The New and Improved HIPAA/HITECH Rules: What Employers Need to Know

On February 7, 2013, our partner Keith McMurdy, Esq., posted an excellent entry on the Employee Benefits Blog of Fox Rothschild LLP that merits republishing for our readers as well. The post outlines some direct effects of the new HIPAA Omnibus Rule on employers and their health plans. 

Keith McMurdy writes as follows:


On January 25, the new (final?) rules about HIPAA Privacy under the HITECH Act were issued in the Federal Register. While the effect of the new rules may not be to substantially change the way HIPAA privacy is viewed, there are a number of action items for employers as plan sponsors that have to be accomplished when these rules go into effect.


There are two pieces of good news. The first is that the general purpose of compliance remains the same. Plan sponsors have to ensure PHI is properly protected, refrain from impermissible disclosures and provide notices of security breaches. The second is that the earliest possible deadline for compliance with the new rules is September 23, 2013, so there is some time to prepare. But it is not a bad idea to start preparing now. So let's consider the key changes.


1. Tougher Security Breach Notification Standard


Under the old rule, notification to participants of a security breach was necessary only if the release of information "posed a significant risk of financial, reputational or other harm" to a covered person. Now, that standard is tightened to apply to ANY security breach unless the plan sponsor can prove "a low probability that the [PHI] has been compromised based on a risk assessment." This should encourage plan sponsors to tighten their security breach protections because any release, even things like accidental e-mails, can potentially become reportable events. So the first step in compliance would be to review security standards and document steps taken to avoid security breaches.


2. Tougher Standards for Business Associates Agreements


Because the new rule provides for penalties to a covered entity for breaches by business associates, the default position is that plan sponsors should be much more concerned about how compliant their business associates really are. Where in the past, plan sponsors may have felt comfortable simply handing off certain protection functions to service providers, the new rule makes it pretty clear that plan sponsors have to actually know that their business associates are HIPAA compliant and diligently seek to confirm that compliance.


3. New Privacy Notices for 2013 Open Enrollment


The new rule also requires that plan sponsors add or amend their privacy notices:

  1. The notice must specifically state that the covered health plans are required to obtain plan participants' authorization to use or disclose psychotherapy notes, to use PHI for marketing purposes, to sell PHI, or to use or disclose PHI for any purpose not described in the notice, as well as a statement explaining how plan participants may revoke an authorization.
  2. The notices must state that the plans (other than a long-term care plan) are prohibited from using PHI that is genetic information for underwriting purposes.
  3. The notice must inform plan participants of their right to receive a notice when there is a breach of their unsecured PHI.

The new rules make it clear that since this new language is a "material change," plan sponsors are required to distribute this revised notice, even if they had just recently sent the old notice.


4. Genetic Information and the GINA Notice


The Genetic Information Non-Discrimination Act of 2008 (GINA) prohibits discrimination based on genetic information. The HIPAA Privacy Rule now similarly prohibits HIPAA-covered plans from taking genetic information into consideration when offering incentives or discounts through a health risk assessment. Because this modification of the Privacy Rule materially affects how a plan may use PHI, the HIPAA Privacy Rule requires that plan participants be informed in the plan's privacy notice of the prohibition on the use of PHI for underwriting purposes. See the second item under Part 3, above.


So in the midst of our struggles to comply with PPACA, plan sponsors should not forget about HIPAA medical privacy concerns.  Start pulling together privacy notices, business associates agreements and plan documents for review and amendment.  Review your security practices to avoid even accidental breaches.  And be prepared to issue new notices as necessary for your next open enrollment.  For more detailed information about HIPAA and HITECH Compliance, please make sure to check out our HIPAA Blog as well.  More information means better compliance, which is always a good thing.

HIPAA "Mega Rule", Meet "Super BAA": The CMS Data Use Agreement

The recent release of the HIPAA/HITECH “mega rule” or “omnibus rule” has given bloggers and lawyers like us plenty of topics for analysis and debate, as well as some tools with which to prod covered entities, business associates and subcontractors to put HIPAA/HITECH-compliant Business Associate Agreements (“BAAs”) in place. It’s also a reminder to read BAAs that are already in place, and to make sure the provisions accurately describe how and why protected health information (“PHI”) is to be created, received, maintained, and/or transmitted. 

If you are an entity that participates in the Medicare Shared Savings Program as a Medicare Accountable Care Organization (“ACO”), your ability to access patient data from Medicare depends on your having signed the CMS Data Use Agreement (the “Data Use Agreement”). Just as covered entities, business associates, and subcontractors should read and fully understand their BAAs, Medicare ACOs should make sure they are aware of several Data Use Agreement provisions that are more stringent than provisions typically included in a BAA and that may come as a surprise. Here are ten provisions from the Data Use Agreement worth reviewing, whether you are a Medicare ACO or any other business associate or subcontractor, as these may very well resurface in some form in the “Super BAA” of the future:

1. CMS (the covered entity) retains ownership rights in the patient data furnished to the ACO.

2. The ACO may only use the patient data for the purposes enumerated in the Data Use Agreement.

3. The ACO may not grant access to the patient data except as authorized by CMS.

4. The ACO agrees that, within the ACO and its agents, access to patient data will be limited to the minimum amount of data and minimum number of individuals necessary to achieve the stated purposes.

5. The ACO will only retain the patient data (and any derivative data) for one year or until 30 days after the purpose specified in the Data Use Agreement is completed, whichever is earlier, and the ACO must destroy the data and send written certification of the destruction to CMS within 30 days.

6. The ACO must establish administrative, technical, and physical safeguards that meet or exceed standards established by the Office of Management and Budget and the National Institute of Standards and Technology.

7. The ACO acknowledges that it is prohibited from using unsecured telecommunications, including the Internet, to transmit individually identifiable, bidder identifiable or deducible information derived from the patient files.

8. The ACO agrees not to disclose any information derived from the patient data, even if the information does not include direct identifiers, if the information can, by itself or in combination with other data, be used to deduce an individual’s identity.

9. The ACO agrees to abide by CMS’s cell size suppression policy (which stipulates that no cell of 10 or less may be displayed).

And last, but certainly not least:

10. The ACO agrees to report to CMS any breach of personally identifiable information from the CMS data file(s), loss of these data, or disclosure to an unauthorized person by telephone or email within one hour.

While the undertakings of a Medicare ACO and the terminology in the Data Use Agreement for protection of patient data may differ from those of covered entities, business associates and subcontractors and their BAAs under the HIPAA/HITECH regulations, they have many striking similarities and purposes.

OIG Reports Shortcomings In EHR Incentive Oversight

CMS should improve its oversight of its electronic health record incentive program, according to a report by the Office of Inspector General released this month. The government watchdog agency faults CMS for both inadequate prepayment safeguards and insufficient postpayment monitoring of recipients of federal funding intended to help cover the costs of adoption and implementation of EHR.

As this blog noted earlier this month, some concerns have been raised in a Congressional hearing about how the approximately $7.7 billion in taxpayer funds have been spent to date under the HITECH Act’s incentive program.  In its report, the OIG recommended that CMS:

  • Obtain and review supporting documentation from selected professionals and hospitals prior to payment to verify the accuracy of their self-reported information;
  • Issue guidance with specific examples of documentation that professionals and hospitals should maintain to support their compliance; and
  • Conduct prepayment reviews to improve program oversight.

OIG reported resistance from CMS regarding its recommendation to implement prepayment reviews, which CMS believes would increase the burden on practitioners and hospitals and could delay incentive payments. CMS agreed to take steps to improve program oversight. CMS’s response appears as an exhibit to the OIG report at page 30.

Next, the OIG turned to the Office of the National Coordinator for Health Information Technology (ONC), the government agency that establishes EHR standards and certifies EHR technology. OIG recommended that the ONC:

  • Require that certified EHR technology be capable of producing reports for yes/no meaningful use measures where possible; and
  • Improve the certification process for EHR technology to ensure accurate EHR reports.

ONC concurred with both recommendations, as noted in the letter from Dr. Farhad Mostashari appearing at page 32.

The report noted that CMS currently conducts prepayment validation of professionals’ and hospitals’ self-reported meaningful use information to ensure that it meets program requirements, mostly by checking the math in the reports and verifying EHR certification codes. OIG also noted that CMS plans to audit selected professionals and hospitals after payment using a similar method to select audit targets based on inconsistencies in their reported data. At the time of the OIG review, CMS had not yet completed any postpayment audits.

Among OIG’s findings were:

  • CMS’s prepayment validation functions correctly but does not verify the accuracy of self-reported information.
  • Sufficient data are not available to verify self-reported information through automated system edits.
  • CMS does not collect supporting documentation to verify self-reported information prior to payment.
  • CMS’s planned postpayment audits may not conclusively verify the accuracy of professionals’ and hospitals’ self-reported meaningful use information.
  • Reports from certified EHR technology are not sufficient for CMS to verify self-reported information and may not always be accurate.
  • CMS may not be able to obtain sufficient supporting documentation to verify self-reported information during audits.

Given budgetary pressure and ongoing Congressional oversight, it is likely that CMS and ONC will be looking more closely at how HITECH incentive funds are being applied in the coming year.

PHI Breach Involving Health Plan Leads to Lawsuit by Identity Theft Victims Who Were Plan Members

A previous post to this blog by Patricia McManus pointed out that individuals whose protected health information (“PHI”) is stolen, lost, or otherwise inappropriately used, accessed, or left unsecured have no private right of action against the person or entity responsible for the breach under the HIPAA/HITECH laws. That may change for victims of identity theft who can show the theft was caused by a HIPAA breach, at least if the action is brought in the 11th Circuit.

The 11th Circuit District Court (Southern District of Florida) decision that came out on September 5, 2012 involved stolen unencrypted laptops containing PHI of approximately 1.2 million AvMed (health plan) patients. The lower court had dismissed the originally-filed class action because plaintiffs sought "to predicate recovery upon a mere specter of injury: a heightened likelihood of identity theft." The case was re-filed, naming as plaintiffs a subset of patients whose identities had been actually stolen since the laptop theft, alleging negligence by AvMed in protecting the sensitive information, breach of contract, unjust enrichment, breach of the implied covenant of good faith and fair dealing, and breach of fiduciary duty.


The District Court's decision to deny AvMed's motion to dismiss plaintiffs' claim that AvMed's data breach caused plaintiffs' identity theft was based on its finding that plaintiffs "sufficiently alleged a nexus between the data theft and the identity theft and therefore meet the federal pleading standards . . . ," even though the computers were stolen 10 and 14 months prior to the identity thefts of the two specific plaintiffs named in the action. The court pointed out that both individuals were very protective of their personal data and did not transmit sensitive data electronically or store it on computers. One plaintiff's sensitive information was used to open a Bank of America account and change her address with the US Post Office, while the other plaintiff's sensitive information was used to open an E*Trade Financial account. Neither had experienced identity theft before the theft of the AvMed laptops.


The court also refused to dismiss the plaintiffs' unjust enrichment claim, which was based on the fact that AvMed received premiums that were payments, at least in part, to protect sensitive information with "data management and security measures that are mandated by industry standards." Plaintiffs alleged AvMed failed to implement or inadequately implemented these policies.


If plaintiffs are ultimately successful in obtaining refunds of premiums and/or payments from AvMed for damages incurred as a result of the identity thefts, it could set an interesting precedent for future HIPAA breach victims, particularly if the court’s decision relies (as it seemed to rely in this decision) on the fact that the victims could show they were extremely careful not to store or transmit personal information via electronic means. In this age of intensive use of computers and the Internet for financial transactions, such plaintiffs are probably highly unusual. An individual who makes frequent or even occasional on-line purchases or pays bills electronically and who becomes the victim of a HIPAA breach might have difficulty demonstrating that a subsequent identity theft was the direct result of the breach.

Employers: Beware of PHI "Minimum Necessary" Standards Lurking Under Statutes Other Than HIPAA and State PHI Statutes

A recent posting by our partner Christina Stoneburner, Esq., on the Fox Rothschild Employment Discrimination blog discussed the need for employers to limit the protected health information (“PHI”) that they provide with respect to medical examinations of employees and job applicants to the least amount of medical information necessary for evaluation. Interestingly, the focus of her posting was not disclosure under HIPAA/HITECH, or even state statutes regulating the use of PHI; it dealt with allegations that employees and job applicants had been sent for unnecessary medical examinations in violation of the Americans with Disabilities Act and the Genetic Information Nondiscrimination Act.

Christina summarizes her posting with the following:


In short, the least amount of medical information necessary to evaluate an employee is what should be provided to examiners. For example, if you have an employee being evaluated to see if he can perform the essential functions of his job after a shoulder injury, the examining doctor should not be given the medical records relating to his plantar wart being removed.

In her discussion, Christina noted our blog series respecting large breaches and a particular recent posting by Elizabeth Litten, Esq. Christina also mentioned that the complaint on which her posting focused had alleged, “the employer often turned over Workers' Compensation records . . . , even where those records were not relevant to the examination.”


Workers’ compensation is an area where Christina’s posting comes full circle to our blog’s focus on HIPAA, because HIPAA directly confronts that area by making it clear that only the “minimum necessary” disclosure of PHI is permitted by covered entities without patient authorization, pursuant to 45 CFR 164.512(l):


A covered entity may disclose protected health information as authorized by and to the extent necessary to comply with laws relating to workers' compensation or other similar programs, established by law, that provide benefits for work-related injuries or illness without regard to fault.


The Office of Civil Rights of the U.S. Department of Health and Human Services (“HHS”) has published further advice on how the workers’ compensation regulation works:


Covered entities are required reasonably to limit the amount of protected health information disclosed . . . to the minimum necessary to accomplish the worker’s compensation purpose. Under this requirement, protected health information may be shared for such purposes to the full extent authorized by State or other law.


In summary, to avoid needless and costly violations, employers and other covered entities must be constantly aware of the need to comply with multiple regulatory schemes that may govern PHI, beyond those of HIPAA and State laws governing PHI; there is not unlimited flexibility to disclose PHI even within the context of State-governed workers’ compensation matters. When the long-anticipated “mega-regulation” regarding HIPAA/HITECH is finally published by HHS, special attention must be given to potential changes that may further tighten the “minimum necessary” standards.

Business Associate Breach Leads to $2.5M Settlement by Accretive: But Who is the Covered Entity or Business Associate Here, and Do We Care?

Attorney General Lori Swanson of Minnesota (“AG”) issued a press release reporting that Accretive Health, Inc. (“Accretive”), the defendant in an action filed by the AG in U.S. District Court alleging violations of HIPAA, HITECH, the Minnesota Health Records Act, and the Minnesota consumer protection laws, signed a Settlement Agreement, Release and Order on July 30, 2012 (“Settlement Agreement”). The Settlement Agreement recites:

[R]ecognizing that unique circumstances exist in Minnesota in light of the Attorney General’s Agreement with Minnesota charitable hospitals … Accretive Health … has decided to wind down its remaining work for Minnesota Clients …

(other than its continuation of prior technology licensing agreements). The Settlement Agreement also requires Accretive to pay the AG nearly $2.5 million within 15 days of the Settlement Agreement’s effective date. The funds may be distributed to patients at the discretion of the AG, used for settlement administration, and/or remitted to the State Treasury.


Previous posts to this blog have reported on the AG’s action against Accretive, and on the need for entities or individuals sharing Protected Health Information (“PHI”) to identify the roles, rights, and obligations of the parties. Michael Kline’s recent blog reported on a breach involving more than 500 individuals included on the list maintained by the U.S. Department of Health and Human Services (the “HHS List”), highlighting the summary provided by the Office of Civil Rights (“OCR”). Michael noted that the OCR summary implies that OCR expects a covered entity (“CE”) contracting with a business associate (“BA”) to verify that the BA is “not an independent” CE.


Identifying the roles of the parties and the context in which PHI is disclosed is critical because different information-sharing standards apply depending on these roles and circumstances. For example, a business associate agreement (“BAA”) is not required for disclosures made within a CE for treatment, payment, or health care operations, nor is a BAA required for PHI to be disclosed from one CE to another CE where the recipient CE is a health care provider and the PHI is being disclosed for treatment purposes.


However, if the recipient CE is a health care provider, but is receiving the PHI as a BA (generally defined as a person or entity that performs functions or activities on behalf of another person that is a CE, which involves the use or disclosure of PHI), a BAA is required and it must, among other things, “establish the permitted and required uses and disclosures” of the PHI (though failure to execute a BAA will not absolve the BA of its responsibilities and liabilities under HIPAA and HITECH).

In addition, while most uses and disclosures of PHI must be limited to the “minimum necessary,” current regulations do not restrict disclosures to or requests by a CE that is a health care provider to the “minimum necessary” when the disclosure or request is for treatment of a patient. A CE can use or disclose PHI for “payment” activities, but must comply with the “minimum necessary” standard. If the “payment” activity involves disclosure to a consumer reporting agency, the CE may only disclose specified information (name/address, date of birth, social security number, payment history, account number, and the name and address of the CE).


The Accretive case was triggered by an alleged PHI breach (the all-too-frequent loss of a laptop containing sensitive information about 23,500 patients treated at two hospitals that had contracted with Accretive), but the AG’s allegations were most scathing where they painted a picture of insidious and inappropriate sharing and use of PHI between hospitals and Accretive. The AG alleged that Accretive’s “Quality and Total Cost of Care” services used “data mining,” “consumer behavior modeling,” and “propensity to pay” algorithms. Accretive allegedly “amasse[d] and ha[d] access to a high volume of sensitive and personal information,” which it used, among other things, to create “per patient risk score” calculations, yet the hospitals’ patient authorization forms allegedly failed to disclose the scope or breadth of the PHI that the hospitals would share with Accretive.


In addition to this questionable and seemingly surreptitious “behind the scenes” PHI-sharing, Accretive staff allegedly interfaced directly with patients seeking treatment at the hospitals, often appearing to be members of the hospital’s staff.  Jessica Silver-Greenberg, reporting on the Settlement Agreement in the New York Times, describes allegations of aggressive collection tactics taken by Accretive that involved requesting payment from patients seeking emergency care. 

Whether a clear delineation of the role of Accretive as a BA and/or restriction of PHI disclosed to Accretive to the “minimum necessary” would have prevented the AG’s action is unclear. However, the Accretive case provides a good example of how the blurring of the CE and BA roles can backfire on parties that fail to sufficiently analyze and define such roles, not only at the outset of a relationship but throughout its duration and evolution.

HHS/OCR Audits Are Almost Here - OCR Issues "Sample" Audit Letter

Contributed by David Restaino, Esq.

Last month a posting was made on this blog series regarding action being taken by the Office for Civil Rights (“OCR”) of the U.S. Department of Health and Human Services (“HHS”) relating to the fact that government audits for HIPAA compliance with privacy and security standards are finally beginning. In this regard, OCR recently released a “sample” letter (the “Sample Letter”) that will be used as the template for the actual letters that OCR will issue to those covered entities that are selected for audit in 2012. As OCR noted in the Sample Letter, recipients of actual letters will find that the audit process will begin within 30 to 90 calendar days from the date of the letter.


OCR has hired KPMG LLP (“KPMG”), one of the “Big Four” certified public accounting firms, to conduct the audits in accordance with government auditing standards. OCR's release of the Sample Letter likely represents its way of communicating to all regulated facilities that KPMG's actions will have the same force and effect as actions by OCR itself. As a result, when KPMG requests detailed information at the beginning of and during the audit process, the covered entity under audit should assume that the KPMG request carries with it the full weight of the United States government.


Release of the Sample Letter can also be viewed as OCR's effort to prepare the regulated community for the seriousness of the upcoming audits. Perhaps more importantly, recipients of actual letters should use the 30 to 90 calendar day period to get prepared -- although facilities would be well advised to take appropriate steps to ensure compliance now rather than risk the adverse results that can occur from last-minute efforts to organize for an audit. Those facilities that are unprepared will have a difficult time getting ready if KPMG comes knocking.


(David Restaino, a partner at Fox Rothschild LLP in its Princeton, NJ office, has more than 20 years of experience representing clients in regulatory compliance and complex commercial litigation matters, including environmental and health care disputes, before multiple federal and state courts and agencies.)

HHS/OCR Audits are Coming: What are Covered Entities Doing to Prepare?

Contributed by David Restaino, Esq.

Those entities subject to both the HIPAA privacy and security rules should pay close attention to recent action taken by the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”), which will increase the frequency and depth of government audits for HIPAA/HITECH compliance over the next year. This initiative may be in direct response to some critics who contended that OCR was not doing sufficient monitoring of compliance with HIPAA/HITECH.


Preliminary Audit Procedures. Specifically, OCR awarded a contract worth over $9 million to KPMG, LLP for administration of the audits, which will begin shortly. The audits are required by the American Recovery and Reinvestment Act of 2009 (ARRA), which states at Section 13411, “The Secretary shall provide for periodic audits to ensure that covered entities and business associates that are subject to the requirements … comply with such requirements.” Details are sketchy regarding the process to identify the entities that will be audited. However, this much is known:


● The first step will be creation of audit protocols, followed by an undertaking of the actual audits.
● OCR will base its decision to audit upon risk.
● Audits will not be based upon complaints or actual reported privacy or security breaches.
● KPMG will assist OCR in establishing the program to audit covered entities and business associates, and their compliance with the privacy and security rules.
● HHS staff will guide KPMG’s conduct during the audits.
● The audits will include site visits, interviews with leadership, documentation, an examination of operations, and an assessment of the consistency with which process is married to policy.
● Each audit will be followed by a report that will, among other things, address compliance efforts and corrective actions taken.


Who Will Be Audited? HHS reports that every covered entity and business associate is eligible to be audited. The initial round of recipients is expected to provide a broad assessment of a complex and diverse health care industry. Thus, the audit process is designed to have OCR audit as wide a range of types and sizes of covered entities as possible; covered individual and organizational providers of health services, health plans of all sizes and functions, and health care clearinghouses may all be considered. OCR has also made it explicitly clear that covered entities must fully cooperate with the auditors – as obligated under the HIPAA “enforcement rule.” Finally, HHS reports that business associates will be included in future audits.


What can covered entities do now to be ready? For starters, they can make sure that all policies and procedures are in place now. For example, the HHS website states that covered entities will have only ten (10) days to produce documents; this is not much time if policies and procedures are not already in good order.


Based on the above, the best way to get prepared is to make sure that compliance protocols are in place, and being followed, today. Stated differently, all covered entities and business associates should assess their compliance efforts, ensure that timely corrective actions are taken when necessary, and remain on their guard. Documentation of the proactive assessment and corrective measures should also assist in demonstrating that the compliance efforts are effective.


(David Restaino, a partner at Fox Rothschild LLP in its Princeton, NJ office, has more than 20 years of experience representing clients in regulatory compliance and complex commercial litigation matters, including environmental and health care disputes, before multiple federal and state courts and agencies.)

Stanford Hospital Emergency Room Data Breach: the Snoopy® Float Materializes in the Parade of PHI Breaches

By Elizabeth Litten and Michael Kline


What was the highlight of the Macy’s® Thanksgiving Day parade when we were kids? The Snoopy® float (shown below) was probably right up there, along with the Sesame Street® and Disney® floats. Spectators of the Protected Health Information (“PHI”) Breach Parade (and of the “silent brigade” of Business Associate breaches, discussed in this blog series on August 1, 2011) will be awed by the sight of the recent, somewhat bizarre, Business Associate (“BA”) breach involving Stanford Hospital’s emergency room data, as reported in the New York Times by Kevin Sack on September 8, 2011. The PHI of 20,000 emergency room patients seen in the Palo Alto, CA hospital reportedly somehow made its way from the hospital’s BA, Multi-Specialty Collection Services, to a public website used by students. The publicly-posted information included names and diagnoses for patients who visited the emergency room during a 6 month period in 2009.


This PHI breach stands out for a couple of unusual aspects. First, the data was allegedly made publicly accessible in September of 2010 as a spreadsheet attached to a document on the Web site “Student of Fortune,” a site describing itself as “Your source for easy online homework help!” As reported in the Sack article: “Gary Migdol, a spokesman for Stanford Hospital and Clinics, said that the spreadsheet first appeared on the site on Sept. 9, 2010, as an attachment to a question about how to convert the data into a bar graph."  The PHI breach was purportedly discovered on August 22, 2011 by a Stanford Hospital patient and reported to the hospital. The fact that nearly a year had lapsed from the time of the breach to its reported discovery suggests that the PHI was

 

(i)   not recognized as “real” by viewers,

(ii)  not thought by viewers to be worth noting or reporting, and/or

(iii) not actually viewed by anyone during the year it was accessible to students seeking a bar graph tutorial.

 

Nonetheless, the volume of patients affected, the sensitivity of the PHI data (more on that in a minute), the apparent lack of sufficient care by the BA, and the surprising nonchalance of whoever posted the PHI to be sifted and sorted by “Students of Fortune” accessing a publicly available Web site combine to make an attention-grabbing PHI breach event (the Snoopy float). 

 

As also reported on a New York Times blog site by Nick Bilton on September 8, 2011, Senator Richard Blumenthal (D-CT) introduced a bill, the Personal Data Protection and Breach Accountability Act of 2011, that, if passed, would impose strict storage and protection requirements for companies that store online data for more than 10,000 people. (Senator Blumenthal was previously highlighted in several postings in this blog series for his groundbreaking activities as Attorney General of Connecticut in investigations and enforcement actions against entities involved in PHI security breaches.)

 

While “Student of Fortune” was certainly not “storing” the emergency room PHI, the bill would likely affect BAs such as Multi-Specialty Collection Services. To the extent the Blumenthal bill imposes new or additional privacy and security provisions, Covered Entities and BAs handling large amounts of PHI would be subject to these provisions in addition to existing HIPAA/HITECH and state law requirements.

 

Back to the Snoopy float – the Stanford Hospital PHI breach (and the manner in which it was reported in the Sack article) stands out for a number of ironies. A large amount of sensitive PHI was accessible to the public, but obscurely so (only to Students of Fortune using a particular learning tool and astute enough to recognize, or care about, the sensitivity of the information). If the Stanford Hospital patient had not noticed and reported the PHI breach, would the breach have ever been noticed? Would any patient have been harmed? (If a tree falls in the forest when no one is present, does it make a sound?)

 

Even more ironic is the fact that one affected patient may actually have been harmed as a result of the breach reporting, rather than from the breach itself. The Sack article quotes (by name) a patient’s mother who “intercepted” the breach notice mailed from Stanford Hospital to her 21-year-old son (leaving the reader to wonder why Mom is opening her adult son’s mail and whether she was authorized to access his PHI). Mom is quoted as stating (i) that her son received psychiatric treatment at Stanford in 2009 and (ii) “My son, I can tell you [Kevin Sack], is fragile and confused enough that this would have sent him over the edge."  One can only hope that the disclosure of his "fragile" state in a national newspaper will not have a similar effect.  Perhaps, in this post-Facebook and Twitter age, we could all use reminders about what kind of information is private and sensitive, when we should report breaches of it, and with whom we should share it.  The Snoopy float is a good reminder.    

 

A final irony is that Michael Mucha, the Stanford Hospital Chief Information Security Officer at the time of the Stanford PHI breach, has written extensively and has been widely quoted regarding information security. He has been quoted as saying, “The biggest thing we [Stanford Hospital] focus on with all of this is control of the data.” Unfortunately the Snoopy float PHI breach belies the level of control of the data that can be exercised by Stanford and other Covered Entities, even with safeguards in place.

 

This story will undoubtedly have further developments. It will be especially interesting to see what statement, if any, Stanford provides to the U.S. Department of Health and Human Services (“HHS”) about its PHI breach for posting on the HHS list of reported large breaches of unsecured PHI affecting 500 or more individuals.

 

[Capitalized items that have ® after their names may be registered trademarks of other entities as to which no claim is made.]

 

[Image: The Snoopy Balloon floats along Central Park West in the 2000 Thanksgiving Day Parade. Photo credit: About.com Guide]

Selecting A Practice Management System? AMA/MGMA Toolkit May Help

Looking to buy or upgrade your scheduling, billing and collection software? Want to make sure what you’re buying meets the latest HIPAA electronic standard transaction criteria and is able to handle the new ICD-10 codes? Shopping for an Electronic Health Record (EHR) system that includes a practice management component and will qualify for HITECH subsidies? The American Medical Association and the Medical Group Management Association have published a toolkit that will walk you through the process.

The toolkit includes a directory of software vendors, a sample RFP, a sample vendor survey, a practice management system criteria checklist and a buyer’s guide to practice management systems. All but the buyer’s guide are only available to AMA or MGMA members.

 

The buyer’s guide suggests a five-step process:

 

  • Establish an assessment team
  • Analyze the patient and claims revenue cycle
  • Identify software functionality and features
  • Conduct a vendor survey and identify vendors you will consider
  • Request and review formal proposals from selected vendors

This package may help physician practices make sense of the confusing world of practice management systems before they make a significant financial commitment.

New Turn in the Parade of PHI Breaches: Office of Civil Rights Exacts Heavy Payments From Cignet Health and Massachusetts General Hospital

As reported previously on this blog series, the requirements under the HIPAA/HITECH statutes and regulations for public disclosure of security breaches of Protected Health Information (“PHI”) have been bringing direct intervention by attorneys general with respect to enforcement actions regarding such breaches. Last week, for the first time, the Office for Civil Rights (“OCR”) of the U.S. Department of Health and Human Services (“HHS”) exacted heavy financial obligations from (i) Cignet Health and its affiliates (“Cignet”) on February 22, 2011, with a $4.3 million civil monetary penalty assessment (“CMP”) for violations of the HIPAA Privacy Rule and (ii) the General Hospital Corporation and Massachusetts General Physicians Organization Inc. (collectively, “Mass General”) on February 24, 2011, for a settlement that includes a payment to the U.S. government of $1,000,000 by Mass General for potential violations of HIPAA.

This is the first time that the OCR has publicized its activities in enforcement actions involving heavy monetary payments. Until now, as reported previously on this blog series, the publicized enforcement activity for monetary recoveries from covered entities under HIPAA/HITECH has been by attorneys general in Connecticut, Indiana and Vermont.

The cases of Cignet and Mass General are efforts by the OCR to demonstrate its seriousness in taking action against violations or alleged violations of HIPAA/HITECH. In the OCR press release relating to Cignet (the “Cignet Press Release”), Kathleen Sebelius, Secretary of HHS, stated the following:

Ensuring that Americans’ health information privacy is protected is vital to our health care system and a priority of this Administration. The U.S. Department of Health and Human Services is serious about enforcing individual rights guaranteed by the HIPAA Privacy Rule.

In the OCR press release relating to Mass General (the “Mass General Press Release”), OCR Director Georgina Verdugo was quoted as follows: “We hope the health care industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement. It is a covered entity’s responsibility to protect its patients’ health information.”

The close proximity of the two OCR actions and press releases is noteworthy. According to the Cignet Press Release, the Cignet case involved 41 patients, while, according to the Mass General Press Release, the Mass General case involved 192 patients. Each of these numbers is far fewer than the threshold of 500 affected individuals for listing on the HHS website (the “HHS List”). Some of the 241 incidents reported on the current HHS List involved hundreds of thousands, or even more than one million, affected individuals. It is clear that OCR felt it necessary to make examples of Cignet and Mass General.

The two cases are very different in that the Cignet Health payment involves a CMP imposed by OCR for violations that the OCR found Cignet to have committed, including, according to the Cignet Press Release, the fact that “. . . Cignet failed to cooperate with OCR’s investigations on a continuing daily basis from March 17, 2009, to April 7, 2010, and that the failure to cooperate was due to Cignet’s willful neglect to comply with the Privacy Rule.” Therefore, the heavy CMP on Cignet would appear to be based in major part on OCR’s view that Cignet flouted the authority of OCR to investigate alleged HIPAA Privacy violations.

On the other hand, according to the Mass General Press Release, Mass General settled for a $1,000,000 payment and other compliance actions for “potential violations of the HIPAA Privacy Rule.” It is clear that Mass General, while having an incident that affected almost five times as many individuals as that of Cignet, exhibited a spirit of cooperation with OCR and, therefore, settled for less than one-fourth of the CMP imposed on Cignet and was not found by OCR to have committed a violation.

The juxtaposition of the two cases by OCR shows that cooperation may achieve significant benefits for alleged HIPAA violators, while those who fail to cooperate can be severely punished. The importance of these two cases warrants further discussion in future blog entries.

The Parade of PHI Security Breaches: Escalating Enforcement Activity by State Attorneys General - Most Recently in Vermont

 As reported previously on this blog series, the requirements under the HIPAA/HITECH statutes and regulations for public disclosure of security breaches of Protected Health Information ("PHI") have been bringing to light new breaches of PHI security and direct intervention by state attorneys general with respect to such breaches.

The enactment of HITECH gave state attorneys general the ability to enforce PHI security breaches under HIPAA for the first time in federal district court as parens patriae (on behalf of state residents) if they believe their residents are threatened or adversely affected by HIPAA violations. Nothing in HIPAA/HITECH prevents a state attorney general from exercising powers under state law respecting alleged PHI security breaches.

Earlier blog postings reported on (i) a settlement by the Attorney General of Connecticut (the "Connecticut Settlement") of a lawsuit brought under HIPAA/HITECH for $250,000 against Health Net, Inc., and (ii) more recently, a lawsuit filed under Indiana state law for $300,000 against Wellpoint, Inc. by the Attorney General of Indiana (collectively, the "Earlier Actions").

On January 18, 2011, Attorney General William Sorrell of Vermont and his office (collectively, the "Vermont Attorney General") announced in a press release (the "Press Release") that it had settled a lawsuit (the "Vermont Action"), by means of a consent decree which requires court approval, against Health Net, Inc., and Health Net of the Northeast, Inc. (collectively, "Health Net"). The Vermont Action involves a number of the same issues to which the Connecticut Settlement against Health Net related, including an alleged failure to promptly notify consumers endangered by the breach.

 

The settlement in the Vermont Action (the "Vermont Settlement") would require Health Net to pay $55,000 to Vermont, submit to a data-security audit, and file reports with Vermont regarding information security programs for the next two years. Presumably the lower settlement amount in Vermont is attributable to the fact that, as the Press Release stated, 525 Vermonters were affected by the alleged PHI security breach, which may be contrasted with the nearly 500,000 Connecticut enrollees alleged to have been affected in the matter resolved by the Connecticut Settlement.

Significantly, the Vermont Action, which was filed in the U.S. District Court for the District of Vermont, was, unlike the Earlier Actions, brought under both federal and state law in one lawsuit that invoked HIPAA/HITECH, as well as the Vermont Security Breach Notice and Consumer Fraud Acts. The Press Release stated that the Vermont Settlement is "Vermont’s first enforcement action under the Security Breach Notice Act and the second HIPAA enforcement action of its kind since state attorneys general were given HIPAA enforcement authority in 2009."

So far, state attorneys general have limited their enforcement activity under HIPAA/HITECH to cases where alleged unreasonable and lengthy delays in notifying affected individuals by insurers were present. Insurers may be attractive targets because they are often perceived by the public to be large, highly profitable and relatively faceless entities. It will be interesting to see when the first lawsuit is filed by an attorney general against a provider, such as a physician practice group or community hospital, and what will be the basis for such a lawsuit.

In any event, it can be expected that other attorneys general around the country will heighten their investigations of PHI security breaches and seek civil monetary payments under HIPAA/HITECH and/or state law. Perhaps more will even be heard from attorneys general who believe that citizens of their respective states have been affected by the alleged Health Net and/or Wellpoint PHI security breaches.

 

Prompt, decisive and positive action is required of providers, as well as insurers, to limit potential damages, rehabilitate relations with clients and the public and reduce the likelihood of litigation and penalties.

HITECH EMR Incentive Registration Opens January 3, 2011

 

Early EHR adopters, mark your calendars: CMS will begin accepting registration for participation in the Medicare EHR incentive program beginning January 3, 2011. CMS will post a link to the registration process on its Registration and Attestation page on January 3. The sooner you apply, the sooner you can begin to qualify for the $44,000 in additional Medicare funds per eligible professional which is being offered for meaningful use of electronic health records.

For the eligible professional incentives, the applications must be submitted on behalf of the professionals themselves, not their employers or practices, but the payments may be reassigned. 

In order to apply, eligible professionals will need:

  • National Provider Identifier (NPI)
  • National Plan and Provider Enumeration System (NPPES) ID and Password
  • Payee Tax Identification Number (if you are reassigning your benefits)
  • Payee National Provider Identifier (NPI)(if you are reassigning your benefits)

Eligible hospitals will need:

  • CMS Identity and Access Management (I&A) User ID and Password
  • CMS Certification Number (CCN)
  • National Provider Identifier (NPI)
  • Hospital Tax Identification Number

Applicants for the Medicare incentive must be enrolled in PECOS.

Of course, you must be using certified EHR technology, but you do not need to disclose which certified EHR system you are using until the attestation process.  The Certified Health IT Product List is available at http://www.healthit.hhs.gov/CHPL.

Attestation of meaningful use will begin in April, with payments slated to begin in May.   The provider must install and verify meaningful use of the certified software for at least 90 days in 2011 to qualify for the EHR incentive money. The 90 days of  “meaningful use of certified EHR software” must occur before the end of 2011.  February 29, 2012 is the last day for eligible professionals to register and attest to receive an Incentive Payment for 2011.

The Medicaid incentive program also opens on the same day, but CMS cautions that some states may not be ready to register applicants right away. Keep in mind that if your practice or entity qualifies for both programs, you should evaluate which one is more beneficial to your situation since you cannot participate in both. Medicaid offers up to $63,750 per qualifying practitioner over six years.

Providers are only required to register once for the Medicare and Medicaid EHR Incentive Programs. However, they must successfully demonstrate that they have either adopted, implemented or upgraded (first participation year for Medicaid) or meaningfully used certified EHR technology each year in order to receive an incentive payment for that year.

For more information, see CMS's Path To Payment site.

PHI: The University of Tennessee Medical Center Joins the Parade of Potential Security Breaches

 

This blog has been following the continuing flow of security breaches of Protected Health Information ("PHI") and how affected providers and insurers have been responding to their discovery. The University of Tennessee Medical Center ("UTMC" or the "hospital") based in Knoxville has apparently joined in the march.

 

On November 29, 2010, Angela Starke wrote an article entitled "Patients uneasy about possible security breach at UT Medical Center" that was posted on volunteertv.com. In the article, Ms. Starke reported that UTMC had announced that 8,000 patients' medical and identity information may have been compromised. As part of her article, Ms. Starke reproduced in full the letter attributed to the Privacy Officer of UTMC that was sent to affected patients by the hospital (the "Letter"). The following was stated in the UTMC Letter: "Please note we have no reason to believe that any of your personal information has actually been accessed or inappropriately used. However, out of an abundance of caution, we want to make you aware of the incident."

 

What is interesting about the UTMC event is that the hospital apparently has not seen the incident as sufficiently newsworthy to publish the UTMC Letter on its website in the news section or elsewhere. In contrast, a recent post on this blog discussed a PHI security breach issue at Henry Ford Health System in Michigan ("HFHS"). That post raised questions as to the thoroughness of the report that HFHS had placed on its website relative to the incident.

 

Nonetheless, HFHS did at least disclose the matter on its website. UTMC has chosen not to do so. The article by Ms. Starke would indicate that patients who received notices from UTMC about the PHI incident considered it to be somewhat more of a concern than the hospital did, as evidenced by UTMC’s failure to make a disclosure on its website.

 

A visit today to the U.S. Department of Health and Human Services ("HHS") website which lists reported breaches of unsecured PHI affecting 500 or more individuals reveals that the UTMC matter is now posted. Even that posting, however, is defective. The list reflects the "Date of Breach" of the UTMC event of "Improper Disposal of Paper Records" as "2009-09-23." Obviously the year should be "2010" not the "2009" date listed. It is unclear whether the hospital reported the wrong year to HHS or HHS incorrectly transcribed it.

As this blog has reported earlier, the public disclosures required by HIPAA/HITECH for breaches respecting PHI make providers and insurers vulnerable to embarrassment, criticism and diminished reputation that may actually overshadow the significant legal costs and statutory consequences of the breach itself.

To this end, providers and insurers must continue to heighten their efforts to avoid PHI security breaches as a primary objective. If they do occur, prompt, decisive and proactive action is required to maximize damage control and rehabilitate relations with clients and the public. Such action should include posting of the unfortunate event on the entity’s website.

PHI: The Parade of Security Breaches Continues to Lengthen with the Addition of Henry Ford Health System

This blog has been following how requirements under the HIPAA/HITECH statutes and regulations for public disclosure of security breaches of Protected Health Information (“PHI”) have brought to light a continuing flow of breaches of PHI involving highly respected and sophisticated providers and insurers. 

The giant Henry Ford Health System (“Henry Ford” or the “health system”) in Michigan has joined the march. On November 19, 2010, Henry Ford posted on its Web site a “Required Substitute Notice” (the “Notice”) under HIPAA/HITECH. The Notice discloses that the health system has notified and apologized to “affected patients” that their information related to prostate services received between 1997 and 2008 was affected by a breach of unsecured PHI. Henry Ford reported that it learned on September 24, 2010, that “an employee's laptop computer storing the information was stolen from an unlocked urology medical office.”

While no Social Security numbers, health insurance identification numbers or medical records were apparently stored on the stolen laptop, other elements of PHI were present on the laptop. To provide support for those affected by the PHI breach, as has been done by other providers and insurers, Henry Ford has responsibly offered a free year of identity monitoring, protection and remediation service to the potential victims. 

There are a number of interesting aspects of the Notice itself. The Notice states that “[u]nder federal law, health care organizations are required to notify patients within 60 days of a breach of unsecured health information.” As stated in an earlier posting on this blog, the time frame for providers and insurers to give notice to affected individuals and the U.S. Department of Health and Human Services (“HHS”) of a PHI security breach involving 500 or more individuals is “without unreasonable delay and in no case later than 60 days from discovery of a breach.”

If the PHI breach was discovered by Henry Ford on September 24, 2010, the sixtieth day would be November 23, 2010. Therefore, that part of the notification requirement was clearly satisfied. It is a factual matter, however, as to whether, under the circumstances, the notification by the health system on or about the 53rd day met the other standard that notice was provided “without unreasonable delay.”

Another aspect of the Notice was that it did not disclose the number of affected patients. A visit today to the HHS Web site that lists breaches of unsecured PHI affecting 500 or more individuals reveals that the Henry Ford security breach is not yet posted.  Since the required time frame for the health system to notify the HHS is the same as that for notifying affected patients, the HHS Web site should soon post such information.

 

Perhaps one of the most concerning aspects of the security breach is the report by Henry Ford that “[w]hile the laptop was password protected, the patient information stored on the computer could potentially be viewed on the computer.” Chief Privacy Officer of Henry Ford, Meredith Phillips, was quoted as saying that, to prevent future patient information breaches, “employees will be re-educated in the steps necessary to protect patient information stored on computers.” She also stated that  “the process will be improved for how employees obtain a laptop computer for work purposes.”

 

Henry Ford is taking reasonable measures to forestall another similar incident. Clearly, however, current technological security protection practices, such as passwords, even if followed as in the Henry Ford case, are not sufficient to avoid a security breach. Unfortunately, re-education of employees and adding new limitations on issuance of laptops will not protect providers or insurers against negligence, rogue employees who may download PHI on their own computers, outright thieves within or without the organization, computer hacking and a host of other threats.

As this blog has reported earlier, the public disclosures required by HIPAA/HITECH for breaches respecting PHI make providers and insurers vulnerable to embarrassment, criticism and diminished reputation that may actually overshadow the significant legal costs and statutory consequences of the breach itself. 

To this end, providers and insurers must continue to heighten their efforts to avoid PHI security breaches as a primary objective. If they do occur, prompt, decisive and proactive action is required to maximize damage control and rehabilitate relations with clients and the public.

The Parade of PHI Security Breaches: Escalating Enforcement Activity by Attorneys General - Most Recently in Indiana

As reported previously on this blog, the requirements under the HIPAA/HITECH statutes and regulations for public disclosure of security breaches of Protected Health Information (“PHI”) have been bringing to light new breaches of PHI security and direct intervention by attorneys general with respect to such breaches. 

An earlier posting reported that Richard Blumenthal, as Attorney General of Connecticut, has been especially prominent in investigating PHI security breaches affecting individuals in his state. He also distinguished himself by successfully recovering for Connecticut the first state settlement for PHI security breaches under HIPAA/HITECH in an amount of $250,000. 

The enactment of HITECH gave state attorneys general the ability to enforce PHI security breaches under HIPAA for the first time in federal district court as parens patriae (on behalf of state residents) if they believe their residents are threatened or adversely affected by HIPAA violations. It was pointed out in the earlier blog posting that nothing in HIPAA/HITECH prevents a state attorney general from exercising powers under state law respecting alleged PHI security breaches. In this regard, on October 29, 2010, the Indiana Attorney General's office announced in a press release (the “Press Release”) that it had filed a lawsuit against Indianapolis-based WellPoint, Inc. (“WellPoint”), claiming that “the health insurance provider did not notify their customers or the Attorney General's office in a timely manner following a data breach earlier this year affecting more than 32,000 Hoosiers.”

Significantly, the lawsuit, which seeks $300,000 in civil penalties, is not being brought under HIPAA/HITECH but, according to the Press Release, under Indiana state law, which “requires businesses to notify both the individuals potentially affected by a data breach, as well as the Attorney General's office without unreasonable delay.” 

According to the Press Release, WellPoint was notified as early as February 22, 2010 and again on March 8, 2010 that health insurance application records containing personal information, such as Social Security numbers, financial information and health records, were accessible through its public website. However, the Attorney General alleges that WellPoint did not begin notifying customers of the security breach until June 18, 2010 (over 100 days after WellPoint reportedly learned of the breach). The Press Release continues that, following news reports of the breach, the Attorney General's office submitted an inquiry to WellPoint and received a response on July 30, 2010 (at least 144 days after WellPoint reportedly learned of the breach). The Press Release states that the WellPoint “delays in notice both to customers and to the Attorney General's office are considered unreasonable.”

HIPAA/HITECH has a more objective standard than the term “unreasonable delay” of the Indiana statute. Under HIPAA/HITECH, the time frame for insurers and providers to give notice to affected individuals and the U.S. Department of Health and Human Services of a PHI security breach involving 500 or more individuals is “without unreasonable delay and in no case later than 60 days from discovery of a breach.” WellPoint would clearly be well outside the 60-day limits for notification.  

 

It is not clear what led the Indiana Attorney General to determine to proceed under state law rather than HIPAA/HITECH, especially given the objective outside limit of 60 days under HIPAA/HITECH and the above-mentioned success of Mr. Blumenthal in Connecticut. Perhaps the decision was made in order to bring the action in the Indiana state courts rather than the federal courts, or there are facts and circumstances that the Attorney General believed favor use of the state law.

 

In any event, it can be expected that other attorneys general around the country will follow suit in vigorously investigating PHI security breaches and seeking civil monetary payments under HIPAA/HITECH and/or state law. Prompt, decisive and positive action will be required of insurers and providers to maximize damage control, rehabilitate relations with clients and the public and reduce the likelihood of litigation and penalties for undue delay in notification of PHI security breaches. 

"We're going to have to ride our bike and fix it at the same time."

The virtual "ink" is barely dry on the July 13, 2010 final rule on Stage 1 Meaningful Use criteria, but the federally chartered Health IT Policy Committee is already beginning to talk about Stage 2. Modern Healthcare reports in a September 17 article (registration required) that the advisory body met this week to review a schedule for implementing standards that will apply to eligibility for federal funding for users of electronic health records during fiscal years 2012-2013. The meaningful use work-group's initial draft of Stage 2 criteria is anticipated to be presented to the full Committee by October 20 and released for public comment shortly afterwards. The goal is to submit final recommendations to the Office of the National Coordinator for Health Information Technology by the end of June 2011.

While developing Stage 2 criteria, the Committee will also be reviewing provider feedback on the implementation of Stage 1 criteria, prompting Committee member Richard Chapman to comment:

"We're going to have to ride our bike and fix it at the same time here, which is, we're going to get feedback, but only so much of it we'll be able to be put into Phase 2.  Some will have to be staged later, even into (Stage) 3 or whenever we get there because I think we're going to find out there could be a showstopper along the way."

Providers will want to monitor these efforts carefully when selecting EHR vendors and designing systems and policies to ensure that their Stage 1 use can be expanded to include Stage 2 criteria when they kick in.

CMS Answers Frequently Asked Questions Regarding Electronic Health Record Incentives

by Todd Rodriguez, Esquire

In July, the Centers for Medicare and Medicaid Services (CMS) released the much-anticipated final regulations that providers are required to meet in order to receive the Medicare incentives for adoption of a certified electronic health record system. In the final rule, CMS set forth 15 core elements which must be met in order to qualify for “meaningful use” of the EHR system.

Notwithstanding the regulations, the requirements are complex and many physicians and other providers have a host of questions regarding both the regulations and the incentive program. To address some of these questions, CMS has issued a number of Frequently Asked Questions (FAQs) on its website. To review the new EHR FAQs, physicians can go to the CMS FAQ page and type the term “EHR” into the search window.

Crossposted from Fox Rothschild's Physician Law blog.

 

Meaningful Use At A Glance

The following chart summarizes the 15 "core" objectives which must be met, the menu from which 5 additional objectives must be selected, and the measures by which achievement of each objective is judged in order to qualify for EHR funding under the HITECH Act, based on the final rules published on July 13, 2010. Each objective is followed by its measure.

Core set (all 15 required):

1. Record patient demographics (sex, race, ethnicity, date of birth, preferred language, and in the case of hospitals, date and preliminary cause of death in the event of mortality).
   Measure: More than 50% of patients have demographic data recorded as structured data.

2. Record vital signs and chart changes (height, weight, blood pressure, body-mass index, growth charts for children).
   Measure: More than 50% of patients 2 years of age or older have height, weight, and blood pressure recorded as structured data.

3. Maintain an up-to-date problem list of current and active diagnoses.
   Measure: More than 80% of patients have at least one entry recorded as structured data.

4. Maintain an active medication list.
   Measure: More than 80% of patients have at least one entry recorded as structured data.

5. Maintain an active medication allergy list.
   Measure: More than 80% of patients have at least one entry recorded as structured data.

6. Record smoking status for patients 13 years of age or older.
   Measure: More than 50% of patients 13 years of age or older have smoking status recorded as structured data.

7. For individual professionals, provide patients with clinical summaries for each office visit; for hospitals, provide an electronic copy of hospital discharge instructions on request.
   Measure: Clinical summaries provided to patients for more than 50% of all office visits within 3 business days; more than 50% of all patients who are discharged from the inpatient department or emergency department of an eligible hospital or critical access hospital and who request an electronic copy of their discharge instructions are provided with it.

8. On request, provide patients with an electronic copy of their health information (including diagnostic test results, problem list, medication lists, medication allergies, and for hospitals, discharge summary and procedures).
   Measure: More than 50% of requesting patients receive an electronic copy within 3 business days.

9. Generate and transmit permissible prescriptions electronically (does not apply to hospitals).
   Measure: More than 40% are transmitted electronically using certified EHR technology.

10. Computerized provider order entry (CPOE) for medication orders.
   Measure: More than 30% of patients with at least one medication in their medication list have at least one medication ordered through CPOE.

11. Implement drug-drug and drug-allergy interaction checks.
   Measure: Functionality is enabled for these checks for the entire reporting period.

12. Implement the capability to electronically exchange key clinical information among providers and patient-authorized entities.
   Measure: Perform at least one test of the EHR's capacity to electronically exchange information.

13. Implement one clinical decision support rule and the ability to track compliance with the rule.
   Measure: One clinical decision support rule implemented.

14. Implement systems to protect the privacy and security of patient data in the EHR.
   Measure: Conduct or review a security risk analysis (the risk analysis already required by the HIPAA Security Rule at 45 CFR 164.308(a)(1)), implement security updates as necessary, and correct identified security deficiencies.

15. Report clinical quality measures to CMS or the states.
   Measure: For 2011, provide aggregate numerator and denominator through attestation; for 2012, electronically submit measures.

Menu set (implement 5 out of 10). The following 8 objectives are available to both eligible professionals and hospitals; each provider type has 2 additional choices, listed after them, bringing its menu to 10:

1. Implement drug formulary checks.
   Measure: Drug formulary check system is implemented and has access to at least one internal or external drug formulary for the entire reporting period.

2. Incorporate clinical laboratory test results into the EHR as structured data.
   Measure: More than 40% of clinical laboratory test results whose results are in positive/negative or numerical format are incorporated into the EHR as structured data.

3. Generate lists of patients by specific conditions to use for quality improvement, reduction of disparities, research, or outreach.
   Measure: Generate at least one listing of patients with a specific condition.

4. Use EHR technology to identify patient-specific education resources and provide those to the patient as appropriate.
   Measure: More than 10% of patients are provided patient-specific education resources.

5. Perform medication reconciliation between care settings.
   Measure: Medication reconciliation is performed for more than 50% of transitions of care.

6. Provide a summary of care record for patients referred or transitioned to another provider or setting.
   Measure: Summary of care record is provided for more than 50% of patient transitions or referrals.

7. Submit electronic immunization data to immunization registries or immunization information systems.
   Measure: Perform at least one test of data submission and follow-up submission (where registries can accept electronic submissions).

8. Submit electronic syndromic surveillance data to public health agencies.
   Measure: Perform at least one test of data submission and follow-up submission (where public health agencies can accept electronic data).

Additional choices for hospitals and critical access hospitals:

9. Record advance directives for patients 65 years of age or older.
   Measure: More than 50% of patients 65 years of age or older have an indication of an advance directive status recorded.

10. Submit electronic data on reportable laboratory results to public health agencies.
   Measure: Perform at least one test of data submission and follow-up submission (where public health agencies can accept electronic data).

Additional choices for eligible professionals:

9. Send reminders to patients (per patient preference) for preventive and follow-up care.
   Measure: More than 20% of patients 65 years of age or older or 5 years of age or younger are sent appropriate reminders.

10. Provide patients with timely electronic access to their health information (including laboratory results, problem list, medication lists, medication allergies).
   Measure: More than 10% of patients are provided electronic access to information within 4 days of its being updated in the EHR.

Source: New England Journal of Medicine http://healthcarereform.nejm.org/?p=3732&query=OF

Final "Meaningful Use" Criteria for EHR Subsidies Released

On July 13, 2010, the Department of Health and Human Services released a pair of final regulations (one from CMS, one from the Office of the National Coordinator for Health IT) detailing the "meaningful use" criteria which will determine whether users of electronic health records will qualify for the government subsidies under the HITECH Act during the first two years of the program (2011-2012). The final rule modified the agency's January 16, 2010 proposed rule and addressed issues raised in the over 2,000 comments that proposal drew. The HITECH Act provides EHR funding of up to $44,000 over 5 years (through Medicare) or $63,750 over 6 years (through Medicaid) per qualifying physician or other clinician, as well as additional funding for qualifying hospitals.

The agency responded to the numerous complaints that its earlier, all-or-nothing approach mandating 25 objectives (23 for hospitals) was unrealistic. Instead, the final rule requires 15 "core" objectives and a menu of additional objectives from which EHR users can choose to qualify for the financial help.

 

The New England Journal Of Medicine published a summary article by HHS insiders David Blumenthal, M.D., M.P.P., national coordinator for HIT, and Marilyn Tavenner, R.N., M.H.A., principal deputy administrator of CMS. They noted:

 

“In the original proposal, we identified a broad set of objectives, all of which would need to be met. This included 23 objectives for hospitals and 25 for clinicians. The DHHS received many comments that this approach was too demanding and inflexible, an all-or-nothing test that too few providers would be likely to pass.  In the final regulation, we have divided these elements into two groups: a set of core objectives that constitute an essential starting point for meaningful use of EHRs and a separate menu of additional important activities from which providers will choose several to implement in the first 2 years.

. . .

 

Core objectives comprise basic functions that enable EHRs to support improved health care. As a start, these include the tasks essential to creating any medical record, including the entry of basic data: patients’ vital signs and demographics, active medications and allergies, up-to-date problem lists of current and active diagnoses, and smoking status.

 

Other core objectives include using several software applications that begin to realize the true potential of EHRs to improve the safety, quality, and efficiency of care. These features help clinicians to make better clinical decisions — and avoid preventable errors. To qualify for incentive payments, clinicians must start employing such clinical decision support tools. They must also start using the capability that undergirds much of the value of EHRs: using records to enter clinical orders and, in particular, medication prescriptions. Only when providers enter orders electronically can the computer help improve decisions by applying clinical logic to those choices in light of all the recorded patient data. And to begin extending the benefits of EHRs to patients themselves, the meaningful use requirements will include providing patients with electronic versions of their health information.

 

In addition to the core elements, the rule creates a second group: a menu of 10 additional tasks, from which providers can choose any 5 to implement in 2011–2012. This gives providers latitude to pick their own path toward full EHR implementation and meaningful use.

 

For example, the menu includes capacities to perform drug-formulary checks, incorporate clinical laboratory results into EHRs, provide reminders to patients for needed care, identify and provide patient-specific health education resources, and employ EHRs to support the patient’s transitions between care settings or personnel.”

 

The AMA issued a press release which stated the association’s intent to carefully review the final rule to see if the requirements have been reduced to allow more flexibility than the proposed rule, as AMA urged. Noting that the looming cuts under the physician fee schedule have not yet been permanently fixed, the AMA said:

 

“Physicians recognize the potential for health IT and want to adopt new technologies, but costly EHR systems are out of reach for many physicians because of low Medicare payments and the prospect of steep cuts in December. Congress needs to repeal the flawed Medicare physician payment formula to help eliminate one major obstacle to physician adoption of new technologies.”

 

It may be an uphill battle to drag the healthcare industry into the 21st century. The New York Times quoted HHS Secretary Kathleen Sebelius’ concern that "only 20 percent of doctors and 10 percent of hospitals use even basic electronic health records.”

 

The rule will be published in the Federal Register in the near future. An advance copy is available at http://www.ofr.gov/OFRUpload/OFRData/2010-17207_PI.pdf  and http://www.ofr.gov/OFRUpload/OFRData/2010-17210_PI.pdf 

 

HHS Fact Sheets are here: Electronic Health Records At A Glance; and CMS and ONC Final Regulations Define Meaningful Use And Set Standards For Electronic Health Record Incentive Program. The HHS press release is here. A technical fact sheet on ONC’s standards and certification criteria final rule is available at http://healthit.hhs.gov/standardsandcertification

OCR Releases Notice of Proposed Rulemaking Implementing HITECH Act HIPAA Changes

With a press conference featuring top officials including HHS Secretary Kathleen Sebelius, the Office for Civil Rights rolled out a 234-page Notice of Proposed Rulemaking on July 8, 2010. The full text is here. The agency described the proposed rulemaking as including significant modifications to the HIPAA Privacy, Security and Enforcement Rules, as well as resources and activities to strengthen the privacy of health information and to help Americans understand their rights and the resources available to safeguard their personal health information. The notice will appear in the Federal Register on July 14, and comments will be received for 60 days thereafter.

At the same time, HHS issued a statement on Privacy and Security entitled Building Trust in Health Information Exchange, listing the various initiatives it is pursuing. HHS stated that the proposed regulations released today would “expand individuals’ rights to access their information and restrict certain disclosures of protected health information to health plans, extend the applicability of certain of the Privacy and Security Rules’ requirements to the business associates of covered entities, establish new limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibit the sale of protected health information without patient authorization. In addition, the proposed rule is designed to strengthen and expand OCR’s ability to enforce HIPAA’s Privacy and Security provisions. This rulemaking will strengthen the privacy and security of health information, and is an integral piece of the Administration’s efforts to broaden the use of health information technology in health care today.”

 

Also announced today was a new HHS website for Health Data Privacy and Security Resources, http://www.hhs.gov/healthprivacy, and a revamped format for its online listing of breaches affecting 500 or more individuals. HHS reports that such breaches are now posted in a new, more accessible format that allows users to search and sort the posted breaches. Additionally, this new format includes brief summaries of the breach cases that OCR has investigated and closed, as well as the names of private practice providers who have reported breaches of unsecured protected health information to the Secretary.

 

Next up on the HHS agenda  – the final “meaningful use” standards, which will clarify the minimum capabilities for the implementation of electronic medical records systems to qualify for federal subsidies beginning next year.

Tennessee Blues' Data Theft May Impact 500,000 Members

With HHS enforcement of the HITECH breach notification rules weeks away from taking effect, BlueCross BlueShield of Tennessee is scrambling to control the damage from the October 2009 theft of 57 hard drives containing sensitive patient information. In a notice posted on its website as of January 13, 2010, the company stated that hard drives containing audio and video files related to coordination of care and eligibility telephone calls from providers and members were stolen from a former call center, including video images from computer screens of customer service representatives and audio files of recorded phone conversations. The files contained members' personal data and protected health information, including members' names and BlueCross ID numbers, diagnostic information, dates of birth and Social Security numbers. This information was encoded but not encrypted, and the company has no evidence that the data has been accessed or used by the thieves.

The company has chosen to voluntarily follow the HITECH notice rules that HHS will formally begin enforcing as of February 22, 2010. It estimates that the breach may have affected up to a total of 500,000 members in all 50 states. So far, it has identified approximately 220,000 members whose data may have been compromised and is in the process of sending them notices by mail. It has identified 32 states with 500 or more members whose data may be at risk. The company notified the Secretary of HHS, the State of Tennessee, and the attorney general's office and media in each state with 500 or more affected members, and notified all three credit bureaus.

 

The company is also offering a one-year free credit-monitoring membership through Equifax to affected members, and three tiers of additional protective services based on the amount of information believed to have been compromised.

 

The company's first challenge has been to identify affected members, and it has engaged a national security consultant, Kroll, to assist. Unlike patient information in text or database format, which could be quickly reviewed to identify patients at risk (and "mined" for identity theft purposes), the hundreds of thousands of audio and video recordings must be manually reviewed.
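The phrase "encoded but not encrypted" is the detail a security engineer should not let pass. Under the guidance HHS issued with the HITECH breach rule, PHI counts as "secured" (so that its loss does not trigger notification) only if it was encrypted in a manner consistent with the NIST publications the guidance cites, with the decryption key not compromised, or was destroyed. A proprietary or container "encoding" with no secret key offers none of that: anyone holding the drives can reverse it. The Go program below is an added illustration of the distinction, not code from the original post and not a description of the company's systems. It reverses a base64 "encoding" of a constructed sample record with no key at all, then seals the same record with AES-256-GCM (chosen here as one encryption method consistent with NIST guidance; the function names and sample record are this example's own) and shows that the ciphertext reveals nothing, cannot be opened with the wrong key, and rejects a single flipped bit.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// sampleRecord is a constructed example; it is not real member data.
const sampleRecord = "MEMBER: Jane Doe; ID: XYZ123456; DOB: 1970-01-01; DX: E11.9"

// Encode stands in for any keyless "encoding" of a record (base64, a vendor
// container format, a proprietary audio codec). It is reversible by anyone.
func Encode(plain []byte) string {
	return base64.StdEncoding.EncodeToString(plain)
}

// Decode reverses Encode with no secret material whatsoever.
func Decode(encoded string) ([]byte, error) {
	return base64.StdEncoding.DecodeString(encoded)
}

// NewKey draws a 256-bit AES key from the OS CSPRNG. In practice the key is
// kept apart from the data (an HSM or key service); a key stored on the same
// drive as the ciphertext would be "compromised" along with it.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals plain with AES-256-GCM. The random 12-byte nonce is prepended
// to the output; GCM's authentication tag covers the ciphertext, so any
// modification is detected when Decrypt runs.
func Encrypt(key, plain []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to the nonce slice, giving nonce||ct||tag.
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// Decrypt opens the output of Encrypt. It fails on a wrong key, a truncated
// message, or any altered byte, returning an error instead of garbage.
func Decrypt(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	// "Encoded": the thief needs nothing but the bytes.
	recovered, _ := Decode(Encode([]byte(sampleRecord)))
	fmt.Printf("decoded without a key: %s\n", recovered)

	// Encrypted: without the key the thief has only random-looking bytes.
	key, _ := NewKey()
	sealed, _ := Encrypt(key, []byte(sampleRecord))
	fmt.Printf("ciphertext (%d bytes): %x...\n", len(sealed), sealed[:16])

	wrongKey, _ := NewKey()
	if _, err := Decrypt(wrongKey, sealed); err != nil {
		fmt.Println("wrong key:", err)
	}
	sealed[len(sealed)-1] ^= 0x01 // flip one bit of the tag
	if _, err := Decrypt(key, sealed); err != nil {
		fmt.Println("tampered ciphertext:", err)
	}
}
```

The practical point for a plan sponsor or covered entity is that the safe harbor turns on what happened to the data cryptographically, not on how hard the vendor's file format looks to a layperson. Whole-disk or file encryption of the call-center drives under a key held elsewhere would have put the theft outside the notification duty; an unusual container format does not.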

Getting Meaningful with EHR

 

The Health Information Technology for Economic and Clinical Health Act, or the "HITECH Act", provides incentive payments for adoption and meaningful use of HIT and qualified EHRs. CMS published a proposed rule defining "meaningful use" on December 30. It's 566 double-spaced pages long, and can be found here: http://www.federalregister.gov/OFRUpload/OFRData/2009-31217_PI.pdf.

An eligible physician or other professional (“EP”) or hospital will be deemed to be a meaningful EHR user of technology certified by HHS if the user:

(1) demonstrates use of certified EHR technology in a meaningful manner;

(2) demonstrates to the satisfaction of the Secretary of HHS that certified EHR technology is connected in a manner that provides for the electronic exchange of health information to improve the quality of health care such as promoting care coordination, in accordance with all laws and standards applicable to the exchange of information; and

(3) using its certified EHR technology, submits to the Secretary, in a form and manner specified by the Secretary, information on clinical quality measures and other measures specified by the Secretary.

 

The measures include:

  • Implement drug-drug, drug-allergy and drug-formulary checks.
  • Input at least one diagnosis based on ICD-9-CM or SNOMED CT, or an indication of none, for 80% of all unique patients seen by the EP or admitted to an eligible hospital.
  • Maintain active medication lists for 80% of patients seen or admitted.
  • Record demographic information, including preferred language, insurance type, gender, race, ethnicity and date of birth, for 80% of patients seen or admitted.
  • Record blood pressure and BMI, and plot the growth chart for children age 2 to 20 years old, for 80% of patients seen or admitted.
  • Record smoking status of 80% of patients age 13 or over.
  • Generate lists of patients by specific conditions to use for quality improvement, reduction of disparities, research and outreach.
  • Implement five clinical decision support rules relevant to the specialty or to a high clinical priority, including for diagnostic test ordering, along with the ability to track compliance with those rules.
  • Check insurance eligibility electronically for 80% of patients.
  • Submit 80% of claims electronically.
  • Provide a summary of care record for at least 80% of transitions of care and referrals.
  • Use computerized provider order entry (CPOE) for 80% of orders.
  • Transmit at least 75 percent of all permissible prescriptions electronically.
  • Report clinical quality measures as required by HHS.
  • Send electronic reminders to at least 50 percent of all unique patients seen by the EP that are 50 years of age and over.
  • Provide requested electronic copies of patients' health information within 48 hours of patient requests in 80% of cases.
  • Provide patients with timely electronic access to their health information (including diagnostic test results, problem list, medication lists, and allergies) within 96 hours of the information being available to the EP for at least 10 percent of all unique patients seen by the EP.
  • Provide clinical summaries to patients for each office visit for at least 80 percent of all office visits.

Will Too Much "Meaning" = Not Enough Use?

When I first reviewed the Matrix and other documents released by the HIT Policy Committee's "Meaningful Use" Workgroup, my initial reaction was "When did defining 'Meaningful Use' of EHR morph into attempting to use EHRs to 'meaningfully' reform the entire healthcare delivery system?"  More simply put, the Workgroup's initial recommendations seemed to me to be over-ambitious.

The term "Meaningful EHR User" in ARRA (at Title IV, subtitle A, section 4104) is described as "an eligible professional" who meets the following criteria: 

  1. demonstrates that he/she is using certified EHR technology in a "meaningful manner, which shall include the use of electronic prescribing";
  2. demonstrates that he/she uses the certified EHR technology to be "connected, in a manner that provides... for the electronic exchange of health information to improve the quality of health care, such as promoting care coordination"; and
  3. submits information on selected "clinical quality measures".   

In my view, the first round of "Meaningful Use" requirements should be specific and reasonably achievable by healthcare providers. For example, perhaps the terms could require that the healthcare provider demonstrate how he/she uses electronic prescribing at least 75% of the time; or, how a provider records patient notes and medical encounter information in a certified EHR for no less than 75% of his/her new patient encounters.   

 

Interestingly, the National Coordinator for HIT decided to “send the workgroup back to work on another set [of recommendations]" for defining Meaningful Use soon after the Workgroup released its first set of recommendations. In the second go around, I think that many in the healthcare industry hope to see Meaningful Use criteria that are attainable by healthcare providers on a practical level. Otherwise, the entire premise of the HITECH Act providing incentives to increase EHR adoption could be thwarted. 

 

Fox Rothschild to Participate at NIST and CMS Security Rule Conference

As HITECH refocuses the health care industry's attention on security, the role of the National Institute of Standards and Technology ("NIST") in developing standards for health information security will move closer to center stage.

On May 18, 2009, Fox Rothschild LLP will present at the NIST and CMS Security Rule Conference in Gaithersburg, Maryland, called "Safeguarding Health Information: Building Assurance Through HIPAA Security". Elizabeth Litten, Esq., a partner of Fox Rothschild's Health Law Group and Co-chair of its Government Relations practice group, will be presenting at the NIST/CMS Security Conference as part of a Panel Discussion on Assessments from the Organizational Perspective. The panel will share its experiences with, and expectations for, audits, assessments, and compliance reviews, and provide strategies for greater assessment efficiencies. For further information on the NIST/CMS Security Rule Conference, please visit the NIST website.

 

For a copy of the PowerPoint presentation prepared by Elizabeth and Helen Oscislawski, Esq. for the NIST/CMS Security Rule Conference, please visit our Blog again next week, or, if you subscribe to our Blog, a copy will be e-mailed to you directly.