Articles Posted in HIPAA

The U.S. Department of Health & Human Services Office for Civil Rights (OCR) published a request for information (RFI) on the Health Information Technology for Economic and Clinical Health (HITECH) Act’s expansion of an individual’s right to receive an accounting of disclosures under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. Pursuant to the HITECH Act, covered entities will soon be required to account for disclosures of protected health information (PHI) made for treatment, payment, and healthcare operations if the entity utilizes an electronic health record (EHR) system. This is a significant change from current guidance, by which covered entities are not required to provide an accounting of any disclosures made for purposes of treatment, payment, or healthcare operations. As the OCR prepares to develop specific regulations, it has issued the RFI to pose specific questions to and request comments from covered entities, EHR system vendors, and individual and consumer advocates regarding the new requirement.

Specific questions posed to covered entities include: (1) How do covered entities inform individuals of their rights to an accounting of disclosures? (2) How many accounting of disclosures requests a covered entity has received? (3) Whether a covered entity uses a single EHR system and whether that system creates an automatic accounting of disclosures, or whether there is a separate system to generate this information? and (4) Whether the HITECH Act’s requirement that covered entities that acquire EHR systems after January 1, 2009 account for disclosures for treatment, payment, and healthcare operations by January 1, 2011 is a feasible deadline, and, if not, how long it would take a covered entity to install a feature to track these disclosures?

Other requests for comments are directed at individuals, consumer advocates, and EHR system vendors. The questions directed at individuals and consumer advocates inquire into the benefits of an accounting of disclosures, whether individuals are aware of their right to receive an accounting of disclosures, and whether an individual was provided requested information. The RFI also requested information from EHR system vendors as to whether the EHR system is able to distinguish between PHI “uses” and “disclosures” and as to the additional burdens that would be imposed on the EHR system to account for disclosures for treatment, payment, and healthcare operations and the feasibility of an EHR module to account for these disclosures.

The first defendant to receive a prison sentence for a HIPAA privacy violation was sentenced to four months in prison after admitting to illegally accessing protected health information contained in electronic medical records of celebrities and others. The defendant, a former UCLA Health System surgeon, pleaded guilty in January to four misdemeanor counts of violating the HIPAA privacy rule. The incidences occurred in 2003 when the surgeon accessed and read the medical records of his immediate supervisor, other co-workers, and celebrities who had visited the health system after receiving notice that he was being dismissed from his job. He illegally accessed patient records 323 times over a 3 week period.

For more information on HIPAA privacy and security rules, please visit www.wachler.com or contact a Wachler & Associates attorney at 248-544-0888.

On April 15 a bipartisan bill, the Health Information Technology Extension for Behavioral Health Services Act of 2010, was introduced in the House. The bill extends the Health Information Technology for Economic and Clinical Health (HITECH) Act’s electronic health records incentives to mental health professionals. Currently the HITECH Act provides incentives for qualifying healthcare professionals to demonstrate a “meaningfuluse” of electronic health records. However, the HITECH Act did not expand this incentive to mental health professionals. The proposed legislation would extend the incentives by ensuring the eligibility of certain behavioral and mental health professionals, psychiatric hospitals, behavioral and mental health treatment facilities, and substance abuse treatment facilities.

One supporter of the legislation, Congressman Tim Murphy(R-PA) reemphasized the importance of electronic health records for promoting quality health care. “To best diagnose and treat patients, mental health professionals need complete, up-to-date medical histories…Electronic health records ensure that physicians and mental health professionals are working together and delivering the best possible treatments.”

For more information on health law issues, please visit www.wachler.com or contact a Wachler & Associates attorney at 248-544-0888.

Kathleen Sebelius, Secretary of the U.S. Department of Health and Human Services (HHS), announced $162 million in awards created to help states advance the meaningful use of health IT through state health information exchange. The awards are part of a $2 billion effort, funded by the American Recovery and Reinvestment Act of 2009, to advance health IT and achieve the use of electronic health records for every citizen by 2014.

