South Carolina Healthcare Financial Management Association

Legal Implications of HIT: Practical Tips for
Compliance and Vendor Contracting
June 1, 2011
Mark L. Bender, JD
(803) 253-8212
mbender@nexsenpruet.com
Jeanne M. Born, RN, JD
(803) 540-2038
jborn@nexsenpruet.com
Nexsen Pruet, LLC
http://www.nexsenpruet.com
HIPAA/HITECH
• Administrative Simplification provisions of the
Health Insurance Portability and Accountability
Act of 1996 (“HIPAA”)
• American Recovery and Reinvestment Act of
2009
– Health Information Technology for Economic and
Clinical Health Act of 2009 (“HITECH”);
• Division A, Title VIII, Subtitle D – Privacy
• Division B, Title IV – Medicare/Medicaid Incentives
• Assumptions: I will assume that you all speak
“HIPAA” & “HITECH”
HIPAA/HITECH
• HITECH made multiple changes in the existing HIPAA
Statutes, Privacy Standards and Security Standards
that directly affect covered entities, business
associates and others.
• HITECH also provides for economic incentives to
encourage the implementation of EHRS for hospitals
and other “eligible providers.”
• This presentation is intended to be a high-level
overview of some, not all, of the legal issues that
arise out of the changes effected by HITECH and the
regulations & guidance published pursuant to
HITECH (to date) and implementing HIT.
Overview
• Legal & compliance issues with
implementing the HITECH changes in the
Privacy and Security regulations.
• Legal & compliance issues with
implementing the Medicare & Medicaid
Incentive Program meaningful use
regulations.
• Additional legal issues in HIT implementation
including:
• Practical tips for EHR system contracting.
Proposed Regulations
• July 14, 2010: Notice of Proposed
Rulemaking: Modifications of the HIPAA
Privacy, Security, and Enforcement Rules
Under HITECH (the “NPRM”)
• Purpose: To implement several provisions of
HITECH and broaden individual privacy
rights.
• Still no final rule.
• A copy of the NPRM is at the following
website:
http://edocet.access.gpo.gov/2010/201016718.htm
July 14, 2010 NPRM
• The July 14 NPRM implements the HITECH provisions,
which were to be effective February 17, 2010.
• However . . .
• The NPRM states the following: “We note that the final
rule will not take effect until after most of the
provisions of the HITECH Act became effective on
February 18, 2010. We recognize that it will be difficult
for covered entities and business associates to comply
with the statutory provisions until after we have
finalized our changes to the HIPAA Rules. In addition,
we recognize that covered entities and business
associates will need some time beyond the effective
date of the final rule to come into compliance with the
final rule’s provisions. In light of these considerations,
we intend to provide covered entities and business
associates with 180 days beyond the effective date of
the final rule to come into compliance with most of the
rule’s provisions.” 75 F.R. 40868, 40871.
July 14, 2010 NPRM
• March 15, 2010 on the OCR website:
http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hitechblurb.html
– “Although the effective date (February 17, 2010)
for many of these HITECH Act provisions has
passed, the NPRM, and the final rule that will
follow, provide specific information regarding the
expected date of compliance and enforcement of
these new requirements.”
• Upshot? While this was a “stay of execution” we
highly recommend that you go forward with taking
steps toward compliance – both Covered Entities
and Business Associates.
Business Associates Subject to
Security Provisions
• Section 13401(a) provides that certain Security
Standard provisions apply to Business Associates
(“BA”) in the same manner as Covered Entities
(“CE”):
– 45 CFR §164.308 – Administrative Safeguards
– 45 CFR §164.310 – Physical Safeguards
– 45 CFR §164.312 – Technical Safeguards
– 45 CFR §164.316 – Policies and procedures
and documentation requirements
– The additional requirements of HITECH that
relate to security and that are made
applicable with respect to CEs shall also be
applicable to BAs.
• And shall be incorporated into the BA
Agreement (“BAA”) between the BA and the CE.
Business Associates Subject to
Security Provisions: NPRM
• Accountants are business associates if
the accountant provides accounting
services on behalf of a covered entity
and the accountant uses PHI (includes
payment information) to provide those
services.
• Also adds obligations for BAs to pass on
BA obligations to subcontractors.
Section 13401(c): Guidance on
Security Rule Risk Analysis
Requirements
• On July 14, 2010, HHS published guidance on
compliance with risk analysis requirements
under the security rule:
• http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf
• Very useful for CEs and BAs.
• Will be updated after the final HITECH
implementing regulations are published.
• A risk analysis (conduct or review) is also one
of the required measures in the meaningful
use regulations.
Section 13404: Application of Privacy
Provisions and Penalties to BAs
• (a) Provides that the following privacy provisions apply
directly to BAs:
– 45 C.F.R. §§ 164.502(e) and 164.504(e) (Re: BAAs)
– The additional provisions in HITECH that relate to privacy that
apply to CEs also apply to BAs.
– NPRM broadly includes BAs in §§ 164.502 and 164.504(e).
– NPRM includes new provision on subcontractors of BAs.
• (b) Provides that a BA must take steps to cure a breach
of the BAA by the CE, terminate the BAA, or report to
DHHS if the CE violates the BAA (“Snitch provision”).
• (c) Provides that if a BA violates (a) or (b), then the BA
is subject to the HIPAA Statutory civil and criminal
penalties (42 U.S.C. §§1320d-5 & 1320d-6).
Civil and Criminal Provisions of
HIPAA apply to BAs
• Section 13401(b) provides that if a BA
violates any of the Security provisions
in Section 13401(a), the civil and
criminal provisions of the HIPAA statute
apply to the BA in the same manner as
a CE.
• Significant for BAs: Previously, the
only recourse against a BA was an
action under the BAA.
Criminal Penalties:
42 U.S.C. §1320d-6
• (a) A person who knowingly and in violation of this part:
– (1) uses or causes to be used a unique health identifier;
– (2) obtains IIHI relating to an individual; or
– (3) discloses IIHI to another person,
shall be punished as provided in subsection (b) of this section.
• (b) Penalties. A person described in subsection (a) of this section shall:
– (1) be fined not more than $50,000, imprisoned not more than 1 year, or both;
– (2) if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and
– (3) if the offense is committed with intent to sell, transfer, or use IIHI for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.
Notification of Breach:
Section 13402
• A CE that accesses, maintains, retains,
modifies, records, stores, destroys, or
otherwise holds, uses or discloses unsecured
protected health information shall, in the
case of a breach, notify the individual whose
unsecured protected health information has
been or is reasonably believed by the CE to
have been accessed, acquired, or disclosed
as a result of such breach.
• BAs shall notify the CE of such breaches.
Breach: Section 13400(1)
• (A) IN GENERAL.—The term ‘‘breach’’
means the unauthorized acquisition,
access, use, or disclosure of protected
health information (“PHI”) which
compromises the security or privacy of such
information, except where an unauthorized
person to whom such information is
disclosed would not reasonably have been
able to retain such information.
Breach: Section 13400(1)
• (B) EXCEPTIONS.—The term ‘‘breach’’ does not include—
• (i) any unintentional acquisition, access, or use of PHI by an
employee or individual acting under the authority of a CE or
BA if—
• (I) such acquisition, access, or use was made in good faith
and within the course and scope of the employment or
other professional relationship of such employee or
individual, respectively, with the CE or BA; and
• (II) such information is not further acquired, accessed,
used, or disclosed by any person; OR
• (ii) any inadvertent disclosure from an individual who is
otherwise authorized to access PHI at a facility operated by
a CE or BA to another similarly situated individual at same
facility; and
• (iii) any such information received as a result of such
disclosure is not further acquired, accessed, used, or
disclosed without authorization by any person.
Definition of Breach
• Published the interim final rule on August 24, 2009:
45 C.F.R. §§164.400 – 164.414.
• Modified the definition of breach . . .
• Added a “harm” standard by defining “compromises
the security or privacy of [protected health]
information” as follows:
– Poses a significant risk of financial, reputational,
or other harm to the individual.
• Senator Waxman did not like this change and
informed Secretary Sebelius by letter dated October
1, 2009.
• This was not addressed in the NPRM.
Status of Breach Notification
Interim Final Rule & Final Rule
• Interim Final Breach Notification Rule can be
found at:
http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf
• A final breach rule was submitted to the OMB
in late July of 2010, but it was withdrawn.
• http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/finalruleupdate.html
• Upshot: the interim final rule stands. Stay
tuned.
Unsecured PHI:
Section 13402(h)
• Unsecured Protected Health Information
(“Unsecured PHI”): PHI that is not secured
by a technology standard that renders PHI
unusable, unreadable, or indecipherable to
unauthorized individuals and is developed or
endorsed by a standards developing
organization that is accredited by the
American National Standards Institute.
• Guidance published April 17, 2009.
Notification of Breach
• Guidance published April 17, 2009 provides that the
technologies and methodologies that render PHI
unusable, unreadable, or indecipherable to
unauthorized individuals are:
– Electronic PHI that has been encrypted
• Data at rest – NIST Special Publication 800-111
• Data in motion – FIPS 140-2 (Includes NIST Special
Publications 800-52, 800-77 or 800-113)
– Media on which PHI is stored or recorded has been
destroyed:
• Paper, film or hard copy: shredded or destroyed such
that it cannot be reconstructed
• Electronic media: cleared or purged consistent with
NIST Special Publication 800-88
• FIPS: www.itl.nist.gov/fipspubs/index.htm
• NIST: www.nist.gov/
Notification of Breach
• Notice must be made within 60 days of when the
CE knows or should have reasonably known of the
breach.
• Individuals: notice is provided in writing by first
class mail or by e-mail if the individual provided
a preference.
• If contact information is out of date (including 10
or more such individuals), post a toll free number
on the CE’s website where individuals can learn if
their unsecured PHI has been breached.
• Regulations add provisions for deceased
individuals and when contact information is
insufficient or out of date:
– Fewer than 10: alternative form of written notice,
telephone or other means
– 10 or greater: conspicuous posting for 90 days on CE’s
webpage or in major broadcast media AND contact
information.
Notification of Breach
• If notification is urgent because of possible misuse, may
telephone the individual(s)
• If 500 or more individuals are involved, notice must be
provided to prominent media outlets.
• Notice must be provided to the Secretary of DHHS;
– if 500 or more individuals are involved, this notice
must be given immediately
– If fewer than 500, the CE may keep a log and
disclose to the Secretary annually.
• The Secretary of DHHS will post the identities of the
CEs involved in breaches where more than 500
individuals are involved.
• See the OCR posting (225 recorded breaches >500 to
date) at
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
Notification of Breach
• Breach notification webpage:
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html
• Guidance for notifying Secretary of
breaches:
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html
– Submit Notice of a Breach Affecting 500 or More
Individuals
– Submit Notice of a Breach Affecting Fewer than
500 Individuals
Notification of Breach
• Content of notice:
– Brief description of what happened (include date
of breach and date of discovery)
– A description of the types of Unsecured PHI
involved in the breach
– The steps that individuals should take to protect
themselves from potential harm
– A brief description of what the CE is doing to
investigate, mitigate losses and protect against
further breaches
– Contact information (toll-free telephone number,
an e-mail address, web site, or postal address)
Notification of Breach
• Notice can be delayed if necessary if
law enforcement determines that
notice:
– Would impede a criminal investigation
– Cause damage to national security
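The Section 13402 notification obligations on the preceding slides, worked as a checklist in Python. This is an added example, not from the presentation; the breach facts are constructed, and the secured flag assumes the security team has already determined whether the PHI was encrypted (NIST SP 800-111 / FIPS 140-2) or destroyed (NIST SP 800-88) under the April 17, 2009 guidance.

```python
"""Breach notification checklist derived from HITECH section 13402 (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class BreachFacts:
    discovered: str          # ISO date the CE knew, or reasonably should have known, of the breach
    individuals: int         # number of individuals whose PHI was involved
    bad_contacts: int = 0    # individuals with insufficient or out-of-date contact information
    secured: bool = False    # assumption: PHI already judged encrypted/destroyed per HHS guidance
    le_delay: bool = False   # law enforcement determined notice would impede an investigation


# Plain-language text for each step code, taken from the slides above.
STEP_TEXT = {
    "INDIVIDUAL_WRITTEN": "Written notice to each individual by first-class mail, "
                          "or e-mail if the individual chose it",
    "SUBSTITUTE_ALTERNATIVE": "Fewer than 10 unreachable: alternative written notice, "
                              "telephone, or other means",
    "SUBSTITUTE_POSTING": "10 or more unreachable: conspicuous 90-day posting on the CE "
                          "website or major broadcast media, plus a toll-free number",
    "MEDIA": "500 or more individuals: notice to prominent media outlets",
    "SECRETARY_IMMEDIATE": "500 or more individuals: notify the Secretary of DHHS "
                           "immediately (CE will be posted on the OCR breach list)",
    "SECRETARY_ANNUAL": "Fewer than 500 individuals: keep a log and disclose to the "
                        "Secretary annually",
    "LE_DELAY": "Notice may be delayed while law enforcement determines it would "
                "impede a criminal investigation or damage national security",
}


def notification_plan(facts):
    """Return (notice_required, deadline ISO date or None, list of step codes)."""
    if facts.secured:
        # Secured PHI is not 'unsecured PHI' under section 13402(h): no notice duty.
        return False, None, []
    # Notice must be made within 60 days of actual or constructive knowledge.
    deadline = (date.fromisoformat(facts.discovered) + timedelta(days=60)).isoformat()
    steps = ["INDIVIDUAL_WRITTEN"]
    if facts.bad_contacts >= 10:
        steps.append("SUBSTITUTE_POSTING")
    elif facts.bad_contacts > 0:
        steps.append("SUBSTITUTE_ALTERNATIVE")
    if facts.individuals >= 500:
        steps += ["MEDIA", "SECRETARY_IMMEDIATE"]
    else:
        steps.append("SECRETARY_ANNUAL")
    if facts.le_delay:
        steps.append("LE_DELAY")
    return True, deadline, steps


def describe(facts):
    """Human-readable checklist lines for a breach response ticket."""
    required, deadline, steps = notification_plan(facts)
    if not required:
        return ["PHI was secured per HHS guidance: no breach notification required"]
    lines = [f"Individual notice no later than {deadline} (60 days from discovery)"]
    return lines + [STEP_TEXT[s] for s in steps]


if __name__ == "__main__":
    # Constructed scenario: a lost unencrypted disk covering 1,500 individuals.
    for line in describe(BreachFacts("2011-04-01", 1500, bad_contacts=25)):
        print(line)
```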
Section 13405(a): Restrictions
• Provides that a CE must comply with a
request for a restriction (45 C.F.R.
§164.522(a)(1)(i)(A)) in the use or
disclosure of PHI if the purpose of the use
or disclosure is NOT treatment and if
payment is out of pocket in full.
• Upshot: Amend your HIPAA policies and
procedures and your Notice of Privacy
Practices to add this requirement and
flag your PHI if such a restriction is
requested.
• NPRM implements this provision.
Section 13405(b): Disclosures
Limited: Minimum Necessary
• (b)(1) A CE will be in compliance with the minimum
necessary standard (45 C.F.R. §164.502(b)) if the CE
uses, discloses or requests only a limited data set
(45 C.F.R. §164.514(e)(2)); if the limited data set is
not sufficient, then the minimum necessary PHI to
accomplish the purpose may be disclosed.
• DHHS is to publish guidance on what constitutes
“minimum necessary” within 18 months of the
publication of HITECH (February 17, 2009). Interestingly,
the Notice of Proposed Regulations did not define
the “minimum necessary standard.”
• Publication was to be made by August 17, 2010.
• No guidance published as yet.
• Upshot? Guidance will affect multiple
policies/procedures and likely business practices as
well. Be on the lookout!
Section 13405(c): Accounting
of Disclosures
• (c) If a CE maintains an EHR with respect to PHI,
then the accounting of disclosures includes
disclosures for treatment, payment and health
care operations (“TPO”), but
• The accounting may be requested for only the
prior three (3) years.
• DHHS was to promulgate regulations within 6
months after DHHS adopts standards on
accounting for disclosures for TPO in Section
3002(b)(2)(B)(iv) of HITECH.
• The proposed date for accounting of disclosures
was January 11, 2011.
Section 13405(c): Accounting of
Disclosures
• On May 3, 2010, DHHS published a “request for
information” asking for information re:
– Interests of individuals as to disclosures for TPO
through an EHR;
– The administrative burden on CEs and BAs;
– Other information to help rulemaking.
• Comment period ended May 18, 2010.
• The NPRM was published in the Federal Register May 31,
2011:
• See: http://www.gpo.gov/fdsys/pkg/FR-2011-0531/pdf/2011-13297.pdf
Section 13405(c): Accounting of
Disclosures: NPRM
• Divided into 2 rights: Applies to CEs and BAs
• Right to an accounting (paper & EHR) – 3-year period
• Right to an access report (EHR only) – 3-year period
– Includes who has accessed the individual’s E-PHI held by
a CE or BA.
– Does not distinguish between “uses” and “disclosures,”
and thus, would apply when any person accesses an
electronic designated record set, whether that person is
a member of the workforce or a person outside the CE.
– identifies the date, time, and name of the person (or
name of the entity if the person’s name is unavailable)
who accessed the information, a description of the PHI
that was accessed; and
– the user’s action, but only to the extent that such
information is available.
– Right to an access report must be added to the NPP.
Section 13405(c): Accounting of
Disclosures: NPRM
• Exempts accounting of impermissible disclosures that have been reported to the individual as a breach.
• Disclosures included in the accounting:
– For public health activities except disclosures to report child abuse
– For judicial and administrative proceedings
– For law enforcement purposes
– To avert a serious threat to health or safety
– For military and veterans activities, the Department of State’s medical suitability determinations, and government programs providing public benefits
– For workers’ compensation
Section 13405(c): Accounting of
Disclosures: NPRM
• Disclosures to carry out treatment, payment
and health care operations as provided in
§164.506 would continue to be exempt for
paper records.
• An individual would be able to obtain
information (such as the name of the person
accessing the information) for all access to
E-PHI stored in a designated record set for
purposes of treatment, payment and health
care operations.
Section 13405(c): Accounting of
Disclosures: NPRM
• Excludes from the ACCOUNTING:
– disclosures about victims of abuse, neglect, or domestic violence under § 164.512(c);
– disclosures for health oversight activities under § 164.512(d);
– disclosures for research purposes under § 164.512(i);
– disclosures about decedents to coroners and medical examiners, funeral directors, and for cadaveric organ, eye, or tissue donation purposes under § 164.512(g) and (h);
– disclosures for protective services for the President and others under § 164.512(k)(3); and
– most disclosures that are required by law (including disclosures to the Secretary to enforce the HIPAA Administrative Simplification Rules).
• But, the foregoing is to be available in the ACCESS REPORT to the extent these disclosures are made through the EHR.
Section 13405(c): Accounting of
Disclosures: NPRM
• Content of the accounting:
– The date, or approximate date or period of time during which the disclosure occurred which, at a minimum, shall include the month and year or a description of when the disclosure occurred from which an individual can readily determine the month and year of the disclosure;
– The name of the entity or person who received the PHI and, if known, the address of such entity or person;
– Brief description of the type of PHI disclosed;
– Brief description of the purpose of the disclosure.
Section 13405(c): Accounting of
Disclosures: NPRM
• Provision of the Accounting:
– CE must act on the individual’s request for an accounting no later than 30 days after receipt of such request.
– If the CE is unable to provide the accounting within that time, the CE may extend the time by no more than 30 days provided that (1) the CE provides a written statement of the reason for the delay and the date by which the CE will provide the accounting and (2) the CE may have only 1 such extension.
– CE must provide the accounting in the form and format requested by the individual (there are a few exceptions).
– CE must provide the first accounting to an individual in any 12-month period without charge.
Section 13405(c): Accounting of
Disclosures: NPRM
• Documentation of the Accounting:
– CE or BA must retain the information required to be included in an accounting under this section for three years from the date of disclosure.
– CE must document and retain the following:
• A copy of the written accounting that is provided to the individual
• Titles of the persons or offices responsible for receiving and processing requests for an accounting by individuals
Section 13405(c): Accounting of
Disclosures: NPRM
• Content of the Access Report (likened to an audit log, as required under the Security Rule):
– All disclosures AND USES of E-PHI in the designated record set (not limited to uses and disclosures made through the EHR).
– CE must provide the individual with an access report that includes the following:
• Date of access; time of access; name of natural person; description of what information was accessed; description of action by the user.
– CE shall provide the individual with the option to limit the access report to a specific date, time period, or person.
Section 13405(c): Accounting of
Disclosures: NPRM
• Provision of the Access Report:
– CE must act on the individual’s request for an access report no later than 30 days after receipt.
– CE must provide the individual with the access report in a machine readable or other electronic form and format requested by the individual, if it is readily producible in such form and format.
– CE must provide the first access report to an individual in any 12-month period without charge.
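An illustration of how the proposed access report (content and provision slides above) maps onto a Security Rule audit log, as an added example that is not from the presentation or any EHR vendor. The log format, user names and entries are constructed; the three-year window is applied as of a caller-supplied date, and the machine-readable output is CSV.

```python
"""Build a patient access report from EHR audit-log entries (added example)."""
import csv
import io
from datetime import datetime, date, timedelta

# Constructed audit log: timestamp, user (or "entity:" when no natural person is
# recorded), patient id, PHI category, action. Real EHR audit logs differ.
SAMPLE_AUDIT_LOG = """\
2011-05-02T09:14:33 jdoe P001 lab_results view
2011-05-02T09:20:01 jdoe P002 medications view
2011-05-03T14:05:12 entity:BillingVendorLLC P001 claims export
2011-05-04T08:00:45 asmith P001 progress_notes update
2011-05-04T08:02:10 asmith P001 allergies view
2008-01-15T10:00:00 rlee P001 demographics view
"""


def parse_audit_log(text):
    """Parse the constructed whitespace-separated log into dicts."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, category, action = line.split()
        entries.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "patient": patient, "category": category, "action": action})
    return entries


def access_report(entries, patient, start=None, end=None, person=None, as_of=None):
    """Rows for one patient covering uses AND disclosures of E-PHI.

    start/end/as_of are ISO dates. The NPRM lets the individual limit the report
    to a date, time period, or person; entries older than the three-year period
    (measured from as_of) fall outside the right and are omitted.
    """
    as_of_date = date.fromisoformat(as_of) if as_of else date.today()
    cutoff = as_of_date - timedelta(days=3 * 365)
    start_d = date.fromisoformat(start) if start else None
    end_d = date.fromisoformat(end) if end else None
    rows = []
    for e in entries:
        d = e["ts"].date()
        if e["patient"] != patient or d < cutoff:
            continue
        if (start_d and d < start_d) or (end_d and d > end_d):
            continue
        if person and e["user"] != person:
            continue
        # Name of the natural person, or the entity name when the person is unavailable.
        user = e["user"]
        name = user[len("entity:"):] + " (entity)" if user.startswith("entity:") else user
        rows.append({"date": d.isoformat(), "time": e["ts"].time().isoformat(),
                     "name": name, "description": e["category"], "action": e["action"]})
    rows.sort(key=lambda r: (r["date"], r["time"]))
    return rows


FIELDS = ["date", "time", "name", "description", "action"]


def report_csv(rows):
    """Machine-readable form of the report, one row per access."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    entries = parse_audit_log(SAMPLE_AUDIT_LOG)
    print(report_csv(access_report(entries, "P001", as_of="2011-06-01")))
```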
Section 13405(c): Accounting of
Disclosures: NPRM
• Documentation of the Access Report:
• CE or BA must retain the information
required to be included in an access
report under this section for three
years from the date of the use or
disclosure.
Section 13405(c): Accounting of
Disclosures (cont’d)
• In processing a request for an
accounting, the CE may elect:
– An accounting of disclosures of
the CE and BAs; or
– An accounting of disclosures of
the CE and a list of BAs the
individual can contact with
contact information.
Section 13405(d): Prohibition on the Sale
of EHRs or PHI
• A CE or BA shall NOT directly or indirectly receive
remuneration in exchange for any PHI of an individual
unless the CE obtains a valid HIPAA authorization that
includes a specification of whether the PHI can be
further exchanged for remuneration by the receiver.
• The prohibition does not apply to the following
disclosures:
– Public health activities (45 C.F.R. §164.512(b))
– Research purposes (45 C.F.R. §164.512(i)) and the
price charged reflects the cost of preparation and
transmittal of the data;
– Treatment
– Due diligence disclosures in connection with the sale
or transfer of assets of a potential successor in
interest
– Disclosures to the BA
– Access by the individual subject of the PHI
– As otherwise determined by DHHS
Section 13405(d): Prohibition on the
Sale of EHRs or PHI
• Regulations were to be published by
August 17, 2010 . . . Stay tuned.
• Upshot? Review vendor contracts to be
sure that appropriate BA language is
part of the agreement.
Section 13405(e): Access to Certain
Information in Electronic Format
• In applying the Privacy Standards access provisions
(45 C.F.R. §164.524), an individual has the right to
obtain information in electronic format and direct
the CE to provide it directly to an entity or person
identified by the individual, provided the choice is
clear, conspicuous and specific.
• Any fee charged by the CE for such access cannot be
greater than the CE’s actual labor cost.
• NPRM implements this provision.
• Upshot?
– Update your Access policy/procedure to
implement – work through issues related to how
you will allow such access in a manner consistent
with your security policies/procedures.
– Update your Notice of Privacy Practices.
– Note: Meaningful Use provisions require that
access is provided within 3 days!
Section 13406(a): Conditions on Certain
Contacts as Part of HCO: Marketing
• Generally, a communication by a CE or BA that is
about a product or service and that encourages
recipients of the communication to purchase or
use the product or service [shall not be
considered a health care operation (“HCO”)][is
marketing and prohibited unless you obtain an
authorization] unless the communication is made:
– that describes health-related products or
services provided by the CE making the
communication;
– for the treatment of a patient; or
– for case management or care coordination of a
patient, or to direct or recommend alternative
treatments, health care providers or settings
of care to the patient.
Section 13406(a): Conditions on Certain Contacts
as Part of HCO: Marketing
• If the CE receives payment in exchange for any of those
communications, then the communication is not a HCO
(authorization required) except where:
– Such communication describes only a drug or biologic
that is currently being prescribed for the recipient of
the communication and any direct or indirect payment
received by such CE (not for treatment) in exchange for
making a communication is reasonable in amount; &
– Where each of the following conditions apply:
• The communication is made by the CE; and
• The CE making the communication obtains from the
recipient of the communication a valid HIPAA
authorization; Or
– Where each of the following conditions apply:
• The communication is made by a BA on behalf of a
CE; and
• The communication is consistent with the written
agreement between the BA and CE.
Section 13406(a): Conditions on Certain
Contacts as Part of HCO: Marketing
• Reasonable: DHHS to define by
regulation.
• Direct or Indirect payment: Does not
include any payment for treatment
as defined in 45 C.F.R. §164.501.
• NPRM proposing significant changes
in this provision to simplify . . .
Marketing and the July 14, 2010 NPRM
• Revisions to better distinguish the exception for
treatment communication from those communications
made for health care operations;
• Add a definition for “financial remuneration;”
• Health care operations communications for which
financial remuneration is received are marketing and
require authorization;
• Written treatment communications for which financial
remuneration is received are subject to certain notice and
opt out requirements (include in the NPP);
• Provide a limited exception for refill reminders; and
other changes.
• Upshot?
– Review your marketing activities and update your
HIPAA marketing policies/procedures.
• Too confusing!!! Stay tuned.
Section 13406(b): Conditions on Certain
Contacts as Part of Health Care Operations:
Opt out of Fundraising
• Any written fundraising request shall include, in
a clear and conspicuous manner, an opportunity
for the individual to elect to opt out of
receiving future fundraising communications.
• Such election shall be treated as a revocation
of a HIPAA authorization.
• NPRM implements this provision.
• Upshot?
– Review your fundraising communications to assure
that all communications include opt out language.
– Monitor compliance with patients who do opt out.
Section 13408: BA Contract
Required for Certain Entities
• Requires the following entities to enter into
a BAA with the CE:
– Health Information Exchange Organizations;
– Regional Health Information Organizations;
– E-prescribing Gateway; and
– Each vendor that contracts with a CE to allow the CE to offer a PHR to patients as part of its EHR.
• Upshot: If you disclose PHI to HIEOs, RHIOs,
or an E-prescribing Gateway, be sure to
enter into a BAA with the entity.
Section 13409: Clarification of Application of
Wrongful Disclosures Criminal Penalties
• Amends 42 U.S.C. §1320d-6(a) to
make it clear that the criminal
penalties apply to employees and
other individuals.
Section 13410(a) & (b):
Improved Enforcement
• Section 13410(a) Significantly revises 42 U.S.C.
§1320d-5 to include non-compliance due to
willful neglect and requires DHHS to investigate
if a complaint indicates a violation due to
willful neglect.
• Section 13410(b)
– Makes 13410(a) changes effective 24 months from
the date HITECH published.
– DHHS required to promulgate regulations to
implement this provision within 18 months of the
publication of HITECH – not published yet.
Section 13410(c): Improved
Enforcement
• Distribution of Civil Money Penalties
(“CMPs”):
– $$ go to the Office for Civil Rights to be
used for enforcement purposes.
- Harmed individuals may share in civil
monetary penalties. Within three years a
mechanism for collection will be
developed.
Section 13410(d): Improved
Enforcement
• Tiered increase in CMPs:
– (a) $100 for each violation, the total not to
exceed $25,000 for identical violations during a
calendar year;
– (b) $ 1,000 for each violation, the total not to
exceed $100,000 for identical violations during a
calendar year;
– (c) $ 10,000 for each violation, the total not to
exceed $250,000 for identical violations during a
calendar year; and
– (d) $ 50,000 for each violation, the total not to
exceed $1,500,000 for identical violations during
a calendar year.
Section 13410(d): Improved
Enforcement
• Application of tiers:
– A violation where the person did not know and by
exercising due diligence would not have known,
the penalty will be not less than (a) but not more
than (d).
– A violation due to reasonable cause, but not
willful neglect, the penalty will be not less than
(b) but not more than (d).
– A violation due to willful neglect:
• If corrected, the penalty will be not less than (c) but
not more than (d);
• If not corrected, the penalty will be not less than (d).
Interim Final Enforcement Rule
• Published October 30, 2009 and can be found at
http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/enfifr.pdf
• Definitions:
– Reasonable cause means circumstances that would
make it unreasonable for the covered entity, despite
the exercise of ordinary business care and prudence,
to comply with the administrative simplification
provision violated.
– Reasonable diligence means the business care and
prudence expected from a person seeking to satisfy
a legal requirement under similar circumstances.
– Willful neglect means conscious, intentional failure
or reckless indifference to the obligation to comply
with the administrative simplification provision
violated.
July 14, 2010 NPRM Proposes
changes
• NPRM proposes a change in the definition of
reasonable cause to mean an act or omission
in which a covered entity or business
associate knew, or by exercising reasonable
diligence would have known, that the act or
omission violated an administrative
simplification provision, but in which the
covered entity or business associate did not
act with willful neglect.
• Other changes to strengthen and expand the
OCR’s ability to enforce the Privacy and
Security Standards.
Section 13410(e): Improved
Enforcement
• Enforcement by Attorneys General: In any case
in which the AG has reason to believe that an
interest of one or more of the residents of the
State has been threatened or adversely
affected by any person who violates a provision
of HIPAA, the AG may bring a civil action on
behalf of such residents to:
– Enjoin further such violations; or
– To obtain damages on behalf of such residents
calculated by multiplying the number of violations
by $100, the total not to exceed $25,000 for
identical violations during a calendar year.
• The court may award attorney fees.
Thought they were joking: Meet
Richard Blumenthal
• Blumenthal,
Connecticut’s Attorney
General, brought the
first suit under the
HITECH act.
• He brought suit
against Health Net
after they lost or had
stolen a disk that
contained personal
information of 1.5
million people.
… And He Won!
• Health Net spent over $7 million trying
to fix the data breach.
• Health Net settled for a $250,000 fine,
with a possibility of an additional
$500,000.
• Lesson: Encrypt!
HIPAA/HITECH
• Constant rapid changes in the law.
• Stay tuned for more changes as various
rules due to be published going
forward.
• Questions about HIPAA/HITECH????
Medicare & Medicaid Incentive
Program
• American Recovery and Reinvestment Act of
2009: Division B, Title IV –
Medicare/Medicaid Incentives
• Medicare & Medicaid EHR Incentive program
NPRM published January 13, 2010
• Final Rule published July 28, 2010
• Resource:
– https://www.cms.gov/EHRIncentivePrograms/
• Significant changes from the NPRM to the
final rule.
Glossary: More Terms
• CEHR: Certified Electronic Health Record: 42 C.F.R. § 495.4
• CPOE: Computerized Physician Order Entry
• EH: Eligible Hospital: 42 C.F.R. § 495.4
• EHR: Electronic Health Record: 42 U.S.C.A. § 17921(5)
• EP: Eligible Provider: 42 C.F.R. § 495.4
• MU: Meaningful Use of certified EHR technology: 42 C.F.R. § 495.4
• ONC: Office of the National Coordinator of Health Information Technology: 42 U.S.C.A. § 300jj-11
Three General Requirements
• Requires the MU of Certified EHR
technology.
• Requires using Certified EHR
technology for the electronic exchange
of health information to improve
efficiency and the quality of care.
• Requires EHs and EPs to submit data on
clinical quality measures to CMS to
show MU.
Who is eligible to participate?
• Medicare fee for service
– EPs
• MD or DO
• DDS or DMD
• DPM (Podiatrist)
• Dr. of Optometry
– EHs
• Acute care hospitals
• Critical Access Hospitals (CAHs)
Who is eligible to participate?
• Medicare Advantage
– MA EPs:
• Must furnish, on average, at least 20 hours/week of
patient-care services and be employed by the qualifying
MA organization; or
• Must be employed by, or be a partner of, an entity that
through contract with the qualifying MA organization
furnishes at least 80% of the entity’s Medicare patient
care services to enrollees of the qualifying MA
organization.
– MA-Affiliated Eligible Hospitals: Will be paid
under the Medicare fee for service EHR incentive
program.
Who is eligible to participate?
• Medicaid
– EPs
• Physicians
• Nurse Practitioners
• Certified Nurse Midwives
• Dentists
• PAs working at an FQHC or RHC that is led by a PA.
– EHs
• Acute care hospitals (including CAHs)
• Children’s hospitals
Who is eligible to participate?
• But, hospital-based EPs do not qualify.
– Hospital based EP: An EP performing
substantially all of their services in an inpatient
hospital setting or emergency room.
• EPs may participate in Medicare OR Medicaid
incentive programs, not both (may switch
one time before 2015).
• EHs may participate in both Medicare and
Medicaid incentive programs.
• SCDHHS published a bulletin January 11,
2011 concerning SC’s Medicaid incentive
program.
What is a Certified EHR?
• The ONC published the Health Information
Technology: Initial Set of Standards, Implementation
Specifications, and Certification Criteria for
Electronic Health Record Technology Final Rule on
July 28, 2010.
• The ONC published Health Information Technology:
Revisions to Initial Set of Standards, Implementation
Specifications, and Certification Criteria for
Electronic Health Record Technology on October 13,
2010.
• Anticipates certifying a complete EHR and EHR
Modules. 45 C.F.R. §§ 170.102 & 170.302.
• Tracks the MU objectives and adds certain security
related provisions. 45 C.F.R. §170.302.
• Has provisions for ambulatory and inpatient
settings. 45 C.F.R. §§ 170.304 & 170.306.
How are EHRs Certified?
• ONC published the Establishment of the Temporary Certification Program for HIT on June 24, 2010 (75 F.R. 36158-01). 45 C.F.R. 170.400, et seq.; sunsets December 31, 2011.
• ONC published the Permanent Certification Program for HIT on January 7, 2011 (76 F.R. 1325). 45 C.F.R. 170.500, et seq.
How are EHRs Certified?
• ONC authorized testing and certification bodies
(ONC-ATCBs):
– Certification Commission of Healthcare
Information Technology (“CCHIT”)
– Drummond Group, Inc.
– InfoGard Laboratories, Inc.
– Surescripts, LLC
– ICSA Labs
– SLI Global Solutions
• See the current listing of Certified EHR Technology
Vendors at: http://onc-chpl.force.com/ehrcert
What are the
objectives/measures?
• Core set of objectives:
– 15 for EPs;
– 14 for EHs.
• Menu set of objectives:
– 10 for EPs and EHs.
• EPs must meet 20 total.
• EHs must meet 19 total.
Exception for Medicaid EPs and
EHs
• If the EP or EH adopted (acquired and installed),
implemented (commenced utilization of) or
upgraded or expanded and used certified EHR
technology, then the EP or EH need not demonstrate
that it is a meaningful user until the second
payment year.
• Practice tip: If the EP received EHR software or
information technology and training services as a
donation under the Stark EHR donation
exception/Anti-kickback safe harbor, then the EP’s
Medicaid incentive payment may be affected:
– Because the Medicaid incentive is about
reimbursing the EP for adopting, implementing
and upgrading or expanding EHR technology.
Meaningful Use Objectives
• See the CMS comparison chart on the
following 9 slides:
– Provides a succinct summary of the objectives
and measures;
– Provides the comparison of the NPRM to final
rule.
• In addition, the following 17 slides were
copied or paraphrased from PowerPoint
presentations by CMS entitled “Medicare &
Medicaid EHR Incentive Program Final Rule,
Implementing the American Recovery &
Reinvestment Act of 2009.”
• Insert 9 slides here
Implementation
• Will be implemented in three stages:
– Stage 1 = 2011 and 2012
• EPs must meet 20 of 25 objectives
• EHs must meet 19 of 24 objectives
• Reporting period = 90 days first year and one year
subsequently.
– Stage 2 =
• Will be transitioned from Stage 1
• DHHS will re-evaluate measures
• Will include greater emphasis on HIE across institutional
boundaries
– Stage 3 = will be discussed in future rulemaking
Clinical Quality Measures
• 2011: EPs, EHs and CAHs
demonstrating MU are required to
submit aggregate CQM numerator,
denominator and exclusion data to CMS
or the States by attestation.
• 2012: EPs, EHs and CAHs demonstrating
MU are required to electronically
submit aggregate CQM numerator,
denominator, and exclusion data to
CMS or the States.
CQM: Eligible Professionals
• Core, Alternate Core, and Additional CQM
sets for EPs
• EPs must report on 3 required core CQM, and if
the denominator of 1 or more of the required
core measures is 0, then EPs are required to
report results for up to 3 alternate core
measures
• EPs also must select 3 additional CQM from a set
of 38 CQM (other than the core/alternate core
measures)
• In sum, EPs must report on 6 total measures: 3 required core measures (substituting alternate core measures where necessary) and 3 additional measures
CQM: Core Set for EPs
(NQF Measure Number & PQRI Implementation Number – Clinical Quality Measure Title)
• NQF 0013 – Hypertension: Blood Pressure Measurement
• NQF 0028 – Preventive Care and Screening Measure Pair: a) Tobacco Use Assessment b) Tobacco Cessation Intervention
• NQF 0421 / PQRI 128 – Adult Weight Screening and Follow-up
CQM: Alternate Core Set for EPs
(NQF Measure Number & PQRI Implementation Number – Clinical Quality Measure Title)
• NQF 0024 – Weight Assessment and Counseling for Children and Adolescents
• NQF 0041 / PQRI 110 – Preventive Care and Screening: Influenza Immunization for Patients 50 Years Old or Older
• NQF 0038 – Childhood Immunization Status
CQM: Additional Set for EPs
1. Diabetes: Hemoglobin A1c Poor Control
2. Diabetes: Low Density Lipoprotein (LDL) Management and Control
3. Diabetes: Blood Pressure Management
4. Heart Failure (HF): Angiotensin-Converting Enzyme (ACE) Inhibitor or Angiotensin Receptor Blocker (ARB) Therapy for Left Ventricular Systolic Dysfunction (LVSD)
5. Coronary Artery Disease (CAD): Beta-Blocker Therapy for CAD Patients with Prior Myocardial Infarction (MI)
6. Pneumonia Vaccination Status for Older Adults
7. Breast Cancer Screening
8. Colorectal Cancer Screening
9. Coronary Artery Disease (CAD): Oral Antiplatelet Therapy Prescribed for Patients with CAD
10. Heart Failure (HF): Beta-Blocker Therapy for Left Ventricular Systolic Dysfunction (LVSD)
11. Anti-depressant medication management: (a) Effective Acute Phase Treatment, (b) Effective Continuation Phase Treatment
12. Primary Open Angle Glaucoma (POAG): Optic Nerve Evaluation
13. Diabetic Retinopathy: Documentation of Presence or Absence of Macular Edema and Level of Severity of Retinopathy
14. Diabetic Retinopathy: Communication with the Physician Managing Ongoing Diabetes Care
15. Asthma Pharmacologic Therapy
16. Asthma Assessment
17. Appropriate Testing for Children with Pharyngitis
18. Oncology Breast Cancer: Hormonal Therapy for Stage IC-IIIC Estrogen Receptor/Progesterone Receptor (ER/PR) Positive Breast Cancer
19. Oncology Colon Cancer: Chemotherapy for Stage III Colon Cancer Patients
CQM: Additional Set for EPs, cont’d
20. Prostate Cancer: Avoidance of Overuse of Bone Scan for Staging Low Risk Prostate Cancer Patients
21. Smoking and Tobacco Use Cessation, Medical assistance: a) Advising Smokers and Tobacco Users to Quit, b) Discussing Smoking and Tobacco Use Cessation Medications, c) Discussing Smoking and Tobacco Use Cessation Strategies
22. Diabetes: Eye Exam
23. Diabetes: Urine Screening
24. Diabetes: Foot Exam
25. Coronary Artery Disease (CAD): Drug Therapy for Lowering LDL-Cholesterol
26. Heart Failure (HF): Warfarin Therapy Patients with Atrial Fibrillation
27. Ischemic Vascular Disease (IVD): Blood Pressure Management
28. Ischemic Vascular Disease (IVD): Use of Aspirin or Another Antithrombotic
29. Initiation and Engagement of Alcohol and Other Drug Dependence Treatment: a) Initiation, b) Engagement
30. Prenatal Care: Screening for Human Immunodeficiency Virus (HIV)
31. Prenatal Care: Anti-D Immune Globulin
32. Controlling High Blood Pressure
33. Cervical Cancer Screening
34. Chlamydia Screening for Women
35. Use of Appropriate Medications for Asthma
36. Low Back Pain: Use of Imaging Studies
37. Ischemic Vascular Disease (IVD): Complete Lipid Panel and LDL Control
38. Diabetes: Hemoglobin A1c Control (<8.0%)
CQM: Eligible Hospitals and CAHs
1. Emergency Department Throughput – admitted patients – Median time from ED arrival to ED departure for admitted patients
2. Emergency Department Throughput – admitted patients – Admission decision time to ED departure time for admitted patients
3. Ischemic stroke – Discharge on anti-thrombotics
4. Ischemic stroke – Anticoagulation for A-fib/flutter
5. Ischemic stroke – Thrombolytic therapy for patients arriving within 2 hours of symptom onset
6. Ischemic or hemorrhagic stroke – Antithrombotic therapy by day 2
7. Ischemic stroke – Discharge on statins
8. Ischemic or hemorrhagic stroke – Stroke education
9. Ischemic or hemorrhagic stroke – Rehabilitation assessment
10. VTE prophylaxis within 24 hours of arrival
11. Intensive Care Unit VTE prophylaxis
12. Anticoagulation overlap therapy
13. Platelet monitoring on unfractionated heparin
14. VTE discharge instructions
15. Incidence of potentially preventable VTE
Incentive payments for EPs
• If the EP begins in:
– 2011 = $44K
– 2012 = $44K
– 2013 = $39K
– 2014 = $24K
• If the EP (HPSA) begins in:
– 2011 = $48.4K
– 2012 = $48.4K
– 2013 = $42.9K
– 2014 = $26.4K
Incentive payments for EPs
• If the Medicaid EP begins in:
– 2011 = $63,750
– 2012 = $63,750
– 2013 = $63,750
– 2014 = $63,750
– 2015 = $63,750
– 2016 = $63,750
Incentive payments for Hospitals
• No payments after 2016.
• Based on a formula:
– ($2 Mil. base + per discharge amount) (or, if > 23,000 discharges, $6,370,200) x (Medicare/Medicaid share fraction)
– There is no maximum incentive amount
Incentive payments for CAHs
• The product of the reasonable costs
incurred for the purchase of certified
EHR technology and the CAH’s
Medicare share percentage.
Milestone Timeline
Medicare/Medicaid Economic
Incentives
• Questions?
Additional Legal Issues to Consider
with HIT Implementation
• Implementation of HIT requires increased
focus on privacy and security.
• Why we reviewed the “latest and greatest”
progress (or lack thereof) in the HITECH
privacy and security rules.
• Success with HIT implementation occurs only
with successful privacy and security
protections.
Additional Legal Issues to Consider
with HIT Implementation
• Review your policies/procedures for what is
included in your “Legal Medical Record” to assure
that the EHR product provides for legally required
content:
– Conditions of Participation
– Licensing Regulations
– Legally Required Reporting (ex: compliance with
quality initiatives)
– Documentation to support:
• Continuing care
• Billing and coding
• Legal defense
• Audit defense
– The Joint Commission requirements
Additional Legal Issues to Consider
with HIT Implementation
• Require ongoing representations &
warranties in agreements concerning
the legal compliance obligations.
Additional Legal Issues to Consider
with HIT Implementation
• Take care to accurately document:
– Watch out for software prompts that may cause the
provider to document a service that was not done.
– Watch “block and copy”
– These documentation issues:
• Create issues with patient safety in reliance on
records for the provision of continuing care
• Create issues with medical necessity
• May create issues of allegations of fraud and abuse:
– “[Reviewers] shall determine if patterns and/or
trends exist in the medical record which may
indicate potential fraud, waste or abuse” where
“medical records tend to have obvious or nearly
identical documentation . . .” CMS Pub. 100-8,
Medicare Integrity Manual, Section 4.3(C).
Additional Legal Issues to Consider
with HIT Implementation
• Be aware of record retention and destruction:
– Review your policies/procedures to determine if
they address both paper and EHRs.
• Be aware of E-Discovery Issues:
– Duty to preserve electronic evidence when you
become aware of the threat of litigation
• Know where your electronically stored
information resides:
– Servers
– Database files
– Word processing files
– PCs, Laptops, Desktops
– PDAs
– Imaging systems
– Other media: thumb drives, CDs, etc.
Additional Legal Issues to Consider
with HIT Implementation
• E-Discovery Continued:
– Understand that the stakes are high:
• Exclusion of evidence that may be helpful to your case.
• Major monetary sanctions
– Review policies/procedures for retention /
destruction in the litigation and governmental
investigation context.
– Review administrative policies/procedures and
legal compliance policies/procedures.
Additional Legal Issues to Consider
with HIT Implementation
– Be aware of Metadata, particularly as it pertains
to how, when and by whom an entry was
collected, created, accessed, or modified and
how it is formatted, including data demographics
as to size, location, storage requirements and
media information.
• Understand that metadata provides a vast
amount of information about documentation
which was not previously available.
• Be prepared to address issues raised with
metadata particularly in malpractice cases.
Additional Legal Issues to Consider
with HIT Implementation
• Be aware of liability caused by the application of
technology.
• E-Iatrogenesis*: patient harm caused, at least in
part, by the application of health information
technology.
*Weiner, J.P., et al., The Most Critical Unintended Consequence of CPOE and other HIT, J. Am. Med. Inform. Ass’n, June 2007, at 14:387-388.
• See the AHRQ website for a summary of patient
safety issues with CPOE at
http://psnet.ahrq.gov/primer.aspx?primerID=6
Additional Legal Issues to Consider
with HIT Implementation
– e-Iatrogenic errors occur with CPOE in “four major
categories: (1) errors of commission, such as accessing the
wrong patient’s record or overwriting one patient’s
information with another’s; (2) errors of omission or
transmission, such as the loss or corruption of vital patient
data; (3) errors in data analysis, including medication
dosing errors of several orders of magnitude; and (4)
incompatibility between multi-vendor software applications
and systems, which can lead to any of the above.”*
*Jeffrey Shuren, Director of FDA’s Center for Devices and Radiological Health, Testimony at the Health Information Technology Policy Committee Adoption/Certification Workgroup (February 25, 2010).
Additional Legal Issues to Consider
with HIT Implementation
• Any of these types of errors can result in a
negligence action against the hospital and
providers.
• Upshot:
– Discuss whether the vendor has addressed these
issues in the development of their product.
– Focus on education and training.
– Discuss with your general and professional
malpractice carrier.
Additional Legal Issues to Consider
with HIT Implementation
• Reference The Joint Commission
Sentinel Event Alert: December 11,
2008: Safely implementing health
information and converging
technologies
• http://www.jointcommission.org/assets/1/18/SEA_42.PDF
PRACTICAL TIPS FOR EHR
SYSTEM CONTRACTING
Mark L. Bender
Steps in the Process
• Gap Analysis – Understand existing capabilities and new capabilities needed
• Requirements Specifications
• Request for Proposal
• Vendor Selection
• Negotiate Financial Terms
• Negotiate Contract
• Sign Contract
• Implementation
• Go Live
Contracting Fundamentals
• A Contract is not a substitute for
choosing the right system and the right
vendor
• If it’s not in the contract, you won’t
get it
• If it’s not in writing, it’s not in the
contract
You need a lawyer
• IT personnel, accountants, and
consultants are NOT lawyers
• Get your lawyer involved early (not the
day before the contract must be
signed)
• Controlling legal costs:
• don’t use your lawyer for tasks that can be
performed just as well by an employee
• Get regular updates on project status and fees
Relationship of new system to
existing system
• Are you adding an EHR module to an existing
system of the same vendor?
• Interoperability issues
• interface issues
• who’s responsible for what
• Are you replacing an existing vendor?
• What are your contractual rights and obligations related
to your existing system?
• conversion/transition rights
• termination rights
The System is only as good as
the Training...
• Get the details of the vendor’s training program:
– curriculum and course materials
– modalities (classroom-based versus Web-based)
– Where and when available
– Number of trainees per class
– Testing to measure effectiveness
– Right to re-take a course if passing grade not attained
– Availability of refresher courses
Should I buy or should I rent?
• Traditional licensing model
• Application Service Provider (ASP)
model
• Software as a Service (SaaS) model
The System is only as good as
the implementation
Have a plan:
• Implementing a system without an
implementation plan is like heading into the
Outback without a map, GPS, and compass.
• An implementation plan without milestones
is like a battle plan without objectives
• Milestones without penalties are guns
without bullets
Deal Structural Models
• Traditional software license
• ASP/SaaS
• cost predictability
• less upfront investment, but may be more
expensive over time
• security concerns
• data backups and access
Contract Structure
One or more agreements covering:
• Hardware purchase (if any)
• Software license
• Hardware maintenance and support (if
applicable)
• Software maintenance and support
• Hosting (if applicable)
• Implementation services (if applicable)
Software License Terms
• Authorized Entities – what entities in a
corporate group are covered by the
license?
• are new additions to corporate group covered?
• Authorized Users - who; how many;
impact on license fees
• Assignability
• Other use restrictions
Software Maintenance and
Support
• Maintenance – what updates are free,
what updates are billable
• Support – how delivered, response
times; bug handling
• Service level commitments and credits
Hosting (if applicable)
• uptime
• security
• backups
• data ownership
• service level commitments and credits
Other Contract
Topics/Provisions
• Implementation services (e.g. requirements specification; customization; data conversion):
• need plan; assign responsibilities; need timeline and milestones; tie payments to milestone achievement; agree upon testing and acceptance
Other Contract Topics/Provisions
continued
Warranties:
• HITECH certification warranty - Office of the
National Coordinator for Health Information
Technology (ONC) sets the rules; the rules are
applied by an Authorized Testing and Certification
Body (ATCB) to certify EHR systems and modules;
Certification Commission for Health Information
Technology (CCHIT) is an ATCB
• “Meaningful use” functionality warranty
• HIPAA compliance warranty
• Be sure the foregoing warranties include the
obligation to stay current; no lapses permitted
• non-infringement warranty
Dispute resolution:
• arbitration versus litigation
• governing law
• place of adjudication
Assignability
Liability Limitations
Disaster Recovery
Force Majeure
QUESTIONS???