Hot Off the Feds’ Press: The Latest HIPAA and HITECH Act Developments

Summer Issue 2010, Newsletters: Staying Well Within the Law

It's been a busy summer for regulation of electronic health records and health privacy. Proposed and final regulations provided guidance on such hot topics as who is covered by HIPAA privacy and security rules; who is a business associate; what will qualify as "meaningful use" of EHR for the HITECH subsidies; and what documents need to be updated. The following is a short summary of the latest changes in this volatile environment. For current updates, please visit our HIPAA, HITECH and HIT blog.

"Meaningful Use" Final Rule

Under the Health Information Technology for Economic and Clinical Health Act (HITECH), federal incentive payments will be available to doctors and hospitals when they adopt EHRs and demonstrate use in ways that can improve quality, safety and effectiveness of care. Eligible professionals can receive as much as $44,000 over a five-year period through Medicare. For Medicaid, eligible professionals can receive as much as $63,750 over six years. Medicaid providers can receive their first year's incentive payment for adopting, implementing and upgrading certified EHR technology but must demonstrate meaningful use in subsequent years in order to qualify for additional payments. The amount a hospital receives in EHR incentive payments is calculated based on the hospital's Medicare and Medicaid patient volume, calculated as a fraction of the hospital's total patient volume.

On July 13, 2010, the Department of Health and Human Services (HHS) released a pair of final regulations (one from CMS, one from the Office of the National Coordinator for HIT) detailing the "meaningful use" criteria that will determine whether users of electronic health records qualify for the government subsidies under the HITECH Act during the first two years of the program (2011-2012). The final rule modified the agency's January 16, 2010, proposed rule and addressed issues raised in the more than 2,000 comments submitted.

The agency responded to the numerous complaints that its earlier, all-or-nothing approach mandating 25 objectives (23 for hospitals) was unrealistic. Instead, the final rule requires 15 "core" objectives plus a menu of additional objectives from which EHR users can choose to qualify for the financial help.

The 15 core objectives and the measurements used to determine if they have been met are as follows:

1. Record patient demographics (sex, race, ethnicity, date of birth, preferred language and, in the case of hospitals, date and preliminary cause of death in the event of mortality).

More than 50% of patients' demographic data recorded as structured data.

2. Record vital signs and chart changes (height, weight, blood pressure, body mass index, growth charts for children).

More than 50% of patients two years of age or older have height, weight and blood pressure recorded as structured data.

3. Maintain up-to-date problem list of current and active diagnoses.

More than 80% of patients have at least one entry recorded as structured data.

4. Maintain active medication list.

More than 80% of patients have at least one entry recorded as structured data.

5. Maintain active medication allergy list.

More than 80% of patients have at least one entry recorded as structured data.

6. Record smoking status for patients 13 years of age or older.

More than 50% of patients 13 years of age or older have smoking status recorded as structured data.

7. For individual professionals, provide patients with clinical summaries for each office visit. For hospitals, provide an electronic copy of hospital discharge instructions on request.

Clinical summaries provided to patients for more than 50% of all office visits within three business days. More than 50% of all patients who are discharged from the inpatient department or emergency department of an eligible hospital or critical access hospital and who request an electronic copy of their discharge instructions are provided with it.

8. On request, provide patients with an electronic copy of their health information (including diagnostic test results, problem list, medication lists, medication allergies and, for hospitals, discharge summary and procedures).

More than 50% of requesting patients receive electronic copy within three business days.

9. Generate and transmit permissible prescriptions electronically (does not apply to hospitals).

More than 40% are transmitted electronically using certified EHR technology.

10. Computerized provider order entry (CPOE) for medication orders.

More than 30% of patients with at least one medication in their medication list have at least one medication ordered through CPOE.

11. Implement drug–drug and drug–allergy interaction checks.

Functionality is enabled for these checks for the entire reporting period.

12. Implement capability to electronically exchange key clinical information among providers and patient-authorized entities.

Perform at least one test of EHR's capacity to electronically exchange information.

13. Implement one clinical decision support rule and ability to track compliance with the rule.

One clinical decision support rule implemented.

