HHS Proposes Definition of Meaningful Use of Certified Electronic Health Record Technology

The Facts 

On January 13, 2010, the U.S. Department of Health and Human Services (HHS) proposed requirements for hospitals, physicians and other eligible providers to earn incentives for the adoption and “meaningful use” of “certified electronic health record (EHR) technology.”  Incentives in the form of enhanced Medicare and Medicaid reimbursement are received by demonstrating meaningful use of certified EHR technology.  The incentives start in 2011, but become penalties by 2015 through reduced reimbursements for those who do not achieve meaningful use.  This initial set of standards is intended to begin to define “a common language to ensure accurate and secure health information exchange across different EHR systems.”  Certified EHR technology can be either a “complete EHR or a combination of EHR modules” to enable providers to adapt to innovations in a rapidly evolving industry while ensuring access to a wide array of technology options, from vendor-based products, to homegrown technology, to hosted services on a subscription basis, to open source products.  For more information, see McDermott Will & Emery’s White Paper “HHS Establishes the Initial Pathway for Qualifying for HITECH Act Incentives Dollars for Meaningful Use of Certified Electronic Health Record Technology.”

What’s at Stake

Eligible hospitals and professionals may receive incentive payments for achieving, and may avoid penalties for failing to achieve, meaningful use of certified EHR technology.  Some hospitals and doctors have already expressed concern about the all-or-nothing structure of the proposed rule, which requires providers to meet 23 criteria at once, or fail to qualify at all.  Vendors of EHR systems or EHR modules must ensure their products have the features and functionality to be certified and to enable meaningful use, although the certifying bodies have yet to be certified.

Steps to Consider

Providers, vendors of health information technology and other interested parties should consider submitting comments to HHS prior to the March 15, 2010, deadline.  

In selecting an EHR, ensure that the EHR product by itself or combined with other EHR modules will achieve, or be modified by the vendor to achieve, certification.  Assess interoperability of modules.  Consider contractual commitments covering interoperability, certification and meaningful use. 

Vendors should develop a road map or work-around to ensure that products will be certified and that they will enable meaningful use.  Vendors should be ready to address customer demand for assurances.   

Penalties for HIPAA Violations Increase Significantly

The Facts

On October 30, 2009, the U.S. Department of Health and Human Services issued an Interim Final Rule (the Rule) to amend the existing administrative simplification enforcement regulations adopted pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  The Rule implements amendments to HIPAA made by the Health Information Technology for Economic and Clinical Health Act (HITECH Act) enacted as part of the American Recovery and Reinvestment Act of 2009. Prior to enactment of the HITECH Act, covered entities under HIPAA (health care providers that conduct certain transactions in electronic form, health plans and health care clearinghouses) were subject to HIPAA civil money penalties of up to $100 per violation, with an annual cap of $25,000 for identical violations within a calendar year. The Rule preserves this structure for violations occurring prior to February 18, 2009. Violations occurring on or after February 18, 2009 are subject to a new penalties scheme, which ranges from a minimum per-offense penalty of $100 to $50,000, depending on the level of culpability. The Rule also increases the annual cap for identical violations from $25,000 to $1.5 million, and alters the available affirmative defenses to a HIPAA enforcement action. Business associates are directly subject to the new enforcement scheme beginning February 17, 2010. HIPAA’s criminal penalties remain unchanged.

What’s at Stake

The new HIPAA civil money penalties scheme that will be enforced under the Rule substantially increases the potential penalties for HIPAA violations by covered entities occurring on or after February 18, 2009. Business associates will be directly subject to HIPAA, including the new enforcement scheme, for the first time beginning February 17, 2010. Prior to February 17, 2010, business associates are only subject to HIPAA requirements through contracts with covered entities.

Steps to Consider

Covered entities and business associates should review their current HIPAA compliance policies and procedures to ensure they are meeting amended requirements.  Business associates that previously lacked HIPAA privacy and security policies and procedures should implement policies and train their workforce. McDermott has prepared HIPAA privacy policies and forms for covered entities and business associates.  A preview of the manual's table of contents for covered entities can be viewed here, and the business associates table of contents can be viewed here.

Security Breach Notifications

The Facts

The Health Information Technology for Economic and Clinical Health Act (HITECH Act) includes significant investment in health information technology to facilitate the adoption of a U.S.-wide health information network and requires HIPAA covered entities, business associates, vendors of personal health records and related entities to notify individuals when their personal health information is subject to a breach of security.  The U.S. Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC) recently issued rules relating to these security breach notification requirements.  Compliance with these regulations will require significant time and expense, and, therefore, health care and related industries should immediately begin familiarizing themselves with the rulemakings and updating their processes and procedures to comply accordingly.

