South Carolina Healthcare Financial Management Association - PowerPoint PPT Presentation
South Carolina Healthcare Financial Management Association

Legal Implications of HIT: Practical Tips for Compliance and Vendor Contracting

June 1, 2011

Mark L. Bender, JD

(803) 253-8212

[email protected]

Jeanne M. Born, RN, JD

(803) 540-2038

[email protected]

Nexsen Pruet, LLC

http://www/nexsenpruet.com


HIPAA/HITECH

  • Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)

  • American Recovery and Reinvestment Act of 2009

    • Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”);

      • Division A, Title VIII, Subtitle D – Privacy

      • Division B, Title IV – Medicare/Medicaid Incentives

  • Assumptions: I will assume that you all speak “HIPAA” & “HITECH”


HIPAA/HITECH

  • HITECH made multiple changes in the existing HIPAA Statutes, Privacy Standards and Security Standards that directly affect covered entities, business associates and others.

  • HITECH also provides for economic incentives to encourage the implementation of EHRS for hospitals and other “eligible providers.”

  • This presentation is intended to be a high-level overview of some, not all, of the legal issues that arise out of the changes effected by HITECH and the regulations & guidance published pursuant to HITECH (to date) and implementing HIT.


Overview

  • Legal & compliance issues with implementing the HITECH changes in the Privacy and Security regulations.

  • Legal & compliance issues with implementing the Medicare & Medicaid Incentive Program meaningful use regulations.

  • Additional legal issues in HIT implementation including:

  • Practical tips for EHR system contracting.


Proposed Regulations

  • July 14, 2010: Notice of Proposed Rulemaking: Modifications of the HIPAA Privacy, Security, and Enforcement Rules Under HITECH (the “NPRM”)

  • Purpose: To implement several provisions of HITECH and broaden individual privacy rights.

  • Still no final rule.

  • A copy of the NPRM is at the following website:

    http://edocet.access.gpo.gov/2010/2010-16718.htm


July 14, 2010 NPRM

  • The July 14 NPRM implements the HITECH provisions, which were to be effective February 17, 2010.

  • However . . .

  • The NPRM states the following: “We note that the final rule will not take effect until after most of the provisions of the HITECH Act became effective on February 18, 2010. We recognize that it will be difficult for covered entities and business associates to comply with the statutory provisions until after we have finalized our changes to the HIPAA Rules. In addition, we recognize that covered entities and business associates will need some time beyond the effective date of the final rule to come into compliance with the final rule’s provisions. In light of these considerations, we intend to provide covered entities and business associates with 180 days beyond the effective date of the final rule to come into compliance with most of the rule’s provisions.” 75 F.R. 40868, 40871.


July 14, 2010 NPRM

  • March 15, 2010 on the OCR website: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hitechblurb.html

    • “Although the effective date (February 17, 2010) for many of these HITECH Act provisions has passed, the NPRM, and the final rule that will follow, provide specific information regarding the expected date of compliance and enforcement of these new requirements.”

  • Upshot? While this was a “stay of execution” we highly recommend that you go forward with taking steps toward compliance – both Covered Entities and Business Associates.


Business Associates Subject to Security Provisions

  • Section 13401(a) provides that certain Security Standard provisions apply to Business Associates (“BA”) in the same manner as Covered Entities (“CE”):

    • 45 CFR §164.308 – Administrative Safeguards

    • 45 CFR §164.310 – Physical Safeguards

    • 45 CFR §164.312 – Technical Safeguards

    • 45 CFR §164.316 – Policies and procedures and documentation requirements

    • The additional requirements of HITECH that relate to security and that are made applicable with respect to CEs shall also be applicable to BAs.

  • And shall be incorporated into the BA Agreement (“BAA”) between the BA and the CE.


Business Associates Subject to Security Provisions: NPRM

  • Accountants are business associates if the accountant provides accounting services on behalf of a covered entity and the accountant uses PHI (includes payment information) to provide those services.

  • Also adds obligations for BAs to pass on BA obligations to subcontractors.


Section 13401(c): Guidance on Security Rule Risk Analysis Requirements

  • On July 14, 2010, HHS published guidance on compliance with risk analysis requirements under the security rule:

  • http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf

  • Very useful for CEs and BAs.

  • Will be updated after the final HITECH implementing regulations are published.

  • A risk analysis (conduct or review) is also one of the required measures in the meaningful use regulations.


Section 13404: Application of Privacy Provisions and Penalties to BAs

  • (a) Provides that the following privacy provisions apply directly to BAs:

    • 45 C.F.R. §§ 164.502(e) and 164.504(e) (Re: BAAs)

    • The additional provisions in HITECH that relate to privacy that apply to CEs also apply to BAs.

    • NPRM broadly includes BAs in §§ 164.502 and 164.504(e).

    • NPRM includes new provision on subcontractors of BAs.

  • (b) Provides that a BA must take steps to cure a breach of the BAA by the CE, terminate the BAA, or report to DHHS if the CE violates the BAA (“Snitch provision”).

  • (c) Provides that if a BA violates (a) or (b), then the BA is subject to the HIPAA Statutory civil and criminal penalties (42 U.S.C. §§1320d-5 & 1320d-6).


Civil and Criminal Provisions of HIPAA Apply to BAs

  • Section 13401(b) provides that if a BA violates any of the Security provisions in Section 13401(a), the civil and criminal provisions of the HIPAA statute apply to the BA in the same manner as a CE.

  • Significant for BAs: Previously, the only recourse against a BA was an action under the BAA.


Criminal Penalties: 42 U.S.C. §1320d-6

  • (a) A person who knowingly and in violation of this part--

    • (1) uses or causes to be used a unique health identifier;

    • (2) obtains IIHI relating to an individual; or

    • (3) discloses IIHI to another person, shall be punished as provided in subsection (b) of this section.

  • (b) Penalties: A person described in subsection (a) of this section shall--

    • (1) be fined not more than $50,000, imprisoned not more than 1 year, or both;

    • (2) if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and

    • (3) if the offense is committed with intent to sell, transfer, or use IIHI for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.


Notification of Breach: Section 13402

  • A CE that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses or discloses unsecured protected health information shall, in the case of a breach, notify the individual whose unsecured protected health information has been or is reasonably believed by the CE to have been accessed, acquired, or disclosed as a result of such breach.

  • BAs shall notify the CE of such breaches.


Breach: Section 13400(1)

  • (A) IN GENERAL.—The term ‘‘breach’’ means the unauthorized acquisition, access, use, or disclosure of protected health information (“PHI”) which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.


Breach: Section 13400(1)

  • (B) EXCEPTIONS.—The term ‘‘breach’’ does not include—

    • (i) any unintentional acquisition, access, or use of PHI by an employee or individual acting under the authority of a CE or BA if—

      • (I) such acquisition, access, or use was made in good faith and within the course and scope of the employment or other professional relationship of such employee or individual, respectively, with the CE or BA; and

      • (II) such information is not further acquired, accessed, used, or disclosed by any person; OR

    • (ii) any inadvertent disclosure from an individual who is otherwise authorized to access PHI at a facility operated by a CE or BA to another similarly situated individual at the same facility; and

    • (iii) any such information received as a result of such disclosure is not further acquired, accessed, used, or disclosed without authorization by any person.


Definition of Breach

  • Published the interim final rule on August 24, 2009: 45 C.F.R. §§164.400 – 164.414.

  • Modified the definition of breach . . .

  • Added a “harm” standard by defining “compromises the security or privacy of [protected health] information” as follows:

    • Poses a significant risk of financial reputational or other harm to the individual.

  • Senator Waxman did not like this change and informed Secretary Sebelius by letter dated October 1, 2009.

  • This was not addressed in the NPRM.


Status of Breach Notification Interim Final Rule & Final Rule

  • Interim Final Breach Notification Rule can be found at: http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf

  • A final breach rule was submitted to the OMB in late July of 2010, but it was withdrawn.

  • http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/finalruleupdate.html

  • Upshot: the interim final rule stands. Stay tuned.


Unsecured PHI: Section 13402(h)

  • Unsecured Protected Health Information (“Unsecured PHI”): PHI that is not secured by a technology standard that renders PHI unusable, unreadable, or indecipherable to unauthorized individuals and that is developed or endorsed by a standards developing organization accredited by the American National Standards Institute.

  • Guidance published April 17, 2009.


Notification of Breach Rule

  • Guidance published April 17, 2009 provides that the technologies and methodologies that render PHI unusable, unreadable, or indecipherable to unauthorized individuals are:

    • Electronic PHI that has been encrypted

      • Data at rest – NIST Special Publication 800-111

      • Data in motion – FIPS 140-2 (Includes NIST Special Publications 800-52, 800-77 or 800-113)

    • Media on which PHI is stored or recorded has been destroyed:

      • Paper, film or hard copy: shredded or destroyed such that it cannot be reconstructed

      • Electronic media: cleared or purged consistent with NIST Special Publication 800-88

  • FIPS: www.itl.nist.gov/fipspubs/index.htm

  • NIST: www.nist.gov/


Notification of Breach Rule

  • Notice must be made within 60 days of when the CE knows or should have reasonably known of the breach.

  • Individuals: notice is provided in writing by first class mail or by e-mail if the individual provided a preference.

  • If contact information is out of date (including 10 or more such individuals), post a toll free number on the CE’s website where individuals can learn if their unsecured PHI has been breached.

  • Regulations add provisions for deceased individuals and when contact information is insufficient or out of date:

    • Fewer than 10: alternative form of written notice, telephone or other means

    • 10 or greater: conspicuous posting for 90 days on CE’s webpage or in major broadcast media AND contact information.


Notification of Breach Rule

  • If notification is urgent because of possible misuse, may telephone the individual(s)

  • If 500 or more individuals are involved, notice must be provided to prominent media outlets.

  • Notice must be provided to the Secretary of DHHS;

    • if 500 or more individuals are involved, this notice must be given immediately

    • If fewer than 500, the CE may keep a log and disclose it to the Secretary annually.

  • The Secretary of DHHS will post the identities of the CEs involved in breaches where more than 500 individuals are involved.

  • See the OCR posting (225 recorded breaches >500 to date) at http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html


Notification of Breach Rule

  • Breach notification webpage: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html

  • Guidance for notifying Secretary of breaches: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html

    • Submit Notice of a Breach Affecting 500 or More Individuals

    • Submit Notice of a Breach Affecting Fewer than 500 Individuals


Notification of Breach Rule

  • Content of notice:

    • Brief description of what happened (include date of breach and date of discovery)

    • A description of the types of Unsecured PHI involved in the breach

    • The steps that individuals should take to protect themselves from potential harm

    • A brief description of what the CE is doing to investigate, mitigate losses and protect against further breaches

    • Contact information (toll-free telephone number, an e-mail address, web site, or postal address)


Notification of Breach Rule

  • Notice can be delayed if law enforcement determines that notice:

    • Would impede a criminal investigation; or

    • Would cause damage to national security.
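The breach notification slides above amount to a decision procedure: a safe-harbor test, a 60-day clock, substitute-notice thresholds, and the 500-individual threshold for media and Secretary notice. The following is an added example (not from the presentation or its authors) that encodes those rules as summarized on the slides; the `BreachFacts` fields and the wording of the steps are this example's own assumptions, and the code is a planning aid, not legal advice on a specific incident.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Constructed example encoding the section 13402 breach notification rules as
# summarized on the slides; thresholds and deadlines are taken from the slides.

@dataclass
class BreachFacts:
    discovered_on: date                 # date the CE knew or reasonably should have known
    individuals_affected: int
    phi_secured_per_guidance: bool      # encrypted per NIST SP 800-111 / FIPS 140-2, or media destroyed per SP 800-88
    stale_contacts: int = 0             # individuals whose contact information is out of date
    urgent_possible_misuse: bool = False
    law_enforcement_delay: bool = False

@dataclass
class NotificationPlan:
    required: bool
    individual_notice_deadline: Optional[date] = None
    media_notice: bool = False
    secretary_notice: str = ""          # "immediately" or "annual log"
    steps: List[str] = field(default_factory=list)

def plan_notifications(f: BreachFacts) -> NotificationPlan:
    plan = NotificationPlan(required=False)
    # Safe harbor: PHI rendered unusable, unreadable or indecipherable is not "unsecured PHI",
    # so the section 13402 notification duty is not triggered.
    if f.phi_secured_per_guidance:
        plan.steps.append("PHI was secured per the April 17, 2009 guidance: not unsecured PHI, no section 13402 notice")
        return plan
    plan.required = True
    # Notice within 60 days of actual or constructive knowledge of the breach.
    plan.individual_notice_deadline = f.discovered_on + timedelta(days=60)
    plan.steps.append("Written notice to each individual by first-class mail, or e-mail where the individual chose it")
    if f.urgent_possible_misuse:
        plan.steps.append("Possible misuse: telephone the affected individual(s) in addition to written notice")
    # Substitute notice when contact information is insufficient or out of date.
    if f.stale_contacts >= 10:
        plan.steps.append("Substitute notice: conspicuous posting for 90 days on the CE's website or in major broadcast media, plus a toll-free number")
    elif f.stale_contacts > 0:
        plan.steps.append("Substitute notice: alternative written notice, telephone or other means")
    # Media and Secretary notices turn on the 500-individual threshold.
    if f.individuals_affected >= 500:
        plan.media_notice = True
        plan.secretary_notice = "immediately"
        plan.steps.append("Notify prominent media outlets")
        plan.steps.append("Notify the Secretary of DHHS immediately (the CE will appear on the OCR breach posting)")
    else:
        plan.secretary_notice = "annual log"
        plan.steps.append("Record the breach in the breach log and report it to the Secretary annually")
    # A law enforcement determination is the only basis on the slides for postponing notice.
    if f.law_enforcement_delay:
        plan.steps.append("Notice deferred per law enforcement determination (criminal investigation or national security)")
    return plan
```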


Section 13405(a): Restrictions

  • Provides that a CE must comply with a request for a restriction (45 C.F.R. §164.522(a)(1)(i)(A)) in the use or disclosure of PHI if the purpose of the use or disclosure is NOT treatment and if payment is out of pocket in full.

  • Upshot: Amend your HIPAA policies and procedures and your Notice of Privacy Practices to add this requirement and flag your PHI if such a restriction is requested.

  • NPRM implements this provision.


Section 13405(b): Disclosures Limited: Minimum Necessary

  • (b)(1) A CE will be in compliance with the minimum necessary standard (45 C.F.R. §164.502(b)) if the CE uses, discloses or requests only a limited data set (45 C.F.R. §514(e)(2)) unless the limited data set is not sufficient, then the minimum necessary PHI to accomplish the purpose may be disclosed.

  • DHHS is to publish guidance on what constitutes “minimum necessary” within 18 months of February 17, 2009, the publication date of HITECH. Interestingly, the Notice of Proposed Regulations did not define the “minimum necessary standard.”

  • Publication was to be made by August 17, 2010.

  • No guidance published as yet.

  • Upshot? Guidance will affect multiple policies/procedures and likely business practices as well. Be on the lookout!


Section 13405(c): Accounting of Disclosures

  • (c) If a CE maintains an EHR with respect to PHI, then the accounting of disclosures includes disclosures for treatment, payment and health care operations (“TPO”), but

  • The accounting may be requested for only the prior three (3) years.

  • DHHS was to promulgate regulations within 6 months after DHHS adopts standards on accounting for disclosures for TPO in Section 3002(b)(2)(B)(iv) of HITECH.

  • The proposed date for accounting of disclosures was January 11, 2011.


Section 13405(c): Accounting of Disclosures

  • On May 3, 2010, DHHS published a “request for information” asking for information re:

    • Interests of individuals as to disclosures for TPO through an EHR;

    • The administrative burden on CEs and BAs;

    • Other information to help rulemaking.

  • Comment period ended May 18, 2010.

  • The NPRM was published in the Federal Register May 31, 2011:

  • See: http://www.gpo.gov/fdsys/pkg/FR-2011-05-31/pdf/2011-13297.pdf


Section 13405(c): Accounting of Disclosures: NPRM

  • Divided into 2 rights: Applies to CEs and BAs

  • Right to an accounting (paper & EHR) – 3-year period

  • Right to an access report (EHR only) – 3-year period

    • Includes who has accessed the individual’s E-PHI held by a CE or BA.

    • Does not distinguish between “uses” and “disclosures,” and thus, would apply when any person accesses an electronic designated record set, whether that person is a member of the workforce or a person outside the CE.

    • Identifies the date, time, and name of the person (or name of the entity if the person’s name is unavailable) who accessed the information, a description of the PHI that was accessed; and

    • The user’s action, but only to the extent that such information is available.

    • Right to an access report must be added to the NPP.


Section 13405(c): Accounting of Disclosures: NPRM

  • Exempts accounting of impermissible disclosures that have been reported to the individual as a breach.

  • Disclosures included in the accounting:

    • For public health activities except disclosures to report child abuse

    • For judicial and administrative proceedings

    • For law enforcement purposes

    • To avert a serious threat to health or safety

    • For military and veterans activities, the Department of State’s medical suitability determinations, and government programs providing public benefits

    • For workers’ compensation


Section 13405(c): Accounting of Disclosures: NPRM

  • Disclosures to carry out treatment, payment and health care operations as provided in §164.506 would continue to be exempt for paper records.

  • An individual would be able to obtain information (such as the name of the person accessing the information) for all access to E-PHI stored in a designated record set for purposes of treatment, payment and health care operations.


Section 13405(c): Accounting of Disclosures: NPRM

  • Excludes from the ACCOUNTING

    • disclosures about victims of abuse, neglect, or domestic violence under § 164.512(c);

    • disclosures for health oversight activities under § 164.512(d);

    • disclosures for research purposes under § 164.512(i);

    • disclosures about decedents to coroners and medical examiners, funeral directors, and for cadaveric organ, eye, or tissue donation purposes under § 164.512(g) and (h);

    • disclosures for protective services for the President and others under § 164.512(k)(3); and

    • most disclosures that are required by law (including disclosures to the Secretary to enforce the HIPAA Administrative Simplification Rules)

  • But, the foregoing is to be available in the ACCESS REPORT to the extent these disclosures are made through the EHR.


Section 13405(c): Accounting of Disclosures: NPRM

  • Content of the accounting:

    • The date, or approximate date or period of time during which the disclosure occurred which, at a minimum, shall include the month and year or a description of when the disclosure occurred from which an individual can readily determine the month and year of the disclosure;

    • The name of the entity or person who received the PHI and, if known, the address of such entity or person

    • Brief description of the type of PHI disclosed

    • Brief description of the purpose of the disclosure


Section 13405(c): Accounting of Disclosures: NPRM

  • Provision of the Accounting

    • CE must act on the individual’s request for an accounting no later than 30 days after receipt of such request

    • If the CE is unable to provide the accounting within that time, the CE may extend the time by no more than 30 days provided that (1) the CE provides a written statement of the reason for the delay and the date by which the CE will provide the accounting and (2) the CE may have only 1 such extension

    • CE must provide the accounting in the form and format requested by the individual (there are a few exceptions)

    • CE must provide the first accounting to an individual in any 12-month period without charge


Section 13405(c): Accounting of Disclosures: NPRM

  • Documentation of the Accounting:

    • CE or BA must retain the information required to be included in an accounting under this section for three years from the date of disclosure

    • CE must document and retain the following:

      • A copy of the written accounting that is provided to the individual

      • Titles of the persons or offices responsible for receiving and processing requests for an accounting by individuals


Section 13405(c): Accounting of Disclosures: NPRM

  • Content of the Access Report: (likened to an audit log – as required under the Security Rule)

  • All disclosures AND USES of E-PHI in the designated record set (not limited to uses and disclosures made through the EHR).

  • CE must provide the individual with an access report that includes the following:

    • Date of access; time of access; name of natural person, description of what information was accessed; description of action by the user.

  • CE shall provide the individual with the option to limit the access report to a specific date, time period, or person.


Section 13405(c): Accounting of Disclosures: NPRM

  • Provision of the Access Report:

    • CE must act on the individual’s request for an access report no later than 30 days after receipt.

    • CE must provide the individual with the access report in a machine readable or other electronic form and format requested by the individual, if it is readily producible in such form and format.

    • CE must provide the first access report to an individual in any 12-month period without charge.


Section 13405(c): Accounting of Disclosures: NPRM

  • Documentation of the Access Report:

  • CE or BA must retain the information required to be included in an access report under this section for three years from the date of the use or disclosure.
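The access report slides describe an output derived from the Security Rule audit log: per access, the date, time, name of the natural person (or entity), a description of the PHI, and the user's action where available; limited to a three-year period; filterable by date, time period or person; delivered in machine-readable form within 30 days. The following is an added example (not from the presentation, and not a real EHR's audit format) that builds such a report from constructed audit-log records; the `AccessEvent` fields and JSON layout are this example's own assumptions, since the NPRM prescribes content rather than a schema.

```python
import json
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Dict, List, Optional

# Constructed example: producing the NPRM access report from Security Rule
# audit-log records. Field names below are this example's own assumptions.

@dataclass(frozen=True)
class AccessEvent:
    patient_id: str
    accessed_at: datetime
    actor: str                  # natural person's name, or entity name if the person's name is unavailable
    phi_description: str
    action: Optional[str]       # recorded only to the extent the system captures it

# Constructed sample audit-log entries, not real data.
SAMPLE_LOG: List[AccessEvent] = [
    AccessEvent("MRN-0001", datetime(2011, 5, 2, 10, 15, 0), "Dr. Ann Lee", "medication list", "viewed"),
    AccessEvent("MRN-0001", datetime(2011, 5, 3, 9, 0, 0), "Acme Billing Services", "claim summary", None),
    AccessEvent("MRN-0001", datetime(2007, 1, 10, 14, 30, 0), "Dr. Ann Lee", "problem list", "viewed"),
    AccessEvent("MRN-0002", datetime(2011, 5, 4, 11, 45, 0), "Nurse Bob Ray", "vital signs", "updated"),
]

def three_years_before(d: date) -> date:
    """Start of the three-year period the access report covers (Feb 29 handled)."""
    try:
        return d.replace(year=d.year - 3)
    except ValueError:
        return d.replace(year=d.year - 3, day=28)

def build_access_report(log: List[AccessEvent], patient_id: str, as_of: date,
                        since: Optional[date] = None, until: Optional[date] = None,
                        person: Optional[str] = None) -> List[Dict[str, str]]:
    """Report rows for one individual; the individual may limit by date, period or person."""
    window_start = three_years_before(as_of)
    rows = []
    for ev in log:
        if ev.patient_id != patient_id:
            continue
        ev_date = ev.accessed_at.date()
        if ev_date < window_start or ev_date > as_of:
            continue            # outside the three-year reporting period
        if since is not None and ev_date < since:
            continue
        if until is not None and ev_date > until:
            continue
        if person is not None and ev.actor != person:
            continue
        rows.append({
            "date": ev_date.isoformat(),
            "time": ev.accessed_at.strftime("%H:%M:%S"),
            "name": ev.actor,
            "phi_description": ev.phi_description,
            # The NPRM requires the action only to the extent it is available.
            "action": ev.action if ev.action is not None else "not available",
        })
    rows.sort(key=lambda r: (r["date"], r["time"]))
    return rows

def access_report_json(log: List[AccessEvent], patient_id: str, request_received: date, **filters) -> str:
    """Machine-readable form of the report, with the 30-day response deadline recorded."""
    report = {
        "patient_id": patient_id,
        "request_received": request_received.isoformat(),
        "respond_by": (request_received + timedelta(days=30)).isoformat(),
        "period_start": three_years_before(request_received).isoformat(),
        "accesses": build_access_report(log, patient_id, request_received, **filters),
    }
    return json.dumps(report, indent=2)
```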


Section 13405(c): Accounting of Disclosures (cont’d)

  • In processing a request for an accounting, the CE may elect:

    • An accounting of disclosures of the CE and BAs; or

    • An accounting of disclosures of the CE and a list of BAs the individual can contact with contact information.


Section 13405(d): Prohibition on the Sale of EHRs or PHI

  • A CE or BA shall NOT directly or indirectly receive remuneration in exchange for any PHI of an individual unless the CE obtains a valid HIPAA authorization that includes a specification of whether the PHI can be further exchanged for remuneration by the receiver.

  • The prohibition does not apply to the following disclosures:

    • Public health activities (45 C.F.R. §164.512(b))

    • Research purposes (45 C.F.R. §164.512(i)) and the price charged reflects the cost of preparation and transmittal of the data;

    • Treatment

    • Due diligence disclosures in connection with the sale or transfer of assets of a potential successor in interest

    • Disclosures to the BA

    • Access by the individual subject of the PHI

    • As otherwise determined by DHHS


Section 13405(d): Prohibition on the Sale of EHRs or PHI

  • Regulations were to be published by August 17, 2010 . . . Stay tuned.

  • Upshot? Review vendor contracts to be sure that appropriate BA language is part of the agreement.


Section 13405(e): Access to Certain Information in Electronic Format

  • In applying the Privacy Standards access provisions (45 C.F.R. §164.524), an individual has the right to obtain information in electronic format and direct the CE to provide it directly to an entity or person identified by the individual, provided the choice is clear, conspicuous and specific.

  • Any fee charged by the CE for such access cannot be greater than the CE’s actual labor cost.

  • NPRM implements this provision.

  • Upshot?

    • Update your Access policy/procedure to implement – work through issues related to how you will allow such access in a manner consistent with your security policies/procedures.

    • Update your Notice of Privacy Practices.

    • Note: Meaningful Use provisions require that access is provided within 3 days!


Section 13406(a): Conditions on Certain Contacts as Part of HCO: Marketing

  • Generally, a communication by a CE or BA that is about a product or service and that encourages recipients of the communication to purchase or use the product or service [shall not be considered a health care operation (“HCO”)][is marketing and prohibited unless you obtain an authorization] unless the communication is made:

    • that describes health-related products or services provided by the CE making the communication;

    • for the treatment of a patient; or

    • for case management or care coordination of a patient, or to direct or recommend alternative treatments, health care providers or settings of care to the patient.


Section 13406(a): Conditions on Certain Contacts as Part of HCO: Marketing

  • If the CE receives payment in exchange for any of those communications, then the communication is not a HCO (authorization required) except where:

    • Such communication describes only a drug or biologic that is currently being prescribed for the recipient of the communication and any direct or indirect payment received by such CE (not for treatment) in exchange for making a communication is reasonable in amount; &

    • Where each of the following conditions apply:

      • The communication is made by the CE; and

      • The CE making the communication obtains from the recipient of the communication a valid HIPAA authorization; Or

    • Where each of the following conditions apply:

      • The communication is made by a BA on behalf of a CE; and

      • The communication is consistent with the written agreement between the BA and CE.


Section 13406(a): Conditions on Certain Contacts as Part of HCO: Marketing

  • Reasonable: DHHS to define by regulation.

  • Direct or Indirect payment: Does not include any payment for treatment as defined in 45 C.F.R. §164.501.

  • NPRM proposing significant changes in this provision to simplify . . .


Marketing and the July 14, 2010 NPRM

  • Revisions to better distinguish the exception for treatment communications from those communications made for health care operations;

  • Add a definition for “financial remuneration;”

  • Health care operations communications for which financial remuneration is received are marketing and require authorization;

  • Written treatment communications for which financial remuneration is received are subject to certain notice and opt-out requirements (include in the NPP);

  • Provide a limited exception for refill reminders; etc.

  • Upshot?

    • Review your marketing activities and update your HIPAA marketing policies/procedures.

  • Too confusing!!! Stay tuned.


Section 13406(b): Conditions on Certain Contacts as Part of Health Care Operations: Opt out of Fundraising

  • Any written fundraising request shall include, in a clear and conspicuous manner, an opportunity for the individual to elect to opt out of receiving future fundraising communications.

  • Such election shall be treated as a revocation of a HIPAA authorization.

  • NPRM implements this provision.

  • Upshot?

    • Review your fundraising communications to assure that all communications include opt out language.

    • Monitor compliance with patients who do opt out.


Section 13408: BA Contract Required for Certain Entities

  • Requires the following entities to enter into a BAA with the CE:

    • Health Information Exchange Organizations;

    • Regional Health Information Organizations;

    • E-prescribing Gateway; and

    • Each vendor that contracts with a CE to allow the CE to offer a PHR to patients as part of its EHR.

  • Upshot: If you disclose PHI to HIEOs, RHIOs, or an E-prescribing Gateway, be sure to enter into a BAA with the entity.


Section 13409: Clarification of Application of Wrongful Disclosures Criminal Penalties

  • Amends 42 U.S.C. §1320d-6(a) to make it clear that the criminal penalties apply to employees and other individuals.


Section 13410(a) & (b): Improved Enforcement

  • Section 13410(a) significantly revises 42 U.S.C. §1320d-5 to include non-compliance due to willful neglect and requires DHHS to investigate if a complaint indicates a violation due to willful neglect.

  • Section 13410(b)

    • Makes 13410(a) changes effective 24 months from the date HITECH published.

    • DHHS required to promulgate regulations to implement this provision within 18 months of the publication of HITECH – not published yet.


Section 13410(c): Improved Enforcement

  • Distribution of Civil Money Penalties (“CMPs”):

    • $$ go to the Office for Civil Rights to be used for enforcement purposes.

      • Harmed individuals may share in civil monetary penalties. Within three years a mechanism for collection will be developed.


Section 13410(d): Improved Enforcement

  • Tiered increase in CMPs:

    • (a) $100 for each violation, the total not to exceed $25,000 for identical violations during a calendar year;

    • (b) $1,000 for each violation, the total not to exceed $100,000 for identical violations during a calendar year;

    • (c) $10,000 for each violation, the total not to exceed $250,000 for identical violations during a calendar year; and

    • (d) $50,000 for each violation, the total not to exceed $1,500,000 for identical violations during a calendar year.


Section 13410(d): Improved Enforcement

  • Application of tiers:

    • A violation where the person did not know and by exercising due diligence would not have known, the penalty will be not less than (a) but not more than (d).

    • A violation due to reasonable cause, but not willful neglect, the penalty will be not less than (b) but not more than (d).

    • A violation due to willful neglect:

      • If corrected, the penalty will be not less than (c) but not more than (d);

      • If not corrected, the penalty will be not less than (d).


Interim Final Enforcement Rule

  • Published October 30, 2009 and can be found at http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/enfifr.pdf

  • Definitions:

    • Reasonable cause means circumstances that would make it unreasonable for the covered entity, despite the exercise of ordinary business care and prudence, to comply with the administrative simplification provision violated.

    • Reasonable diligence means the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances.

    • Willful neglect means conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.


July 14, 2010 NPRM Proposes Changes

  • NPRM proposes a change in the definition of reasonable cause to mean an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect.

  • Other changes to strengthen and expand the OCR’s ability to enforce the Privacy and Security Standards.


Section 13410(e): Improved Enforcement

  • Enforcement by Attorneys General: In any case in which the AG has reason to believe that an interest of one or more of the residents of the State has been threatened or adversely affected by any person who violates a provision of HIPAA, the AG may bring a civil action on behalf of such residents to:

    • Enjoin further such violations; or

    • To obtain damages on behalf of such residents calculated by multiplying the number of violations by $100, the total not to exceed $25,000 for identical violations during a calendar year.

  • The court may award attorney fees.


Thought they were joking: Meet Richard Blumenthal

  • Blumenthal, Connecticut’s Attorney General, brought the first suit under the HITECH act.

  • He brought suit against Health Net after they lost or had stolen a disk that contained personal information of 1.5 million people.


… And He Won!

  • Health Net spent over $7 million trying to fix the data breach.

  • Health Net settled for a $250,000 fine, with a possibility of an additional $500,000.

  • Lesson: Encrypt!


HIPAA/HITECH

  • Constant rapid changes in the law.

  • Stay tuned for more changes as various rules due to be published going forward.

  • Questions about HIPAA/HITECH????


Medicare & Medicaid Incentive Program

  • American Recovery and Reinvestment Act of 2009: Division B, Title IV – Medicare/Medicaid Incentives

  • Medicare & Medicaid EHR Incentive program NPRM published January 13, 2010

  • Final Rule published July 28, 2010

  • Resource:

    • https://www.cms.gov/EHRIncentivePrograms/

  • Significant changes from the NPRM to the final rule.


Glossary: More Terms

  • CEHR: Certified Electronic Health Record: 42 C.F.R. § 495.4

  • CPOE: Computerized Physician Order Entry

  • EH: Eligible Hospital: 42 C.F.R. § 495.4

  • EHR: Electronic Health Record: 42 U.S.C.A. §17921(5)

  • EP: Eligible Provider: 42 C.F.R. § 495.4

  • MU: Meaningful Use of certified EHR technology: 42 C.F.R. § 495.4

  • ONC: Office of the National Coordinator of Health Information Technology: 42 U.S.C.A. §300jj-11


Three General Requirements

  • Requires the MU of Certified EHR technology.

  • Requires using Certified EHR technology for the electronic exchange of health information to improve efficiency and the quality of care.

  • Requires EHs and EPs to submit data on clinical quality measures to CMS to show MU.


Who is eligible to participate?

  • Medicare fee for service

    • EPs

      • MD or DO

      • DDS or DMD

      • DPM (Podiatrist)

      • Dr. of Optometry

    • EHs

      • Acute care hospitals

      • Critical Access Hospitals (CAHs)


Who is eligible to participate?

  • Medicare Advantage

    • MA EPs:

      • Must furnish, on average, at least 20 hours/week of patient-care services and be employed by the qualifying MA organization; or

      • Must be employed by, or be a partner of, an entity that through contract with the qualifying MA organization furnishes at least 80% of the entity’s Medicare patient care services to enrollees of the qualifying MA organization.

    • MA-Affiliated Eligible Hospitals: Will be paid under the Medicare fee for service EHR incentive program.


Who is eligible to participate?

  • Medicaid

    • EPs

      • Physicians

      • Nurse Practitioners

      • Certified Nurse Midwives

      • Dentists

      • PAs working at a FQHC or RHC that is led by a PA.

    • EHs

      • Acute care hospitals (including CAHs)

      • Children’s hospitals


Who is eligible to participate?

  • But, hospital-based EPs do not qualify.

    • Hospital based EP: An EP performing substantially all of their services in an inpatient hospital setting or emergency room.

  • EPs may participate in Medicare OR Medicaid incentive programs, not both (may switch one time before 2015).

  • EHs may participate in both Medicare and Medicaid incentive programs.

  • SCDHHS published a bulletin January 11, 2011 concerning SC’s Medicaid incentive program.


What is a Certified EHR?

  • The ONC published the Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology Final Rule on July 28, 2010.

  • The ONC published Health Information Technology: Revisions to Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology on October 13, 2010.

  • Anticipates certifying a complete EHR and EHR Modules. 45 C.F.R. §§ 170.102 & 170.302.

  • Tracks the MU objectives and adds certain security related provisions. 45 C.F.R. §170.302.

  • Has provisions for ambulatory and inpatient settings. 45 C.F.R. §§ 170.304 & 170.306.


How are EHRs Certified?

  • ONC published the Establishment of the Temporary Certification Program for HIT on June 24, 2010 (75 F.R. 36158-01). 45 C.F.R. 170.400, et seq.; sunsets December 31, 2011.

  • ONC published the Permanent Certification Program for HIT on January 7, 2011 (76 F.R. 1325). 45 C.F.R. 170.500, et seq.


How are EHRs Certified?

  • ONC authorized testing and certification bodies (ONC-ATCBs):

    • Certification Commission of Healthcare Information Technology (“CCHIT”)

    • Drummond Group, Inc.

    • InfoGard Laboratories, Inc.

    • Surescripts, LLC

    • ICSA Labs

    • SLI Global Solutions

  • See the current listing of Certified EHR Technology Vendors at: http://onc-chpl.force.com/ehrcert


What are the objectives/measures?

  • Core set of objectives:

    • 15 for EPs;

    • 14 for EHs.

  • Menu set of objectives:

    • 10 for EPs and EHs.

  • EPs must meet 20 total.

  • EHs must meet 19 total.


Exception for Medicaid EPs and EHs

  • If the EP or EH adopted (acquired and installed), implemented (commenced utilization of) or upgraded or expanded and used certified EHR technology, then the EP or EH need not demonstrate that it is a meaningful user until the second payment year.

  • Practice tip: If the EP received EHR software or information technology and training services as a donation under the Stark EHR donation exception/Anti-kickback safe harbor, then the EP’s Medicaid incentive payment may be affected:

    • Because the Medicaid incentive is about reimbursing the EP for adopting, implementing and upgrading or expanding EHR technology.


Meaningful Use Objectives

  • See the CMS comparison chart on the following 9 slides:

    • Provides a succinct summary of the objectives and measures;

    • Provides the comparison of the NPRM to final rule.

  • In addition, the following 17 slides were copied or paraphrased from PowerPoint presentations by CMS entitled “Medicare & Medicaid EHR Incentive Program Final Rule, Implementing the American Recovery & Reinvestment Act of 2009.”




Implementation

  • Will be implemented in three stages:

    • Stage 1 = 2011 and 2012

      • EPs must meet 20 of 25 objectives

      • EHs must meet 19 of 24 objectives

      • Reporting period = 90 days first year and one year subsequently.

    • Stage 2 =

      • Will be transitioned from Stage 1

      • DHHS will re-evaluate measures

      • Will include greater emphasis on HIE across institutional boundaries

    • Stage 3 = will be discussed in future rulemaking


Clinical Quality Measures

  • 2011: EPs, EHs and CAHs demonstrating MU are required to submit aggregate CQM numerator, denominator and exclusion data to CMS or the States by attestation.

  • 2012: EPs, EHs and CAHs demonstrating MU are required to electronically submit aggregate CQM numerator, denominator, and exclusion data to CMS or the States.


CQM: Eligible Professionals

  • Core, Alternate Core, and Additional CQM sets for EPs

    • EPs must report on 3 required core CQM, and if the denominator of 1 or more of the required core measures is 0, then EPs are required to report results for up to 3 alternate core measures

    • EPs also must select 3 additional CQM from a set of 38 CQM (other than the core/alternate core measures)

    • In sum, EPs must report on 6 total measures: 3 required core measures (substituting alternate core measures where necessary) and 3 additional measures



CQM: Core Set for EPs



CQM: Alternate Core Set for EPs



CQM: Additional Set for EPs

Diabetes: Hemoglobin A1c Poor Control

Diabetes: Low Density Lipoprotein (LDL) Management and Control

Diabetes: Blood Pressure Management

Heart Failure (HF): Angiotensin-Converting Enzyme (ACE) Inhibitor or Angiotensin Receptor Blocker (ARB) Therapy for Left Ventricular Systolic Dysfunction (LVSD)

Coronary Artery Disease (CAD): Beta-Blocker Therapy for CAD Patients with Prior Myocardial Infarction (MI)

Pneumonia Vaccination Status for Older Adults

Breast Cancer Screening

Colorectal Cancer Screening

Coronary Artery Disease (CAD): Oral Antiplatelet Therapy Prescribed for Patients with CAD

Heart Failure (HF): Beta-Blocker Therapy for Left Ventricular Systolic Dysfunction (LVSD)

Anti-depressant Medication Management: (a) Effective Acute Phase Treatment, (b) Effective Continuation Phase Treatment

Primary Open Angle Glaucoma (POAG): Optic Nerve Evaluation

Diabetic Retinopathy: Documentation of Presence or Absence of Macular Edema and Level of Severity of Retinopathy

Diabetic Retinopathy: Communication with the Physician Managing Ongoing Diabetes Care

Asthma Pharmacologic Therapy

Asthma Assessment

Appropriate Testing for Children with Pharyngitis

Oncology Breast Cancer: Hormonal Therapy for Stage IC-IIIC Estrogen Receptor/Progesterone Receptor (ER/PR) Positive Breast Cancer

Oncology Colon Cancer: Chemotherapy for Stage III Colon Cancer Patients



CQM: Additional Set for EPs, cont’d

Prostate Cancer: Avoidance of Overuse of Bone Scan for Staging Low Risk Prostate Cancer Patients

Smoking and Tobacco Use Cessation, Medical assistance: a) Advising Smokers and Tobacco Users to Quit, b) Discussing Smoking and Tobacco Use Cessation Medications, c) Discussing Smoking and Tobacco Use Cessation Strategies

Diabetes: Eye Exam

Diabetes: Urine Screening

Diabetes: Foot Exam

Coronary Artery Disease (CAD): Drug Therapy for Lowering LDL-Cholesterol

Heart Failure (HF): Warfarin Therapy Patients with Atrial Fibrillation

Ischemic Vascular Disease (IVD): Blood Pressure Management

Ischemic Vascular Disease (IVD): Use of Aspirin or Another Antithrombotic

Initiation and Engagement of Alcohol and Other Drug Dependence Treatment: a) Initiation, b) Engagement

Prenatal Care: Screening for Human Immunodeficiency Virus (HIV)

Prenatal Care: Anti-D Immune Globulin

Controlling High Blood Pressure

Cervical Cancer Screening

Chlamydia Screening for Women

Use of Appropriate Medications for Asthma

Low Back Pain: Use of Imaging Studies

Ischemic Vascular Disease (IVD): Complete Lipid Panel and LDL Control

Diabetes: Hemoglobin A1c Control (<8.0%)



CQM: Eligible Hospitals and CAHs

Emergency Department Throughput – admitted patients – Median time from ED arrival to ED departure for admitted patients

Emergency Department Throughput – admitted patients – Admission decision time to ED departure time for admitted patients

Ischemic stroke – Discharge on anti-thrombotics

Ischemic stroke – Anticoagulation for A-fib/flutter

Ischemic stroke – Thrombolytic therapy for patients arriving within 2 hours of symptom onset

Ischemic or hemorrhagic stroke – Antithrombotic therapy by day 2

Ischemic stroke – Discharge on statins

Ischemic or hemorrhagic stroke – Stroke education

Ischemic or hemorrhagic stroke – Rehabilitation assessment

VTE prophylaxis within 24 hours of arrival

Intensive Care Unit VTE prophylaxis

Anticoagulation overlap therapy

Platelet monitoring on unfractionated heparin

VTE discharge instructions

Incidence of potentially preventable VTE



Incentive payments for EPs

  • If the EP begins in:

    • 2011 = $44K

    • 2012 = $44K

    • 2013 = $39K

    • 2014 = $24K

  • If the EP (HPSA) begins in:

    • 2011 = $48.4K

    • 2012 = $48.4K

    • 2013 = $42.9K

    • 2014 = $26.4K


Incentive payments for EPs

  • If the Medicaid EP begins in:

    • 2011 = $63,750

    • 2012 = $63,750

    • 2013 = $63,750

    • 2014 = $63,750

    • 2015 = $63,750

    • 2016 = $63,750


Incentive payments for Hospitals

  • No payments after 2016.

  • Based on a formula:

    • ($2 million base + per-discharge amount, or $6,370,200 if > 23,000 discharges) × (Medicare/Medicaid share fraction)

    • There is no maximum incentive amount


Incentive payments for CAHs

  • The product of the reasonable costs incurred for the purchase of certified EHR technology and the CAH’s Medicare share percentage.


Milestone Timeline


Medicare/Medicaid Economic Incentives

  • Questions?


Additional Legal Issues to Consider with HIT Implementation

  • Implementation of HIT requires increased focus on privacy and security.

  • Why we reviewed the “latest and greatest” progress (or lack thereof) in the HITECH privacy and security rules.

  • Success with HIT implementation occurs only with successful privacy and security protections.


Additional Legal Issues to Consider with HIT Implementation

  • Review your policies/procedures for what is included in your “Legal Medical Record” to assure that the EHR product provides for legally required content:

    • Conditions of Participation

    • Licensing Regulations

    • Legally Required Reporting (ex: compliance with quality initiatives)

    • Documentation to support:

      • Continuing care

      • Billing and coding

      • Legal defense

      • Audit defense

    • The Joint Commission requirements


Additional Legal Issues to Consider with HIT Implementation

  • Require ongoing representations & warranties in agreements concerning the legal compliance obligations.


Additional Legal Issues to Consider with HIT Implementation

  • Take care to accurately document:

    • Watch out for software prompts that may cause the provider to document a service that was not done.

    • Watch “block and copy”

    • These documentation issues:

      • Create issues with patient safety in reliance on records for the provision of continuing care

      • Create issues with medical necessity

      • May create issues of allegations of fraud and abuse:

        • “[Reviewers] shall determine if patterns and/or trends exist in the medical record which may indicate potential fraud, waste or abuse” where “medical records tend to have obvious or nearly identical documentation . . .” CMS Pub. 100-8, Medicare Integrity Manual, Section 4.3(C).


Additional Legal Issues to Consider with HIT Implementation

  • Be aware of record retention and destruction requirements:

    • Review your policies/procedures to determine if they address both paper and EHRs.

  • Be aware of E-Discovery Issues:

    • Duty to preserve electronic evidence when you become aware of the threat of litigation

      • Know where your electronically stored information resides:

        • Servers

        • Database files

        • Word processing files

        • PCs, Laptops, Desktops

        • PDAs

        • Imaging systems

        • Other media: thumb drives, CDs, etc.


Additional Legal Issues to Consider with HIT Implementation

  • E-Discovery Continued:

    • Understand that the stakes are high:

      • Exclusion of evidence that may be helpful to your case.

      • Major monetary sanctions

    • Review policies/procedures for retention / destruction in the litigation and governmental investigation context.

    • Review administrative policies/procedures and legal compliance policies/procedures.


Additional Legal Issues to Consider with HIT Implementation

  • Be aware of Metadata, particularly as it pertains to how, when and by whom an entry was collected, created, accessed, or modified and how it is formatted, including data demographics as to size, location, storage requirements and media information.

    • Understand that metadata provides a vast amount of information about documentation which was not previously available.

    • Be prepared to address issues raised with metadata particularly in malpractice cases.


Additional Legal Issues to Consider with HIT Implementation

  • Be aware of liability caused by the application of technology.

  • E-Iatrogenesis*: patient harm caused, at least in part, by the application of health information technology.

    • *Weiner, J.P., et al., “e-Iatrogenesis”: The Most Critical Unintended Consequence of CPOE and other HIT, J. Am. Med. Inform. Ass’n, June 2007, at 14:387-388.

  • See the AHRQ website for a summary of patient safety issues with CPOE at http://psnet.ahrq.gov/primer.aspx?primerID=6


Additional Legal Issues to Consider with HIT Implementation

  • e-Iatrogenic errors occur with CPOE in “four major categories: (1) errors of commission, such as accessing the wrong patient’s record or overwriting one patient’s information with another’s; (2) errors of omission or transmission, such as the loss or corruption of vital patient data; (3) errors in data analysis, including medication dosing errors of several orders of magnitude; and (4) incompatibility between multi-vendor software applications and systems, which can lead to any of the above.”*

  • *Jeffrey Shuren, Director of FDA’s Center for Devices and Radiological Health, Testimony at the Health Information Technology Policy Committee Adoption/Certification Workgroup, (February 25, 2010).


Additional Legal Issues to Consider with HIT Implementation

  • Any of these types of errors can result in a negligence action against the hospital and providers.

  • Upshot:

    • Discuss whether the vendor has addressed these issues in the development of their product.

    • Focus on education and training.

    • Discuss with your general and professional malpractice carrier.


Additional Legal Issues to Consider with HIT Implementation

  • Reference The Joint Commission Sentinel Event Alert: December 11, 2008: Safely implementing health information and converging technologies

  • http://www.jointcommission.org/assets/1/18/SEA_42.PDF


PRACTICAL TIPS FOR EHR SYSTEM CONTRACTING
Mark L. Bender


Steps in the Process

  • Gap Analysis – understand existing capabilities and new capabilities needed

  • Requirements Specifications

  • Request for Proposal

  • Vendor Selection

  • Negotiate Financial Terms

  • Negotiate Contract

  • Sign Contract

  • Implementation

  • Go Live


Contracting Fundamentals

  • A Contract is not a substitute for choosing the right system and the right vendor

  • If it’s not in the contract, you won’t get it

  • If it’s not in writing, it’s not in the contract


You need a lawyer

  • IT personnel, accountants, and consultants are NOT lawyers

  • Get your lawyer involved early (not the day before the contract must be signed)

  • Controlling legal costs:

    • Don’t use your lawyer for tasks that can be performed just as well by an employee

    • Get regular updates on project status and fees


Relationship of new system to existing system

  • Are you adding an EHR module to an existing system of the same vendor?

    • Interoperability issues

    • interface issues

    • who’s responsible for what

  • Are you replacing an existing vendor?

    • What are your contractual rights and obligations related to your existing system?

    • conversion/transition rights

    • termination rights


The System is only as good as the Training...

  • Get the details of the vendor’s training program:

    • Curriculum and course materials

    • Modalities (classroom-based versus Web-based)

    • Where and when available

    • Number of trainees per class

    • Testing to measure effectiveness

    • Right to re-take a course if passing grade not attained

    • Availability of refresher courses


Should I buy or should I rent?

  • Traditional licensing model

  • Application Service Provider (ASP) model

  • Software as a Service (SaaS) model


The System is only as good as the Implementation

Have a plan:

  • Implementing a system without an implementation plan is like heading into the Outback without a map, GPS, and compass.

  • An implementation plan without milestones is like a battle plan without objectives.

  • Milestones without penalties are guns without bullets.


Deal Structural Models

  • Traditional software license

  • ASP/SaaS

    • Cost predictability

    • Less upfront investment, but may be more expensive over time

    • Security concerns

    • Data backups and access


Contract Structure

One or more agreements covering:

  • Hardware purchase (if any)

  • Software license

  • Hardware maintenance and support (if applicable)

  • Software maintenance and support

  • Hosting (if applicable)

  • Implementation services (if applicable)


Software License Terms

  • Authorized Entities – what entities in a corporate group are covered by the license?

    • Are new additions to the corporate group covered?

  • Authorized Users – who; how many; impact on license fees

  • Assignability

  • Other use restrictions


Software Maintenance and Support

  • Maintenance – what updates are free, what updates are billable

  • Support – how delivered; response times; bug handling

  • Service level commitments and credits


Hosting (if applicable)

  • Uptime

  • Security

  • Backups

  • Data ownership

  • Service level commitments and credits


Other Contract Topics/Provisions

  • Implementation services (e.g. requirements specification; customization; data conversion):

    • Need a plan; assign responsibilities; need a timeline and milestones; tie payments to milestone achievement; agree upon testing and acceptance.


Other Contract Topics/Provisions, continued

Warranties:

  • HITECH certification warranty – Office of the National Coordinator for Health Information Technology (ONC) sets the rules; the rules are applied by an Authorized Testing and Certification Body (ATCB) to certify EHR systems and modules; Certification Commission for Health Information Technology (CCHIT) is an ATCB

  • “Meaningful use” functionality warranty

  • HIPAA compliance warranty

  • Be sure the foregoing warranties include the obligation to stay current; no lapses permitted

  • Non-infringement warranty


  • Dispute resolution:

    • Arbitration versus litigation

    • Governing law

    • Place of adjudication

  • Assignability

  • Liability Limitations

  • Disaster Recovery

  • Force Majeure


QUESTIONS???