In the HHS press release, Secretary Sebelius stressed the importance of these investments to “unleash the power of health information technology to cut costs, eliminate paperwork, and help doctors deliver high-quality, coordinated care to patients.” Secretary Sebelius also emphasized the critical role that states play in securing the exchange of electronic health records between providers and hospitals. A fully developed health information exchange serves as a stepping stone to enable eligible healthcare providers to receive incentive payments under the Medicare and Medicaid for the meaningful use of health IT.

The $162 million in awards will be given to 16 states and state designated entities (SDEs) to assist non-proprietary health information exchange. After this most recent award, all states have now been awarded funds to begin to advance the meaningful use of health IT and facilitate state health information exchange.

The American Hospital Association (AHA) submitted comments to CMS on the proposed definition of “meaningful use” of Electronic Health Records (EHR). The Health Information Technology for Economic Clinical Health (HITECH) Act contains an EHR Incentive Program. That program is designed to encourage eligible providers to make “meaningful use” of EHR technology. The proposed rule defines “meaningful EHR user” as an eligible professional or eligible hospital that, during the specified reporting period, demonstrates meaningful use of certified EHR technology in a form and manner consistent with the certain objectives and measures presented in the regulation. Some of the objectives include: EHR technology to improve the quality, safety, and efficiency of health care delivery and ensures adequate privacy and security protections for personal health information.

In its comments on the proposed rule, AHA believed that CMS’s definition for “meaningful use” set too high of a standard and that very few eligible hospitals would be able to meet that standard. For instance, AHA expressed concern that CMS’s method for determining eligibility would create a larger division between small and large hospitals in that there is already research suggesting that larger hospitals are better prepared to meet the meaningful use objectives.

AHA also recommended that CMS loosen its timeline for EHR implementation, including allowing hospitals to meet the meaningful use definition if they meet 25% of the objectives in 2011 or 2012.

The Notice of Proposed Rulemaking (NPRM) was issued in order to establish programs by which health IT technologies will be tested and certified. Such programs were mandated by the HITECH Act, which provides incentive payments to providers who demonstrate meaningful use of certified electronic health record (EHR) technologies. Companion regulations have also been introduced which propose standards and criteria that will be necessary to demonstrate meaningful use and which propose the functional capabilities that EHR technologies must have in order to be eligible for certification.

The NPRM proposes a temporary certification program for EHR systems and modules, and lays the foundation for a permanent program that will eventually replace the temporary program. The temporary program is designed to ensure that certified technologies are in place so that providers may take advantage of the incentive payments at the earliest opportunity before the permanent program has been fully implemented.

The NPRM comes after the initial meaningful use NPRM and the Standards & Certification Interim Final Rule (IFR), published in January 2010. The Standards & Certification IFR establishes an initial set of standards, implementation specifications, and certification criteria for Complete Electronic Health Records (EHR) and EHR Modues for aodption by the HHS Secretary. The Certification Programs NPRM and the Standards & Certification IFR will operate jointly to create confidence in the security and effectiveness of electronic health IT produces and systems.

Connecticut Attorney General Richard Blumenthal filed suit against Health Net of Connecticut, Inc. for its alleged failure to secure private medical and financial information involving 446,000 Connecticut enrollees.

The Health Information Technology for Economic and Clinical Health (HITECH) Act authorizes state attorneys general to bring actions on behalf of the public in order to enforce HIPAA. The Connecticut Attorney General’s case against Health Net is the first action by a state attorney general brought pursuant to this authority.

The case alleges that Health Net exposed protected health information and other personal information and failed to promptly notify appropriate authorities of the incident. The information had been saved on a portable computer disk drive, but, despite Health Net’s policies and procedures, had not been encrypted. The computer disk, which contained approximately 27.7 million scanned pages of hundreds of different types of documents, had been missing for approximately six months before Health Net took steps to notify the Attorney General and affected individuals.