The Stimulus Push for Electronic Health Records and Strengthened Privacy and Security
Electronic Health Record Incentives
A significant chunk of the American Recovery and Reinvestment Act of 2009 (ARRA), approximately $20 billion, is aimed at motivating health care providers to implement electronic health record (EHR) systems. The incentives will be paid in the form of increased Medicare and/or Medicaid payments. Medicare incentive payments will begin in 2011 and will be paid over four years for eligible hospitals and over five years for eligible health care professionals who can show "meaningful use" of a "certified EHR" system. The incentive program for hospitals is based on the "Medicare share" of a base payment amount of $2 million, adjusted based on the hospital’s discharge data. The Medicare share takes into account the proportion of inpatient bed days that are paid by Medicare, as well as an adjustment for charity care.
Hospitals and physicians who do not meet the requirements of meaningful use of certified EHRs by 2015 will be penalized through reduced Medicare payments. A significant hardship exception will be available for eligible hospitals until 2020 and for eligible professionals for up to five years.
There are three broad criteria defined in the ARRA for demonstrating that one is a meaningful EHR user: (1) meaningful use of certified EHR technology; (2) information exchange; and (3) reporting on measures using EHR. These criteria will be defined further as implementation of the new law moves forward. Meaningful users are hospitals or physician practices able to demonstrate that their EHR technology is connected in a way that improves the quality of health care through reported results in clinical quality and other measures selected by the Secretary of Health and Human Services. Meaningful EHR use includes e-prescribing and quality reporting, and may be demonstrated by attestation, survey response, appropriate claims, quality reporting, or other manners specified by the Secretary. A key aspect of meaningful use will be the interoperability of the EHR system, i.e., how well the system talks to other systems. "Certified EHR technology" will be technology that is certified by an independent body recognized by the secretary as meeting standards for such technology, to be established by the secretary by the end of 2009.
The ARRA provides for Medicaid incentive payments, but the details of exactly how Medicare and Medicaid payments will operate together remain unclear pending the adoption of specific regulations. Hospitals may receive additional federal aid if they participate in the U.S. Department of Health and Human Services’ Health Information Technology Extension Program, which is aimed at supporting and accelerating efforts to implement health care information technology in accordance with the standards, specifications and certification criteria to be established under the Health Information Technology for Economic and Clinical Health Act component of the ARRA.
On June 1, the National Committee on Vital and Health Statistics (NCVHS) issued a report of observations on meaningful use of health information technology, stemming from testimony from health care providers and other stakeholders at recent public hearings on the issue of meaningful use. In its report, NCVHS stressed several common themes that were addressed by most of the stakeholders who testified. These included a focus on how EHR technology can be used effectively to achieve quality outcomes, health status improvement and cost controls rather than on the mere acquisition of EHR technology; the need for clear and predictable milestones for phased transition toward the ultimate goals of effective EHR technology and meaningful use of EHR; the need for EHRs to effectively support patient-centered care, care coordination and population/public health management; additional work needed to harmonize key standards for EHR; and the importance of addressing public trust issues by making privacy and security policies an integral part of meaningful use of EHR technology. In its observational report, NCVHS noted that there appeared to be an information gap with regard to how hospitals would achieve meaningful use of EHR technology. The report indicated that the stakeholder discussion focused on the use of EHRs by physicians and other eligible professionals, but that more information is needed to fully understand hospital EHR capacity and the functionality of EHRs in the hospital setting.
Some providers have questioned whether the incentives and penalties established by the ARRA will be enough to encourage everyone to jump on the EHR bandwagon, given the significant time, expense and effort involved in developing and implementing EHR systems. Certainly, providers who are already in the process of developing/adopting an EHR system will likely slow those projects somewhat until certification requirements and "meaningful use" are more clearly defined. The Health IT Policy and Health IT Standards Committees are expected to release recommendations on the definition of "meaningful use" within about a month and complete an initial set of standards by the end of this year.
In addition to the ARRA provisions encouraging health care providers to adopt EHR systems, a separate component known as the Health Information Technology for Economic and Clinical Health Act (HITECH) is aimed at strengthening the privacy and security of all health records. HITECH’s requirements will significantly alter the privacy and security compliance obligations of covered entities and business associates. There remains a good deal of uncertainty regarding the details of the privacy and security changes to come under HITECH, because the implementing regulations have yet to be developed. However, a number of significant changes included in HITECH are clearly defined in the law and will alter the landscape of health care information privacy and security.
