David G. Schoolcraft
Ogden Murphy Wallace, PLLC
dschoolcraft@omwlaw.com

Part I – Federal Incentive Payments for Health IT
◦ Up to $36.5Billion in federal stimulus funding
◦ Unprecedented opportunity to advance “Health IT”
◦ Complex payment methodologies and some open issues

Part II – Significant Changes to HIPAA
◦
◦
◦
◦

Data Breach Notification Rules
Business Associate Agreements
Penalties & Enforcement
Accounting of Disclosures
Part III – Action Plan for 2009

Eligible Hospitals
◦ Medicare
 PPS factors: discharges, “Medicare Share”
 CAH factors: costs w/o depreciation, “Medicare Share”
◦ Medicaid
 10% of hospital’s “patient volume” (to be defined)
 No difference in payment methodology for PPS and CAH



Eligible Physicians (Medicare or Medicaid)
HIE Planning and Development Grants
EHR Adoption Loan Program

Washington Grace Hospital = 25 beds, Critical Access Hospital
◦ 2 Employed Physicians – Medicare ($44,000)
Estimates based on certain factual assumptions.
Subject to revision under final HHS regulations.

Washington Grace Hospital = 80 beds
◦ 4 Employed Physicians – Medicare ($44,000)
Estimates based on certain factual assumptions.
Subject to revision under final HHS regulations.
Incentives for Adoption and
“Meaningful Use” of “Certified
EHR Technology”
▶
▶
▶
▶
Demonstrate to the “satisfaction of the Secretary”
use of certified EHR in a meaningful manner
Certified EHR technology must be connected to
provide for the electronic exchange of health
information to improve the quality of care
Hospitals to submit information on clinical quality
and other measures as selected by the Secretary
More stringent measures over time




“Certified EHR technology” is a qualified electronic
health record meeting standards to be defined
Office of the National Coordinator for Health
Information Technology (“ONC”) to develop certification
program
Certification Commission for Healthcare Information
Technology (“CCHIT”) may be involved along with the
National Institute of Standards and Technology (“NIST”)
December 31, 2009 deadline for initial standards,
implementation specs and certification criteria

Fiscal year 2011-2015 (Oct. 2010)
◦ Phased Transition Schedule After 2013


HHS will determine how hospitals shall demonstrate
meaningful use (attestation, survey, etc.)
Amount
($2 MM + $200 (Discharges 1,150th - 23,000th)) * Medicare Share * Transition Factor
◦ Medicare Share = Medicare portion of inpatient days
adjusted upward for charity care.
◦ Transition Factor - Reduction by 25% per year for 4 years


Medicare incentives are paid on a transition
schedule.
After FY 2015, if a hospital is not a meaningful EHR
user then penalties begin
Meaningful FY 2011 FY 2012 FY 2013 FY 2014 FY 2015 FY 2016 FY 2017
EHR User
FY 2011
100%
75%
50%
25%
FY 2012
100%
75%
50%
25%
FY 2013
100%
75%
50%
25%
FY 2014
75%
50%
25%
FY 2015
50%
25%
After
33.33% 66.66%
100%
FY 2015

Washington Grace Hospital – 80 beds
Total Discharges
4,500
Medicare Patients
2,500
Medicare Inpatient Days
11,000
Total Inpatient Days
17,000
Total Hospital Charges
Total Charity Care
$ 190,000,000
Medicare
Share
65%
$ 2,000,000
Estimate of Medicare Incentive Payments*
2011
2012
2013
2014
$1,811,551
$1,358,663
$905,776
$452,888
Total
$4,075,990
*Estimate based upon existing statute in advance of HHS rule making
.



If a meaningful EHR user by 2015, CAH may expense certain
EHR costs in one year for cost reporting purposes (nondepreciated basis) and certain costs from prior periods
Calculation uses Medicare Share amount + 20%
Equation:
101% * Reasonable Cost of EHR System * (Medicare Share + 20%)

If CAH is not a meaningful user by 2015 or thereafter,
percentage reimbursement will be reduced to 100.66% in
2015, 100.33% in 2016 and 100% in 2017

Washington Grace CAH – 25 beds
Total Discharges
170
Medicare Patients
110
Medicare Inpatient Days
260
Total Inpatient Days
350
Total Hospital Charges
Medicare Share
75% + 20% = 95%
(20% increase for CAH)
$ 8,500,000
Total Charity Care
$120,000
Annual Cost of EHR System
$350,000
Estimate of Incentive Payments*
2011
2012
2013
$337,060
$337,060
$337,060
2014
$337,060
Assumes costs remain the
same over all four years
Total
$1,348,242
*Estimate based upon existing statute in advance of HHS rule making.

