
HITECH Health Reform: Health IT Funding, HIPAA 2.0, and the Impact of the HITECH Act

HITECH Health Reform: Health IT Funding, HIPAA 2.0, and the Impact of the HITECH Act. David G. Schoolcraft Ogden Murphy Wallace, PLLC dschoolcraft@omwlaw.com. Presentation Outline. Part I – Overview of the HITECH Act Part II – HIPAA 2.0


Presentation Transcript


  1. HITECH Health Reform: Health IT Funding, HIPAA 2.0, and the Impact of the HITECH Act David G. Schoolcraft Ogden Murphy Wallace, PLLC dschoolcraft@omwlaw.com

  2. Presentation Outline • Part I – Overview of the HITECH Act • Part II – HIPAA 2.0 • Breach Notification Rule - Effective September 23, 2009 • Business Associate Agreements • Penalties & Enforcement • Timeline and Additional Privacy Requirements • Part III – Health IT Funding • Billions in federal stimulus funding • Complex payment methodologies for healthcare providers • Open issues regarding “meaningful use” and “certified electronic health record technology”

  3. Part I - HITECH Act Overview *Health Information Technology for Economic and Clinical Health Act

  4. The Policy Picture Peter Orszag, Director OMB “The US must move towards a higher-quality, lower-cost system in which best practices are universal…The administration has therefore put forward initiatives such as health IT…”

  5. Part II - HIPAA 2.0 New Compliance Obligations and More Regulations to Come

  6. HIPAA Breach Notification Rule “A covered entity shall, following discovery of a breach of unsecured protected health information, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been accessed, acquired, used, or disclosed as a result of such breach.” - 45 CFR §164.404(a)(1)

  7. A. Is There a Breach?

  8. Significant Risk of Harm • Harm Threshold • Incident must impose a “significant risk of financial, reputational or other harm to the individual.” • Fact Specific Analysis • What is the nature of the information? • To whom was the information disclosed? • Mitigation efforts matter

  9. B. Was PHI “unsecured”? • Was data “unusable, unreadable, or indecipherable to unauthorized individuals”? • Safe Harbor Standards: • National Institute of Standards and Technology (NIST) publications: • 800-111 (Encryption) • 800-52 (Transport Layer Security) • 800-77 and 800-113 (VPNs) • 800-88 (Guidelines for Media Sanitization) • NIST publications available at www.csrc.nist.gov

  10. Timeliness of Notice • 60 day shot-clock from date of discovery • Without “unreasonable delay” • Failure to provide notification within 60 days may lead to violation [Timeline figure: Laptop is stolen; Stolen laptop becomes known to CE; Notification Deadline; dates marked Oct. 1st, Oct. 3rd, Nov. 1st, Dec. 2nd; 60 days]

  11. Timeliness of Notice • What if a business associate is involved? • Failure to provide notification within 60 days may lead to violation [Timeline figure: Laptop is stolen from BA; Stolen laptop becomes known to BA; BA notifies CE; Notification Deadline (if BA is agent); Notification Deadline (if BA is independent contractor); dates marked Oct. 1st, Oct. 3rd, Nov. 1st, Dec. 2nd, Dec. 30th; two 60-day intervals]

  12. Content of Notice to Individuals • Brief description of what happened • Date of breach • Date of discovery of breach • Description of the types of PHI disclosed • Steps individual should take to protect him/herself • Description of what covered entity is doing to: • Investigate breach • Mitigate harm to individuals - i.e. provide fraud insurance, suggest that individual contact credit bureau or credit card company • Protect from further breaches • Contact procedures: toll-free number, website or postal address

  13. Additional Notice Recipients • Media Notice - Required if Over 500 Individuals • Supplemental to written notice; must still provide individual notice • Prominent media outlets serving a state or jurisdiction • Contains the same content as written notice • Notice to HHS • Over 500 individuals - notice required within 60 days • Less than 500 then CE maintains a log and reports all breaches within 60 days after calendar year using HHS form

  14. HIPAA Breach Notification Rule Administrative Requirements • Implementation of Policies & Procedures • Train workforce members • Risk assessment regarding “unsecured” data • Maintenance of breach log for reporting to HHS • Effective September 23, 2009 but HHS to exercise enforcement discretion to February 22, 2010

  15. Business Associates • Application of certain HIPAA Security Standards • Administrative Safeguards • Physical Safeguards • Technical Safeguards • Documentation Requirements • Application of certain HIPAA Privacy Standards • 45 CFR Section 164.504(e) and new HITECH provisions • Subject to same civil and criminal penalties as covered entities

  16. Business Associate Agreements • Must Business Associate Agreements be modified? • Ambiguous terms in HITECH Act: • “The additional requirements of this title that relate to security and that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporated into the business associate agreement between the business associate and the covered entity.” - Sec. 13401; parallel provision at Sec. 13404 for privacy standards • HHS: Guidance to be issued this Fall

  17. Business Associate Agreements: Next Steps • Update forms and new agreements to include HITECH Act requirements for business associates under Section 13401(a) and 13404(a) of the Act • Revise notification requirements in light of new breach notification rules • Consider indemnity provisions related to costs of breach notification caused by business associate • Monitor HHS guidance and implement any additional changes for new (and potentially existing) business associate arrangements