14. Implement systems to protect privacy and security of patient data in the EHR.

Conduct or review a security risk analysis, implement security updates as necessary, and correct identified security deficiencies.

15. Report clinical quality measures to CMS or states.

For 2011, provide aggregate numerator and denominator through attestation.
For 2012, electronically submit measures.

The "menu" from which an additional five objectives may be selected, and the criteria for meeting those objectives, are as follows:

1. Implement drug formulary checks.

Drug formulary check system is implemented and has access to at least one internal or external drug formulary for the entire reporting period.

2. Incorporate clinical laboratory test results into EHRs as structured data.

More than 40% of clinical laboratory test results whose results are in positive/negative or numerical format are incorporated into EHRs as structured data.

3. Generate lists of patients by specific conditions to use for quality improvement, reduction of disparities, research or outreach.

Generate at least one listing of patients with a specific condition.

4. Use EHR technology to identify patient-specific education resources and provide those to the patient as appropriate.

More than 10% of patients are provided patient-specific education resources.

5. Perform medication reconciliation between care settings.

Medication reconciliation is performed for more than 50% of transitions of care.

6. Provide summary of care record for patients referred or transitioned to another provider or setting.

Summary of care record is provided for more than 50% of patient transitions or referrals.

7. Submit electronic immunization data to immunization registries or immunization information systems.

Perform at least one test of data submission and follow-up submission (where registries can accept electronic submissions).

8. Submit electronic syndromic surveillance data to public health agencies.

Perform at least one test of data submission and follow-up submission (where public health agencies can accept electronic data).

Additional Choices for Hospitals and Critical Access Hospitals:

9. Record advance directives for patients 65 years of age or older.

More than 50% of patients 65 years of age or older have an indication of an advance directive status recorded.

10. Submit electronic data on reportable laboratory results to public health agencies.

Perform at least one test of data submission and follow-up submission (where public health agencies can accept electronic data).

Additional Choices for Eligible Professionals:

9. Send reminders to patients (per patient preference) for preventive and follow-up care.

More than 20% of patients 65 years of age or older or 5 years of age or younger are sent appropriate reminders.

10. Provide patients with timely electronic access to their health information (including laboratory results, problem list, medication lists, medication allergies).

More than 10% of patients are provided electronic access to information within four days of its being updated in the EHR.

A rollout article in the New England Journal of Medicine was written by HHS's David Blumenthal, M.D., M.P.P., national coordinator for HIT, and Marilyn Tavenner, R.N., M.H.A., principal deputy administrator of CMS, both of whom participated in developing the final rule. They noted that the core objectives include the tasks essential to creating any medical record, namely the entry of basic data (patients' vital signs and demographics, active medications and allergies, up-to-date problem lists of current and active diagnoses, and smoking status), as well as the use of several software applications that begin to realize the true potential of EHRs to improve the safety, quality and efficiency of care, help clinicians make better clinical decisions and avoid preventable errors.

What To Do Now?

Software and EHR systems developers are scrambling to ensure their products will meet the meaningful use standards by 2011. Practices and facilities that desire to take advantage of the federal funding should start shopping early and ask potential vendors to address in writing exactly how their products can satisfy each of the criteria in the new standards.

Hospitals face an additional issue: They must be careful in how they report charity care on their Medicare cost reports if they want to maximize their incentive payments for using EHR. The amount a hospital receives in EHR incentive payments is calculated based on the hospital's Medicare and Medicaid patient volume, calculated as a fraction of the hospital's total patient volume. The rule proposal failed to define key terms that are part of the calculation of the fractional share of the hospital's Medicare and Medicaid patient volume, including the term "charity care." The proposed final rule looks to the charity care amount reported in the hospital's Medicare cost report, despite the fact that this reported number likely did not have a significant impact on the hospital's Medicare reimbursement in the past. Any hospital seeking EHR incentive payments must not only closely examine the accuracy of the reported charity care and non-Medicare bad debt data included on its Medicare cost report, but also ensure it is actually undertaking a review of patients' ability to pay for services. Failure to document the proportion of uncompensated care that qualifies as "charity care" may result in a decrease in EHR incentive dollars.