CAH’s who have not implemented EHR’s by 2015
may be subject to reductions

10% of “Patient Volume” on Medical Assistance
◦ To be defined by Secretary of HHS
◦ Inpatient vs. outpatient volumes



States allocate the money
Year 1 – Demonstrate efforts to adopt, implement or
upgrade EHR system
Years 2-6 – Demonstrate “meaningful use”

Washington Grace CAH – 25 beds
Total Discharges
170
Medicaid Patients
30
Medicaid Patient Volume
17%
Avg Rate of Growth
6.73%
Medicaid Inpatient Days
35
Total Inpatient Days
350
Total Hospital Charges
$ 8,500,000
Total Charity Care
$ 120,000
2011
$183,004
Medicaid
Share
10%
Incentive Payments
2012
2013
$137,427
$91,742
Total
$458,109
2014
$45,937

Physician incentive payments are 75% of Medicare allowed
charges
◦ Penalties – reduction in physician fee schedule

10% increase in incentives if physician practices in a
designated health professional shortage area
Meaningful FY 2011 FY 2012 FY 2013 FY 2014
EHR User
$ 18,000 $ 12,000 $ 8,000 $ 4,000
FY 2011
$ 18,000 $ 12,000 $ 8,000
FY 2012
$ 15,000 $ 12,000
FY 2013
$ 12,000
FY 2014
After
FY 2015
FY 2015 FY 2016 FY 2017
$
$
$
$
2,000
4,000 $ 2,000
8,000 $ 4,000
8,000 $ 4,000
1%
2%
Total
$
$
$
$
3%
44,000
44,000
39,000
24,000

Hospitals may be able to collect incentive
payments for certain employed physicians, but
note that “hospital-based” physicians are excluded
Excluded Physicians
Pathologists
Anesthesiologists
Emergency Physicians
New Compliance Obligations
and
More Regulations to Come
Feb.
2009
Sept.
2009
Feb.
2010
Increased
penalties
Enforcement by States
Attorney General
Data Breach Notification Requirements
Application to
Business
Associates
Marketing Restrictions
Jan.
2011
Accounting of disclosures for adopters of EHR
after 1/1/2009
Jan.
2014
Accounting of disclosures for EHR adopters
before 1/1/2009




Requires that covered entities notify patients of
any unauthorized acquisition, access, use, or
disclosure of “unsecured” PHI
Date of discovery – first day breach was known or
should have been known
Notice within 60 days of discovery
If+500, then notice to media and HHS




Recent HHS Guidance
Reference to NIST Publication 800-100
Internal review and risk analysis
Data encryption technologies


Currently – Business Associates not directly
regulated by HIPAA
Application of HIPAA Security Requirements
◦
◦
◦
◦


Administrative Safeguards
Physician Safeguards
Technical Safeguards
Documentation Requirements
Requirement to notify Hospital if there is a breach
Open question regarding mandatory revisions to
Business Associate Agreements





Expansion of criminal and civil penalties
Tiered penalties tied to violator’s level of intent
Periodic audits by HHS
Victims may receive percentage of civil penalties
State Attorney General may bring an action
provided an action by HHS is not pending



Eliminates existing exception limiting accounting for
disclosures other than treatment, payment and health care
operations
Will require significant operational changes, but may be
aided by improved IT systems
Staggered effective dates:
EHR Acquired
Effective Date
Before 1/1/2009
1/1/2014
After 1/1/2009
1/1/2011



Prepare estimate of health IT incentive funds
available for your facility
Analyze Medicare and Medicaid incentive
payments for hospitals (PPS/CAH) and eligible
physicians
Monitor HHS, ONC, CCHIT, NIST for development
of standards for “certified EHRs” and “meaningful
use”




Develop data breach prevention and response plan
Assess data security in light of new federal standards
Implement additional data security measures deemed
necessary and appropriate following risk analysis
Develop reporting and communications plan in
conjunction with IT service providers:
◦ Internal reporting and incident review
◦ Required external communications (patients, media,
government)
◦ Methods to address follow up inquiries from patients and/or
media


Careful review of information technology
transactions– from due diligence during system
selection through contracting
Ensure that all information technology
transactions are HITECH-Ready
◦ Vendor/service provider commitments regarding data
security and accounting of disclosure requirements
◦ Updated Business Associate Agreement
◦ Functionality necessary to obtain or maintain “certified
EHR” status and to facilitate “meaningful use”
David G. Schoolcraft
dschoolcraft@omwlaw.com
206.447.7211