.S. Department of Health and Human Services (HHS) announced today in a News Release that it has issued new regulations requiring health care providers, health plans, and other entities (e.g., now also Business Associates) covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals, and in some instances the media and HHS, in the event of a "security breach" of "unsecured" protected health information (PHI). Yesterday, the FTC also issued a Press Release announcing its final rule on security breach notification, which will apply to vendors of personal health records. Both HHS' and FTC's "breach notification" regulations implement provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Both sets of regulations are effective 30 days after publication in the Federal Register (which has not occurred just yet), but the HHS press release indicates that its rule will include a 60-day public comment period. However, the HITECH Act specifies that the breach notification requirements set forth in the HITECH Act (e.g., Sections 13401-13402) take effect with respect to breaches that are discovered on or after the date that is 30 days after the date of publication of the interim final rules. Therefore, those required to comply with such provisions in the HITECH Act should be prepared to comply with the HITECH Act's security breach notification requirements by some time towards the end of September.

Click here to link to a copy of the HHS' Interim Final Breach Notification Rule.

Distressed Hospital Survival Through HIT?

[Installment 6 - Governance Considerations from HIT for the Board and Other Hospital Stakeholders]

On August 4, 2009, the Associated Press reported at http://www.usatoday.com/news/health/2009-08-04-electronic-medical-records_N.htm that Sac-Osage Hospital, a 47-bed hospital in rural western Missouri, “is borrowing nearly $1 million to pitch its paper medical charts and purchase a state-of-the-art electronic health records [EHR] system. The hospital is hinging its survival on what it hopes will be a $3 million windfall of federal incentives for hospitals that go digital.”

This survival strategy for Sac-Osage Hospital is hazardous because there is an inherent risk in the hoped-for windfall in 2011 under the economic stimulus law. As the AP report goes on to state: “The risk lies in the federal government's ultimate definition of what constitutes a ‘meaningful use’ of electronic records.”

As I reported in my fifth blog post on July 28, 2009, health providers will have to meet minimum prescribed standards (the meaningful use) for their EHRs if they are to benefit in the future from the federal economic stimulus package under the HITECH Act to recoup a portion of the heavy costs that they will incur to implement their EHR programs.

The bet that Sac-Osage Hospital says it is making by borrowing to invest in EHRs is the highest - the very survival of the hospital. Its Board and Administration have clearly made the determination that other possible alternatives for capital financing and investment by the hospital will not have the potential monetary return of the HITECH windfall. It is somewhat sobering that Sac-Osage Hospital bases its financial survival plan not on more effective delivery of healthcare or new treatment modalities but on digitalization of its health records. However, a positive by-product of EHRs and the demonstration of “meaningful use” that will be needed to realize the fruits from HITECH of an investment in EHRs presumably will be fewer medical errors, a more efficient healthcare delivery system and a higher quality of care.

Unfortunately for Sac-Osage Hospital and other health providers seeking to benefit from the HITECH windfall, the landscape for qualification could change markedly over the next two years. As technology evolves, the expectations as to what constitutes meaningful use may rise. Sac-Osage Hospital and other small rural hospitals will also be competing for a share of HITECH money with larger and better-financed institutions that are much further advanced with EHRs.

Other challenges can come not just from the crystallization of “meaningful use” but also from the enactment of the health reform package that is looming ahead. The package itself may directly or indirectly affect how EHRs are to be generated and used, thereby impacting programs for implementing HIT.

Hopefully, the substantial majority of hospitals are not in a position where their survival depends on the stimulus money from implementing EHRs. However, the Boards of health care providers cannot afford false starts and mistakes if they are to meet the meaningful use standards of the HITECH Act on a timely basis. These matters must be appropriately analyzed and monitored continuously at a high level in the hospital, with committed Board oversight.

 [To be continued in Installment 7]

"In The Event That I Can No Longer Make Decisions For Myself, I Wish ..." - Storing Advanced Directives on GoogleHealth

Google Health and the National Hospice and Palliative Care Organization's Caring Connections have partnered to allow patients to store and access their advance directives online. Advance directives are essentially "directions" that a person gives to their medical professionals about what interventions they wish to have provided or withheld under specific circumstances -- especially in emergencies and at "end-of-life" moments -- when such person cannot express those wishes himself or herself. Advance directive laws vary from state to state, but typically require such directives to be in writing, signed and to have a personal representative listed.

Google Health and Caring Connections will offer a "living will" feature that allows users to download a free state-specific advance directive and store completed and signed scanned documents securely online in their Google Health account. By "storing" such advance directives in Google Health's centralized repository, the hope is to offer providers a better method to ensure that a patient's true wishes with regard to health care interventions are honored. But, will it?

What had me wondering is how exactly the provider will access the advance directive on Google Health without the individual (who presumably has lost his or her ability to communicate) providing his or her password. I suppose that in instances where a personal representative has been appointed, the individual could make sure to provide such password to his/her personal representative -- but watch out, because if the personal representative changes, then the password may need to change too. Another option may be for individuals to pre-authorize their entrusted health care provider with access to their personal Google Health account. Yet, this also has problems where one does not necessarily know which emergency room provider might end up providing them with care.

Nevertheless, even with its limitations, Google Health's new advance directive feature will likely be beneficial in many circumstances. To learn more about Google Health and Caring Connections' new advance directive feature, click here.