HITECH Act



  1. The Health Information Technology for Economic and Clinical Health Act (“HITECH Act”)
     Nationwide health information technology (“HIT”) infrastructure that supports electronic health records and health information exchanges
     M. Peter Adler, Pepper Hamilton LLP
  2. Three Parts of the HITECH Act
     • Create standards, implementation specifications and certification criteria for HIT Infrastructure interoperability;
     • Implement the HIT Infrastructure and electronic health records (“EHRs”) through grants, loan funds, incentive programs, and information sharing; and
     • Encourage the use of the HIT Infrastructure by improving information privacy and security.
  3. Standards, Implementation Specifications and Certification Criteria: Promoting HIT Infrastructure interoperability
  4. Key Players: ONCHIT
     • HHS
        • Codifies Office of the National Coordinator for Health Information Technology (“ONCHIT” or the “National Coordinator”)
           • Utilization of certified EHRs for every person in the United States by 2014
           • Create a framework for exchanging ideas and obtaining participation from the public and individuals who are experts in the field of HIT.
           • National Institute of Standards and Technology (“NIST”) and other Federal agencies for technical guidance
  5. Key Players: HIT Policy Committee and HIT Standards Committee
     • HIT Policy Committee:
        • Recommends to ONCHIT a policy framework for the development, adoption, and use of a nationwide HIT infrastructure
     • HIT Standards Committee:
        • Will oversee the development and pilot testing of standards, implementation specifications, and certification criteria for the HIT infrastructure and make recommendations on them to the National Coordinator.
     American Health Information Community (AHIC)  National eHealth Collaborative (NeHC)  Policy/Standards Committees
  6. Standards Setting
     • Within 90 days of receiving recommendations, the Secretary decides whether or not to propose adoption of the measures
     • APA rulemaking procedures apply
     • Law requires adoption of an initial set of standards, implementation specifications and certification criteria no later than December 31, 2009
  7. HIT Infrastructure and Electronic Health Records (“EHRs”) Implementation: Grants, Loan Funds, Incentive Programs, and Information Sharing
  8. Incentives, Grants, Loans and Information Sharing
  9. Medicare Incentives
     • Medicare incentive payments go to physicians and hospitals that are “meaningful EHR users”, e.g., a physician (as defined under Medicare) that is not hospital-based, or a hospital, that
        • demonstrates the use of certified EHR technology in a meaningful manner, such as electronic prescribing;
        • demonstrates that use of EHR technology is connected in a manner that provides for the electronic exchange of health information to improve the quality of care; and
        • submits information on clinic quality measures to HHS using the EHR technology.
     • Payments to physicians can be up to $48,000. Those that drag their feet (adopting in year 2015 or later) will end up with zero reimbursement, and may actually lose money, in the form of penalties from the Centers for Medicare and Medicaid Services (CMS).
  10. Grants to States or Qualified State-Designated Entity (QSDE)
     • A QSDE
        • is designated by the state as eligible to receive awards under this Act; that is, a not-for-profit entity with broad stakeholder representation on its governing board;
        • demonstrates that one of its principal goals is to use information technology to improve healthcare quality and efficiency through authorized and secure electronic exchange and use of health information;
        • adopts nondiscrimination and conflict of interest policies that demonstrate a commitment to open, fair, and nondiscriminatory participation by stakeholders; and
        • conforms to any other requirements established by the Secretary.
