HIPAA, HITECH & HIT :: Fox Rothschild LLP

In accordance with the 90-day deadline established for an operating plan to be submitted to Congress on expenditures related to the $2 Billion Dollars appropriated under the American Recovery and Reinvestment Act ("ARRA") relating to health information technology ("HIT"), the Office of the National Coordinator ("ONC") has submitted its proposed ARRA Implementation Plan to Congress. The Plan's proposed Funding Table is as follows:

Of particular interest to many should be the Privacy and Security Spend Plan section.  It specifies that over $24 Million of the federal dollars made available through ARRA would be spent on activities such as enhancing enforcement. More specifically, the Plan indicates that the ARRA funding "will enable the Centers for Medicare and Medicaid Services (CMS) and the Office for Civil Rights (OCR) to carry out mandated audits, make modifications in their case and document management systems, and train State Attorneys General on their new enforcement role."   The Plan even aims to have State Attorneys General trained and ready to enforce HIPAA and HITECH by the end of the Third Quarter of 2009, or around September 2009!  If completed according to schedule, then the federal government could have a bastion of new HIPAA/HITECH enforcement soilders on the ground and ready when the interm final regulations for implementing breach notification for covered entities and business associates are released on August 18, 2009. 

For a copy of the entire Plan, visit HHS' Recovery Website.

• Print
• Comments
• Trackbacks
• Share Link

On December 15, 2008, the Division of Consumer Affairs ("DCA") published its Notice of Pre-Proposed Rule for "Identity Theft, Written Security Programs and Violations."  Comments to the Pre-Proposed Rule are due February 13, 2009.

The pre-proposed Subchapter 3 seeks to require every business and every public entity to implement a comprehensive written information security "program" that includes administrative, technical and physical safeguards for the protection of individuals' social security numbers, driver's license numbers, state identification card numbers, or an account or credit or debit card number in combination with a required code or means of access that account (defined as "Personal Information").   Also "pre-proposed" are specific procedures for handling security breach incidents, including when and what agencies and individuals must be notified, and what information must be included in that notification.  

The original draft of Subchapter 3 was pulled when the regulations proposed pursuant to the Identity Theft Prevention Act were adopted last year on April 7, 2008 due to numerous comments submitted in opposition that original draft.   You can keep an eye out for the next draft to follow this "pre-proposed" version of Subchapter 3 on the NJ Division of Consumers website.

• Print
• Comments
• Trackbacks
• Share Link

The National Health Information Network (NHIN) may get information moving as early as the first quarter of 2009.  In its December 16th Press Release, the Social Security Administration (SSA) indicates that it will begin receiving medical records for some disability applicants via the "MedVirginia" health information exchange (HIE) based in Richmond.  

SSA and MedVirginia were also among several federal agencies and HIEs that participated in demonstrations of the national network during the 3rd annual NHIN Forum in Washington D.C., which took place this December 15-16.  Other federal agencies that are participating in the NHIN Trial Implementation include Centers for Disease Control (CDC), Veterans Administration (VA), Department of Defense (DOD) and Indian Health Service.  There are also several other state HIEs that are actively participating in the NHIN Trial Implementation, including HIE networks from Indiana, North Carolina, Ohio, Delaware, West Virginia. 

As I've posted before, New Jersey is actively working on developing its own state-wide HIE.  The New Jersey Health Information Technology (NJ HIT) Commission is charged with approving the plan for the creation of an infrastructure to move health information, in a confidential and secure manner, among participants in a state-wide RHIO.  On December 4, 2008, I participated in the first meeting of the NJ HIT Commission, which was both inspiring and daunting at the same time, with respect to the road that lies ahead.  Yet, I look forward to working together with the other Commission members during a time of potentially revolutionary changes to health care delivery in this State, and nationally.

• Print
• Comments
• Trackbacks
• Share Link

Assemblyman Herb Conaway introduced legislation (A 3368) today that would establish an electronic Health Information Technology ("e-HIT") Fund to be used to implement the objectives of the Statewide health information technology plan.  The Bill proposes that beginning April 1, 2009, and on a quarterly basis thereafter, each health care payer will pay a "technology reinvestment fee" into the e-HIT fund in an amount equal to 0.199% of one percent of all health care benefits claims paid by the payer for its New Jersey covered persons.  Payers that fail to pay the technology reinvestment fee would be subject to penalties

Not all health benefit plans will be subject to the fee, however.  The Bill excludes the following types of plans from having to pay the technology reinvestment fee:

• Accident only
• Credit
• Disability
• Long-term care
• CHAMPUS
• Workers' compensation
• Automobile medical payment insurance
• PIP
• Hospital confinement indemnity coverage
• Medicaid
• the New Jersey FamilyCare Program, and
• any other State health care assistance program financed in whole or in part through a federal program, unless authorized by federal law and approved by the State.

Some have expressed concern that although private payers would bear the cost of the fee, significant savings that result from the implementation of a State-wide health information exchange would inure to excluded plans. 

Sustaining a RHIO once federal government HIT funding sources are no longer available is an issue that has led to the demise of dozens of RHIOs in previous years.  Congressman Conaway's Bill attempts to address this issue.