What’s at Stake

HIPAA covered entities, business associates, vendors of personal health records and related entities could be subject to penalties for not properly notifying patients or customers, as applicable, of security breaches involving the patients’ or customers’ individually identifiable health information.  Note that while the HHS rule is effective September 23, 2009, HHS will delay enforcement for six months.  This means that HHS will not impose sanctions for failure to provide the required notification for breaches discovered before February 22, 2010.  Similarly, while the FTC rule is effective September 24, 2009, the FTC will delay enforcement for six months.  This means that the FTC will not impose sanctions for failure to provide the required notification for breaches discovered before February 22, 2010.

Steps to Consider

  • If your organization is a HIPAA covered entity, business associate, vendor of personal health records or related entity, review the HHS and FTC regulations, which can be viewed here and here, respectively. 
  • Affected entities should immediately begin to develop a compliance plan, because the effective date of the HHS rule is September 23, 2009, and the effective date of the FTC rule is September 24, 2009.
  • Consider filing comments on the HHS rule on or before the October 23, 2009, deadline. 
  • For a summary of these regulations, review McDermott’s White Paper entitled “Regulatory Update: HITECH’s HHS and FTC Security Breach Notification Requirements.”

Continuing Developments in Defining "Meaningful Use"

The Facts

The Office of the National Coordinator for Health Information Technology’s HIT Policy Committee has taken another important step towards defining “meaningful use” under the American Recovery and Reinvestment Act of 2009 (ARRA). Hospitals and eligible providers must meet the requirements for “meaningful use” of certified electronic health records (EHRs) in order to qualify for Medicare incentive payments under ARRA. Recently, the HIT Policy Committee approved revised recommendations for an initial definition of “meaningful use.” These recommendations are outlined in a lengthy matrix, which sets forth measures for meeting specified objectives for each of the years 2011, 2013 and 2015:

  • Goal for 2011 objectives – Capacity to electronically capture in coded format and report health information, and use that information to track key clinical conditions
  • Goal for 2013 objectives – Ability to guide and support care processes and care coordination
  • Goal for 2015 objectives – Capability to achieve and improve performance and support care processes and key health system outcomes

The HIT Policy Committee also recommended that the incentives be paid according to an “adoption year” timeframe rather than a calendar year timeframe. Accordingly, the objectives and measures for the year 2011 would apply to an organization’s first adoption year, if an organization is not ready for incentive payments until after 2011. The U.S. Department of Health and Human Services (HHS) will use the recommendations to develop regulations to implement the incentive payments under ARRA. 

What’s at Stake

Hospitals and eligible providers that meet the requirements of “meaningful use” of certified EHRs will be eligible for Medicare incentive payments beginning in 2011. Medicare payments may be reduced to hospitals and providers that do not meet the requirements for “meaningful use” of certified EHRs by 2015.

Steps to Consider

Evaluate how the 2011 Objectives and Measures in the Meaningful Use Matrix may require changes in the operations of your organization, anticipating that some form of the objectives and measures may ultimately be included in the regulations promulgated by HHS. Monitor regulatory actions by HHS regarding the definition of “meaningful use” and Medicare incentive payments under ARRA.

HIT Policy Committee Announces Proposed "Meaningful Use" Definition

The Facts
The American Recovery and Reinvestment Act authorizes the Centers for Medicare & Medicaid Services (CMS) to provide incentives to certain physicians and hospitals who achieve “meaningful use” of a certified electronic health record (EHR) system.

The act established the Health Information Technology (HIT) Policy Committee, which issued a draft definition of “meaningful use” at its June 16, 2009, meeting.  The committee recommended a progressive definition, where “meaningful use” is ultimately linked to achieving measurable outcomes in patient engagement, care coordination and population health.  The 2011 objectives are intended to establish a foundation for affecting a more comprehensive set of health outcomes in the future.  By 2015, the objectives are to achieve and improve performance and support care processes.  A matrix including the full proposed definition of “meaningful use” is available at http://healthit.hhs.gov/.