  18. Penalties and Enforcement • Expansion of criminal and civil penalties • Tiered penalties depending on the nature of the violation • Periodic audits by HHS • State Attorney General may bring civil actions provided no federal action pending • Victims may receive percentage of civil penalties (starting in 2012)

  19. HIPAA 2.0 Timeline

  20. Part III Health IT Funding

  21. Scope of Health IT Funding In billions of dollars *Estimated, includes incentive payments

  22. Appropriated Funds Additional funds available for Workforce Training Grants and New Technology Research & Development Grants Contact: Washington State Health Care Authority

  23. Incentive Funds Incentive payments decrease starting in 2013 Penalties (lower reimbursements) starting in 2015

  24. Medicare Incentive Payments for Physicians

  25. Medicare Incentive Payments for Physicians • Hospitals may be able to collect incentive payments for certain employed physicians, but note that “hospital-based” physicians are excluded

  26. Scope of Incentive Funds – Example Estimates based on certain factual assumptions. Subject to revision under final HHS regulations. • Washington Grace Hospital = 80 beds • 4 Employed Physicians – Medicare ($44,000)

  27. “Meaningful Use” • Demonstrate to the “satisfaction of the Secretary” use of certified EHR in a meaningful manner • Certified EHR technology must be connected to provide for the electronic exchange of health information to improve the quality of care • Hospitals to submit information on clinical quality and other measures as selected by the Secretary

  28. “Meaningful Use”- Policy Process

  29. “Meaningful Use” – Timeline [Timeline figure, “Phased HIT-Enabled Health Reform”, years marked 2009, 2011, 2013, 2015: HITECH Policies; HHS to define terms and issue regulations; Capture/Share Data; Incentive Payments; Advanced care processes with decision support; Improved Outcomes; Penalties]

  30. “Certified EHR Technology” • Proposed Definition of HHS Certification • HHS Certification means that a system is able to achieve the minimum government requirements for security, privacy, and interoperability, and that the system is able to produce the Meaningful Use results that the government expects. • HHS Certification is not intended to be viewed as a “seal of approval” or an indication of the benefits of one system over another. • December 31, 2009 deadline for initial standards, implementation specs and certification criteria

  31. Technology Transaction Review • Careful review of information technology transactions – from due diligence during system selection through contracting • Ensure that all information technology transactions are HITECH ready • Vendor/service provider commitment regarding data security and accounting of disclosure requirements • Updated Business Associate Agreement • Functionality necessary to obtain or maintain “certified EHR” status and to facilitate “meaningful use”

  32. Additional Resources • HHS and the Office of the National Coordinator for Health Information Technology (ONCHIT) for development of standards for “certified EHRs” and “meaningful use” http://healthit.hhs.gov/ • Washington State Health Care Authority regarding grants and other “appropriated funds” http://www.hca.wa.gov/arra.html

  33. Questions? David G. Schoolcraft dschoolcraft@omwlaw.com 206.447.7211 Health Law Blog: www.omwhealthlaw.com

  34. APPENDIX

  35. Breach Definition Statutory Exceptions • HITECH Act contains additional statutory exceptions to definition of “breach”. • Unintentional use or disclosure to workforce member if use or disclosure was made in good faith and did not result in further use or disclosure • Inadvertent disclosure from an individual authorized to access the records to another similarly situated individual • Unauthorized person could not have reasonably retained the information. • Limited data set excluding Date of Birth and Zip Codes

  36. Increased Civil Penalties HHS shall base the penalty determination on the nature & extent of the violation and the nature & extent of the resulting harm. Effective for all violations after Feb. 17, 2009

  37. Medicare Funds - Formulas & Key Factors • Hospitals: ($2 MM + $200 (Discharges 1,150th - 23,000th)) * Medicare Share (%) * Transition Factor • Total Discharges • Medicare Inpatient Days • Charity Care • Critical Access Hospitals: 101% * Reasonable Cost of EHR System * (Medicare Share % + 20%) • Costs of EHR System • Medicare Inpatient Days • Charity Care [Figure labels on each list: Medicare Share]

  38. Medicare Incentive Payments – CAH Example • Washington Grace CAH – 25 beds • Medicare Share 75% + 20% = 95% (20% increase for CAH) • Assumes costs remain the same over all four years • Total $1,348,242 *Estimate based upon existing statute in advance of HHS rule making.

  39. Medicaid Incentive Payments for Physicians • 85% of the “net average allowable costs” • Capped at $25,000 in year 1 • Capped at $10,000 for years 2-6 • Pediatrician incentive reduced by 2/3rds unless Medicaid patient volume is 30%+ • No initial payments after 2016 • No subsequent payments after 2021 • Eligible Professional: 85% * $25,000 + 85% * $50,000 = $63,750 • Pediatrician (20-29% Medicaid): 85% * $25,000 * (2/3) + 85% * $50,000 * (2/3) = $42,500

  40. Medicaid Incentive Payments for Hospitals • 10% of “Patient Volume” on Medical Assistance • To be defined by Secretary of HHS • Inpatient vs. outpatient volumes • States allocate the money • Year 1 – Demonstrate efforts to adopt, implement or upgrade EHR system • Years 2-6 – Demonstrate “meaningful use”