• Print
• Comments
• Trackbacks
• Share Link

• Print
• Comments
• Trackbacks
• Share Link

In a June 10 HHS News Release, Secretary Mike Leavitt named the 12 communities that will participate in a 5-year national Medicare demonstration project that provides incentive payments to physicians for using certified electronic health records (EHR) to improve the quality of patient care (the "EHR Demo Project").  The communities selected to work with the CMS on the EHR Demo Project are:

• Alabama
• Delaware
• Jacksonville, FL (multi-county)
• Georgia
• Maine
• Louisiana
• Maryland/Washington, DC
• Oklahoma
• Pittsburgh, PA (multi-county)
• South Dakota (multi-state)
• Virginia
• Madison, WI (multi-county)

Over the five-year span of the project, total financial incentives and bonus payments provided to participating physician practices may be up to $58,000 per physician or $290,000 per practice.  Secretary Leavitt states:

"The use of electronic health records, and of health information technology as a whole, has the ability to transform the way health care is delivered in our nation [and] we believe that EHRs can help physicians deliver better, more efficient care for their patients, in part by reducing medical errors. This project is designed to demonstrate these benefits and help increase the use of this technology in practices where adoption has been the slowest at the individual physician and small practice level."

Although in some respects it is disappointing that New Jersey was not among the communities selected to be a part of the EHR Demo Project, perhaps it is an indication that physicians in this state are ahead of the curve with EHR adoption.  If this is indeed the case, New Jersey may already be well on its way to improving patient care and reducing health care delivery costs through the use of technology ..... making it a "winner" too. 

• Print
• Comments (1)
• Trackbacks
• Share Link

May 23 is the compliance date for the National Provider Identifier (NPI) to be used exclusively for electronic health care claims under HIPAA.  Providers who do not use their assigned NPI after this date may find health insurers starting to reject and return electronic claims.  Although millions of NPI numbers have been issued, it is unclear how may providers are in compliance.  As a result, the next several weeks-to-months are likely to be bumpy as providers begin to find that claims they believe are compliant are rejected.  Some commentators have predicted that if the industry experiences severe problems starting over the Memorial Day Weekend, CMS might relax the deadline.  Health Data Management noted, however, that providers that get too many claim rejections may resubmit the claims on paper. That will enable providers to get paid, but slow the process considerably and adversely affect cash flow.

• Print
• Comments
• Trackbacks
• Share Link

On May 13th, the Office of the Governor announced several direct appointments to the New Jersey Health Information Technology (NJ-HIT) Commission, and I am extremely pleased to pass along that I have been appointed to the attorney seat on the Commission.  I look forward to bringing my experience and enthusiasm to the table, and contributing to the success of the Commission's goals.

The NJ-HIT Commission was created by the New Jersey Health Information Technology Promotion Act, and its members, with the assistance of the Department of Banking and Insurance, are charged with developing, implementing and overseeing the establishment and creation of a state-wide health information technology plan utilizing electronic medical records.  Among other things, the Commission will be looking to the national standards for the State's HIT system for security, privacy, data content, format, vocabulary and information transfer standards.

The Commission will ultimately include over 19 members of the public, including representatives from professional health care organizations from across the State.

In 1994, Thomas Edison State College released a health care information networks and technology study that showed that New Jersey could save as much as $760 million by migrating from paper-based systems to an electronic network.

• Print
• Comments
• Trackbacks
• Share Link

Last week, the Office for Civil Rights (OCR) added a new data section on its Compliance and Enforcement Web Site.  The new section can be viewed at www.hhs.gov/ocr/privacy/enforcement/data.html.  The public can now access enhanced information about several aspects of OCR's enforcement program, including:

• Charts showing state-specific case investigation results;
• Calendar-year enforcement-results graphs and charts;
• Calendar-year graph showing complaint receipts; and
• Yearly variation in the issues in cases resolved through corrective action.

Below is a chart posted on OCR's new data section illustrating enforcement results for New Jersey:

 Another interesting chart lists the top five types of complaints for each of the last 5 years.  It is worth noting that between 2003-2007, the top 4 types of complaints were exactly the same, in the following order: 

• #1 - Impermissible Uses and Disclosures
• #2 - Safeguards
• #3 - Access
• #4 - Minimum Necessary

The last spot has changed from 2003 through 2007, with last year's number 5 spot being taken by "Notice" issues.

• Print
• Comments
• Trackbacks
• Share Link

In general, HIPAA requires a written authorization from an individual before a health care provider can make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.  However, certain mailings and communications with individuals are permissible without having to obtain prior written authorization because they are not considered "marketing" as defined by the HIPAA Privacy Rule.

The following are a few examples of communications that HIPAA does not consider "marketing":

-- Reminders (e.g., "get your annual pap" letter)
-- Providing information about how to manage a particular condition (e.g., tips on diabetes control)
-- General information about new developments in health care
-- Information about health & wellness classes, support groups, health fairs etc.
-- Announcements of a new specialty group or new medical equipment at your facility

Thus, even though many of us who receive such information in the mail consider such flyers to be at least loosely linked to the “marketing efforts” of the sender, HIPAA considers the foregoing to be “communications essential for quality health care.”  Such communications are not subject to HIPAA’s restrictions otherwise applicable to using patient health information for “marketing” purposes.  Thus, a written authorization is generally not required for a health care provider to mail such information to former or current patients.  

• Print
• Comments
• Trackbacks
• Share Link

***Interested parties must register with TESC in order to attend ****

When:    Monday August 6, 2007 from 9:00-12:00.    

Where:   Thomas Edison State College, Prudence Hall, 101 West State Street, Trenton, NJ  

Topic:     NJ RHIO Discussion Forum to share findings, conclusions and recommendations based upon information collected regarding the level of interest in a statewide health information exchange and the degree of economic commitment needed for sustainability. 

Presenters:  Department of Banking and Insurance,  Department of Health and Senior Services,  Department of Human Services,  New Jersey Hospital Association,  Horizon Blue Cross

If you are unable to attend (or it is too late to register), check back after August 6th because I will be posting a summary of the meeting on this Blog under the "New Jersey" category.

• Print
• Comments
• Trackbacks
• Share Link