HITECH

With the passage of the American Recovery and Reinvestment Act of 2009, certain standards governing electronic health care transactions under HIPAA have been recently strengthened and fine-tuned under the Health Information Technology for Economic and Clinical Health Act (HITECH). Seeking to tighten the rules of accountability for the sharing of a patient’s medical information, HITECH will undoubtedly have a dramatic effect on the ways in which medical files are shared in the years to come.

Under HIPAA, a covered entity was able to disclose PHI to a business associate without a patient's authorization if the business associate provided the covered entity with satisfactory assurance that it would appropriately safeguard the information. These assurances were to be documented in a written contract often referred to as a business associate agreement (BAA) that met certain regulatory requirements. Prior to HITECH, although a covered entity was required to impose certain requirements on its business associates via contract, business associates were not regulated directly by the Department of Health and Human Services (HHS) or its Office of Civil Rights (OCR).

But HITECH has changed these rules. With an eye toward expanding liability, HITECH makes most of the HIPAA Security Rule requirements directly applicable to business associates as well, including direct regulation by the OCR and enhanced penalties for HIPAA violations. Among other things, by February 17, 2010, HITECH will require a business associate to:

• Implement reasonable and appropriate written policies and procedures
• Develop a system for identifying breaches and notify covered entities following discovery of a breach of unsecured PHI
• Mitigate any harms from the inappropriate use or disclosure of PHI
• Train its workforce
• Develop a sanctions policy
• Establish safeguards
• Develop and implement a complaint system

 Adjustments to Meaningful Use Criteria

On January 13th, the Centers for Medicare and Medicaid Services (CMS) proposed the adoption of a more specific definition of what is to constitute “meaningful use” of electronic health records (EHRs), while also implementing financial incentive programs through Medicare and Medicaid that would reward or penalize hospitals and physicians for instituting certified EHRs within an established time frame. Such a proposal draws on the strength of the newly passed HITECH Act, which requires the Secretary of the Department of Health and Human Services to establish such a definition.

CMS proposes that hospitals adopt this new ruling on “meaningful use” in three stages of increasingly technological sophistication. Although most hospitals will only need to meet Stage One requirements for a 90 day contiguous period during the first year to receive incentive payments, they will in future need to continue to enhance their EHR capability in order to continue to receive incentive payments and avoid penalties beginning in 2015.

Stage One “meaningful use” criteria focuses on electronically capturing health information in a coded format; using that information to track key clinical conditions and communicating that information for care coordination purposes; implementing clinical decision support tools to facilitate disease and medication management, consistent with other provisions of Medicare and Medicaid law; and reporting clinical quality measures and public health information.

Stage Two will encourage the use of health IT for continuous quality improvement at the point of care and the exchange of information in the most structured format possible, such as the electronic transmission of orders entered using computerized provider order entry (CPOE) and the electronic transmission of diagnostic test results such as blood tests, microbiology, urinalysis, pathology tests, radiology, cardiac imaging, nuclear medicine tests, pulmonary function tests and other such data needed to diagnose and treat disease.

Stage Three will focus on promoting improvements in quality, safety and efficiency, as well as decision support for national high-priority conditions, patient access to self-management tools, access to comprehensive patient data and improving population health.

 Medical Identity Theft on the Rise

Sadly, the protection of medical records is not only essential when dealing with those who intend to use a patient’s information for business purposes. All too often, breaches in privacy strike a much more personal note.

Recent reports indicate a rise in medical identity theft, in which thieves obtain stolen social security numbers, names, and insurance information to seek treatment under a false identity. I need not remind you that the dangers of such actions go far beyond their effect on a patient’s wallet, as these thefts also put patients in physical jeopardy when inaccurate information, such as blood type, patient history and allergies, makes its way into their health records.

I urge you all to remain vigilant in your attempts to keep Coast Plaza Hospital free from incidents of medical identity theft.

Many thanks to Steven K. Phillips, Esq. for his astute assessment of HITECH.