  11. Grant Activities
     • Enhancing broad and varied participation in the authorized and secure nationwide electronic use and exchange of health information;
     • Identifying state or local resources available towards the nationwide effort to promote HIT;
     • Providing technical assistance to overcome barriers to the exchange of electronic health information;
     • Supporting public health agencies;
     • Promoting effective strategies to adopt HIT in medically underserved communities;
     • Encouraging clinicians to work with Regional Centers;
     • Promoting EHRs for quality improvement;
     • Complementing other Federal grants, programs and efforts towards the promotion of HIT;
     • Assisting patients in using HIT;
     • Other activities specified by the Secretary
     Matching: 2010 (0%), 2011 (10%), 2012 (14%), 2013 (33%)
  12. Loan Fund
     • “Eligible entity” is a state or Indian tribe that submits an application, a strategic plan
        • a list of the projects to be assisted through the Loan Fund;
        • a description of the criteria and methods established for the distribution of funds from the Loan Fund;
        • a description of the financial status of the Loan Fund as of the date of the submission of the plan; and
        • the short-term and long-term goals of the Loan Fund.
  13. Loan Fund
     • Loans may be used by a healthcare provider to
        • facilitate the purchase of certified EHR technology;
        • enhance the utilization of certified EHR technology (which may include costs associated with upgrading health information technology so that it meets criteria necessary to be a certified EHR technology);
        • train personnel in the use of such technology; or
        • improve the secure electronic exchange of health information.
     • Matching: 20% of the amount from non-Federal contributions.
  14. Federal Agencies - Contractors
     • Required to adopt and use standards as they implement, acquire or upgrade
     • President is to ensure federal activities involving the collection and submission of health information are consistent with such standards within three years of their adoption
     • Application and use of adopted standards will be voluntary for private entities, but a private healthcare provider, health plan, or health insurance issuer that contracts with the Federal government to use HIT systems is required to meet the standards adopted by the Secretary
  15. Extension Centers
     • The Health Information Technology Research Center (“National Center”) will assist in the development and recognition of best practices to support and accelerate efforts to adopt, implement, and use HIT
     • Health Information Technology Regional Extension Centers (“Regional Centers”) will assist the National Center to disseminate information and provide healthcare providers with assistance with the implementation and use of HIT, including EHR
  16. Encouraging the Use of the HIT Infrastructure: Improving Information Privacy and Security
  17. Improving Privacy and Security
     • Clarification and expansion of the definition of a “business associate”;
     • Increased business associate legal obligations;
     • Notification for breaches involving protected health information (PHI);
     • Special provisions for vendors of personal health records and other non-HIPAA covered entities; and
     • Enhancement of enforcement, funding for enforcement and increased penalties.
  18. Clarification and Expansion of “Business Associate” Definition
     • Definition of “business associate” includes:
        • entities that provide data transmission services to a covered entity (or its business associate) if the service involves access to PHI on a routine basis, including:
           • a health information exchange organization,
           • a regional health information organization,
           • an E-prescribing Gateway, or
           • any vendor that contracts with the covered entity to allow the covered entity to offer a personal health record (PHR) to patients.
  19. Increased Business Associate Legal Obligations
     • A business associate must comply with the same administrative, technical, and physical safeguards that a covered entity is required to comply with under the security rule.
     • Must also comply with the document requirements of the security rule (policies, procedures and other documents)
     • Business associates that violate the security and privacy provisions of HIPAA are subject to the same civil and criminal penalties as a covered entity
     • Each security and privacy requirement in the HITECH Act that is applicable to a covered entity is also applicable to a business associate and should be included in a business associate contract
  20. Notification for Breaches of Protected Health Information (PHI)
     • Applies to business associates and covered entities that access, maintain, retain, modify, record, store, destroy, or otherwise hold, use, or disclose unsecured PHI.
     • A “breach of security” is an acquisition, access, use, or disclosure of unsecured PHI
     • Content and timing
     • Public/Private notification
  21. EHR/PHR
     • An “EHR” is an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized healthcare clinicians and staff.
     • A “PHR” means an electronic record of “PHR identifiable health information” that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.
        • PHR identifiable health information means individually identifiable health information:
           • that is provided by or on behalf of the individual; and
           • that identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.