The committee has asked a workgroup of the committee to submit a new set of recommendations for “meaningful use” at the committee’s July meeting.  The committee is currently accepting comments regarding the proposed draft, but it is not clear whether it will offer a comment period after the revised draft.  The committee’s recommendations are non-binding, but will provide guidance to CMS, which will ultimately establish the definition for “meaningful use.”

What’s at Stake
Beginning in 2011, those physicians and hospitals who can demonstrate “meaningful use” of a certified EHR system will receive incentive payments through additional Medicare reimbursement.  Beginning in 2015, those who have not achieved “meaningful use” will be subject to certain downward adjustments in their Medicare reimbursement rates.

Steps to Consider

  • Consider submitting comments to the Department of Health and Human Services (HHS) on the draft definition of “meaningful use.”  Comments are due by 5 pm Eastern time, June 26, 2009.
  • If your organization does not have an EHR system, consider options for EHR technology that fit within your organization’s structure and that will assist you in capturing data to meet evolving “meaningful use” requirements.
  • If your organization already has an EHR, examine the systems and consider internal and external steps necessary to implement flexibility in capturing data required for an evolving definition of “meaningful use.”
  • Obtain contractual commitments from EHR system vendors to assist you in achieving “meaningful use.”

Guest Commentary: Defining "Meaningful Use" Under the HITECH Act

Guest commentary from Susan Reynolds, M.D., Ph.D., president and CEO of the Institute for Medical Leadership, and Jay Volk, president of Workflow.com.

The concept of interoperability is part of the definition of “meaningful use.”  Therefore, many hospitals and physicians that want to position themselves for the Medicare incentives are asking whether EHR systems will “talk” to each other, i.e., what standards will be set by the administration so that these information systems are easily integrated, and when those standards will be set.

The administration should carefully consider its ultimate goals when developing the standard for “meaningful use.”  If the administration’s goal is to get technology in the hands of doctors, it should consider writing rules that define meaningful use very liberally.  If the goal of the administration is return on investment, it should consider writing rules that define meaningful use with measurable goals.  A liberal standard may mean more practitioners buying, but not ultimately using EHRs as effectively as they could be used.  A stricter standard may mean fewer practitioners purchasing EHRs, but those practitioners will make the commitment to use them and likely see the metric benefits of EHR use.  Of course, the devil in the details of “meaningful use” is usability.  Vendors will need to respond to the new federal regulations to make their systems user-friendly for physicians and hospitals.

Susan Reynolds, M.D., Ph.D., can be contacted at sreynolds@medleadership.com or +1 800 361 5321. Jay Volk can be contacted at jay@workflow.com or +1 440 827 2020.

Defining "Meaningful Use" Under the HITECH Act

The Facts
The Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009, includes Medicare incentives for adoption and meaningful use of certified electronic health record (EHR) technology.   To be eligible for incentive payments, hospitals and physicians must use EHRs in a meaningful manner, exchange electronic health information to improve the quality of care, and report on clinical quality and other measures.  Additional guidance regarding these parameters is expected from the U.S. Department of Health and Human Services through the regulatory process.  The Health Information and Management Systems Society has published recommendations regarding the definition of “meaningful use”: 

  • Recognize Certification Commission for Healthcare Information Technology (CCHIT) as the certifying body of EHRs.
  • Adopt metrics that can be reasonably captured and reported beginning in 2011.  These metrics should then become increasingly stringent every two or more years to achieve incremental maturation of “meaningful use.”
  • Coordinate with Health Information Technology Standards Panel and Integrating the Healthcare Enterprise to publish implementation guides and standards for output of EHR data to bridge existing gaps in interoperability of health information.
  • Collaborate with CCHIT to fairly evaluate hospitals and physicians that use “best of breed” systems from multiple vendors or open source technologies.

What’s at Stake
Hospitals and physicians that meet the requirements of “meaningful use” of certified EHRs will be eligible for Medicare incentive payments beginning in 2011.   Medicare payments may be reduced to hospitals and physicians that do not meet the requirements for “meaningful use” of certified EHRs by 2015. 

Steps to Consider

  • If your organization is considering acquiring an EHR system, seek counsel on the legal requirements of “meaningful use” (including interoperability) and anticipate the timeframe for your organization to meet these requirements before the eligibility dates. 
  • Obtain a contractual commitment from the vendor that the system will permit usage in accordance with the federal definition of “meaningful use.”
  • Conduct due diligence on and obtain contractual commitments from your vendor to make sure it is certified and can meet the requirements of certification panels.
  • When selecting an EHR system, obtain stakeholder endorsements to support system success.