HITECH establishes new breach notification requirements applicable to covered entities and their business associates when breaches of unsecured PHI occur. Covered entities are required to notify individuals in writing if their PHI is disclosed, lost or otherwise compromised. In addition, following the discovery of a breach by a business associate, the business associate must notify the covered entity of the breach and identify the individuals whose unsecured PHI has been or is reasonably believed to have been breached. HITECH requires notifications to be made without unreasonable delay, and no later than 60 calendar days after discovery of the breach. If the breach involves 500 or more individuals, the covered entity must also inform HHS and prominent media outlets serving the area in question. There are exceptions for cases in which: (1) the breach is unintentional and made by an employee or individual acting under the authority of a covered entity or business associate, if the PHI was acquired, accessed or used in good faith and within the scope of employment or other professional relationship, and was not further accessed, used or disclosed; or (2) an inadvertent disclosure occurs by an individual authorized to access PHI at a facility operated by a covered entity or business associate to another similarly situated individual at the same facility, provided the PHI is not further accessed, used or disclosed without authorization.
On April 17, 2009, HHS issued guidance specifying the technologies that render PHI unusable, unreadable or indecipherable to unauthorized individuals. The guidance was developed through a joint effort by the HHS Office for Civil Rights, the Office of the National Coordinator for Health Information Technology, and the Centers for Medicare and Medicaid Services. It relates to two breach notification regulations to be adopted pursuant to HITECH: one to be issued by HHS for covered entities and business associates under HIPAA (discussed above); another to be issued by the Federal Trade Commission for vendors of personal health records and other non-HIPAA-covered entities. If the entities subject to regulation apply the technologies and methodologies specified in the guidance to secure information, they will not have to make the notifications required by the regulations in the event the information is breached. In other words, using the methodologies and technologies specified in the guidance to secure PHI through encryption or destruction essentially creates a safe harbor for covered entities and their business associates, eliminating the need to provide the required breach notifications, which apply only to breaches of unsecured PHI. The guidance will apply to breaches occurring 30 days after publication of the interim final rules. The requirements for methodologies and technologies to render PHI unusable, unreadable or indecipherable eventually will be adopted as a formal rule following HHS’s consideration of comments on the initial guidance.
Another major change under HITECH is that business associates will be directly subject to the HIPAA Privacy and Security Rules, which means that starting February 17, 2010, they must implement the administrative, physical and technical safeguards of the Security Rule, and they may use and disclose PHI only as allowed by the Privacy Rule. Business associates will be subject to penalties for violating the HIPAA Privacy and Security Rules. Currently, business associates are contractually bound to comply with applicable HIPAA privacy and security measures pursuant to business associate agreements with the covered entities with which they work. Under HITECH, however, business associates will be statutorily required to comply with the HIPAA Privacy and Security Rules and will be subject to penalties for failing to do so.
Additional changes under HITECH include the following:
- Individuals with sensitive health conditions they want to keep confidential, even from their insurance carriers, can request that disclosure of information regarding their health be kept confidential, provided the patient is willing to pay for care out of pocket. Covered entities must comply with requested restrictions of treatment, payment and operations (TPO) disclosures to health plans and not report the information at issue if it is not related to treatment and the patient paid in full, out of pocket.
- A covered entity using or disclosing PHI, or requesting PHI from another covered entity, must limit "to the extent practicable" disclosure to the limited data set as defined under HIPAA, or, if more information is needed, to the minimum necessary to accomplish the intended purpose of the use, disclosure or request. A limited data set is PHI from which facial identifiers have been removed, such as names, addresses, Social Security numbers, etc. The forthcoming guidance from HHS (expected by August 2010) on the details of this new disclosure threshold will determine the significance of this new requirement.
- Covered entities must be able to account for TPO disclosures of PHI used or maintained in an EHR system for three years prior to the date of a request, in electronic form.
- A patient will receive requested PHI in electronic format if the covered entity uses or maintains an EHR. The patient may designate another person to receive the transmittal without an authorization. The covered entity may only charge a fee commensurate with its labor costs of providing the PHI.
- Covered entities and business associates are expressly prohibited from selling electronic PHI without valid authorization, except under certain conditions.
- More stringent enforcement measures, including tiered penalties for HIPAA violations based upon an offender’s level of knowledge and actions taken to correct the violation; mandatory penalties for HIPAA violations due to "willful neglect"; and required formal HHS investigation of any complaints initially determined to involve willful neglect.
- State attorneys general may bring state actions to enforce HIPAA, seeking statutory damages and attorneys’ fees for violations. Previously, such enforcement was limited to the Office for Civil Rights within HHS.
The privacy and security changes required under HITECH provide a good opportunity for hospitals and other health care providers to dust off their HIPAA policies and procedures and re-examine them to ensure they effectively address today’s privacy and security concerns and challenges. Providers who already have a comprehensive HIPAA compliance plan will have a good foundation on which to build for purposes of meeting the new HITECH requirements. Even though business associates will now be required by statute to comply with the HIPAA Privacy and Security Rules, business associate agreements are still required, so hospitals and other covered entities will need to modify their existing business associate agreements to address the new compliance obligations highlighted above.
As discussed above, a number of significant health care information changes are on the horizon in the areas of electronic health records and stepped-up privacy and security, but compliance planning will depend in large part upon details that have yet to be determined. Stay tuned to Corridors for future updates on meaningful use of certified EHRs and new health information privacy and security requirements under HITECH.