  22. Notice of Breach Involving PHR-Related Entities and Other Non-HIPAA Covered Entities
     • Additional notice of breach provisions apply to “PHR-related entities” which are:
        • (i) vendors of PHRs;
        • (ii) entities that offer products or services through the website of a vendor of PHRs;
        • (iii) entities that are not covered entities and that offer products or services through the website of covered entities that offer individual's personal health records; and
        • (iv) entities that are not covered entities that access information in PHRs or send information to a PHR.
     • A “breach of security” is an acquisition of unsecured PHR identifiable health information of an individual in a PHR without the authorization of the individual.
  23. Enhancement of Enforcement
     • Wrongful disclosure of individually identifiable information only if:
        • …a person (including an employee or other individual) shall be considered to have obtained or disclosed individually identifiable health information in violation of this part if the information is maintained by a covered entity... and the individual obtained or disclosed such information without authorization.
  24. Willful Neglect
     • The HITECH Act includes civil investigation and action for noncompliance due to “willful neglect”
        • A formal investigation will be commenced whenever a preliminary investigation of the facts identifies that a possible violation is due to willful neglect
  25. Penalty Tiers
     Without Knowledge. When it is established a person did not know (and by exercising reasonable diligence would not have known)
     Reasonable Cause. When it is established that the violation was due to a reasonable cause and not to willful neglect
     Willful Neglect. When it is established that the violation was due to willful neglect
     • $100 for each violation, except that the total amount imposed on a person for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000.
     • $1,000 for each violation, … may not exceed $100,000.
     • $10,000 for each such violation … may not exceed $250,000.
     • $50,000 for each such violation … may not exceed $1.5 million.
  26. Enforcement Funding
     • Any civil monetary penalty or monetary settlement collected with respect to a criminal or civil action brought under the HIPAA security and privacy provisions shall be transferred to the Office for Civil Rights of the HHS.
        • This money will be used for enforcing the privacy and security provisions of HIPAA.
     • The HITECH Act calls for a study by the GAO to determine the feasibility of distributing to victims of a violation a percentage of any collected civil monetary penalty or monetary settlement, and the methodology to accomplish it.
  27. Enforcement By State AG
     • When there is reason to believe that an interest of one or more of the residents of a state has been or is threatened or adversely affected by any person who violates a provision of HIPAA, the Attorney General of the state may bring a civil action on behalf of such residents of the state in a U.S. District Court.
        • Damages will be statutorily imposed.
           • The amount is calculated by multiplying the number of violations by up to $100.
           • The total amount of damages imposed on the person for violations of all identical requirements or prohibition during a calendar year shall not exceed $25,000.
        • The court may also award the Attorney General reasonable costs for bringing the action and attorney’s fees.
  28. Other Provisions
     • Restrictions on certain disclosures. Individuals will have the right to prohibit the disclosure of PHI to a health plan for items or services that the individual paid for in full out-of-pocket.
     • Minimum Necessary Rule. New regulations will be released clarifying the “minimum necessary” PHI that may be disclosed in limited data sets and for other purposes.
     • Restrictions on sales of EHRs or PHI. Covered entities and business associates may not sell PHI and EHRs, except in limited circumstances, unless the individual authorizes the sale.
     • Accounting of certain PHI disclosures required if covered entity uses an EHR. Covered entities must provide accounting for disclosure of PHI to carry out treatment, payment, and healthcare operations when the PHI is in an EHR.
     • Access to Certain Information In Electronic Format. An individual has a right to obtain from the covered entity a copy of his or her information in an electronic format.
     • Conditions on certain communications as part of healthcare operations. Limits the healthcare operations exception for communications when the covered entity receives remuneration for the communication except in limited circumstances.
  29. Thank you!
     M. Peter Adler, Attorney at Law
     202.220.1278; Mobile 202.251.7600; Direct Fax 800.684.2749; [email_address]
     Hamilton Square, 600 Fourteenth Street, N.W., Washington DC 20005-2004
     202.220.1200; Fax 202.220.1665; www.pepperlaw.com