Proposed HITECH Rule

On July 8, 2010, HHS announced proposed modifications to the HIPAA Privacy & Security Rules implementing the HITECH Act. The proposed modifications include new requirements on business associates with regard to their subcontractors.

The HITECH statute itself imposed direct HIPAA compliance obligations and liability on business associates. The proposed rule goes one step further and would include in the definition of "business associate" in §160.103 subcontractors that create, receive, maintain or transmit protected health information on behalf of a business associate. OCR specifies it does not intend this proposed modification to mean a covered entity is required to have a contract with the subcontractor. Rather, the "obligation is to remain with the business associate that contracts with the subcontractor." OCR proposes "to make clear that it is the business associate that must obtain the required satisfactory assurances from the subcontractor to protect the security of electronic protected health information."

The proposed rule casts business associates into a much more active role, requiring them to enter into business associate agreements (BAAs) with their subcontractors. In effect, business associates would be expected to act as though they are covered entities in terms of identifying when protected health information (PHI) is transmitted to third parties and policing the privacy and security of PHI whenever it flows downstream or outside the business associate workforce.

Because a covered entity with which a business associate has contracted still has an ultimate responsibility for the privacy and security of the PHI of its patients or clients, existing BAAs may require further review and amendments to protect the covered entity sufficiently should this rule be adopted.

The proposed rule expands individuals' rights to access their information and to restrict certain types of disclosures of PHI to health plans. It also sets new limitations on the use and disclosure of PHI for marketing and fund-raising and prohibits the sale of PHI without patient authorization.

Final Breach Rule Withdrawn, Interim Rule Remains in Effect

In an unexpected development, HHS withdrew its forthcoming Final Breach Notification Rule, which was pending review by the Office of Management and Budget, on July 28, 2010. In a brief announcement, HHS stated the delay was intended to allow for further consideration, given the Department's experience to date in administering the regulations. They stated, "This is a complex issue and the Administration is committed to ensuring that individuals' health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur. We intend to publish a final rule in the Federal Register in the coming months."

Some privacy advocates have been lobbying HHS over the rule's "harm standard," which states that health care organizations only have to report HIPAA privacy and security breaches to OCR if the covered entity determined the breach caused direct harm to the affected patients. Such advocates believed this rule gave too much discretion to the covered entities themselves.

In the meantime, the Interim Final Rule for Breach Notification for Unsecured Protected Health Information, effective September 23, 2009, remains in effect. This rule requires HIPAA covered entities to promptly notify affected individuals of a breach. Covered entities that experience a breach affecting more than 500 residents of a state or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the state or jurisdiction. These notices must be made without unreasonable delay and in no case later than 60 days following the discovery of a breach. If a breach affects 500 or more individuals, covered entities must notify the Secretary of HHS without unreasonable delay and in no case later than 60 days following a breach. Breaches affecting fewer than 500 individuals will be reported to the HHS Secretary on an annual basis. The regulations also require business associates of covered entities to notify the covered entity of breaches at or by the business associate.

If You Experience a Breach...

  • First, document when and how the breach was discovered. This date starts the compliance clock ticking. Remember, notice must be given as soon as possible, so do not wait until the 59th day.
  • Next, determine whose records were compromised, how the breach occurred and what information was improperly accessed or disclosed.
  • Determine what notices need to be given, to whom, in what form and including what details.
  • Establish a plan for making the required notices and implement it. Follow up with appropriate mitigation efforts.
  • Consider providing additional protection to the affected individuals. While optional, many organizations have chosen to offer prepaid identity monitoring, protection and remediation services via third-party vendors as a goodwill gesture and to soften the public relations fallout.

At each step of the process, consultation with experienced health care counsel will help you understand and meet your obligations under the law and minimize the consequences of the breach.

Thanks to Elizabeth Litten, whose work contributed to this article.

For more information about this topic, please contact William H. Maruca at 412.394.5575 or [email protected].