hitech act
The Health Information Technology for Economic and Clinical Health Act (“HITECH Act”)
Nationwide health information technology (“HIT”) infrastructure that supports electronic health records and health information exchanges
M. Peter Adler, Pepper Hamilton LLP
Three Parts of the HITECH Act
1. Create standards, implementation specifications and certification criteria for HIT Infrastructure interoperability;
2. Implement the HIT Infrastructure and electronic health records (“EHRs”) through grants, loan funds, incentive programs, and information sharing; and
3. Encourage the use of the HIT Infrastructure by improving information privacy and security.
Standards, Implementation Specifications and Certification Criteria
Promoting HIT Infrastructure interoperability
Key Players: ONCHIT HHS
Codifies Office of the National Coordinator for Health Information Technology (“ONCHIT” or the “National Coordinator”)
utilization of certified EHRs for every person in the United States by 2014
Create a framework for exchanging ideas and obtaining participation from the public and individuals who are experts in the field of HIT.
National Institute of Standards and Technology (“NIST”) and other Federal agencies for technical guidance
Key Players: HIT Policy Committee and HIT Standards Committee
HIT Policy Committee: Recommends to ONCHIT a policy framework for the development, adoption, and use of a nationwide HIT infrastructure
HIT Standards Committee: Will oversee the development and pilot testing of standards, implementation specifications, and certification criteria for the HIT infrastructure and make recommendations on them to the National Coordinator.
American Health Information Community (AHIC) National eHealth Collaborative (NeHC) Policy/Standards Committees
Standards Setting
Secretary determines, within 90 days of receiving recommendations, whether or not to propose adoption of the measures
APA Rulemaking Procedures Apply
Law requires adoption of an initial set of standards and implementation specifications and certification criteria no later than December 31, 2009
[Figure: standards-setting process. Parties shown: Secretary HHS; ONCHIT; Policy Committee; Standards Committee; Public/Experts; Public/Technical Advisors; NIST/Fed Agencies; (Congress) House Committee Oversight. Step labels: Testing (NIST, Others); Certified; Endorsed Standards; 90 Days; Propose Adoption of Measures; Federal Register Notice (Interim Regulation); Comments.]
HIT Infrastructure and Electronic Health Records (“EHRs”) Implementation
Grants, Loan Funds, Incentive Programs, and Information Sharing
Incentives, Grants, Loans and Information Sharing
[Figure: implementation structure. Parties shown: Secretary HHS; ONCHIT; National HIT Research Center; three Regional HIT Extension Centers; HIT Users; (Congress) House Committee Oversight. Labels: Government Contracts; Loan Fund; State/Eligible Entity; Grants; Medicare.]
Medicare Incentives
Medicare incentive payments to physicians and hospitals that are “meaningful EHR users,” e.g., a physician (as defined under Medicare) that is not hospital-based, or a hospital that
1. demonstrates the use of certified EHR technology in a meaningful manner, such as electronic prescribing;
2. demonstrates that use of EHR technology is connected in a manner that provides for the electronic exchange of health information to improve the quality of care; and
3. submits information on clinical quality measures to HHS using the EHR technology.
Payments to Physicians can be up to $48,000. Those that drag their feet (adopting in year 2015 or later) will end up with zero reimbursement, and may actually lose money, in the form of penalties from the Centers for Medicare and Medicaid Services (CMS).
Grants to States or Qualified State-Designated Entity (QSDE)
A QSDE is designated by the state as eligible to receive awards under this Act; that is, an entity that:
is a not-for-profit entity with broad stakeholder representation on its governing board;
demonstrates that one of its principal goals is to use information technology to improve healthcare quality and efficiency through authorized and secure electronic exchange and use of health information;
adopts nondiscrimination and conflict of interest policies that demonstrate a commitment to open, fair, and nondiscriminatory participation by stakeholders; and
conforms to any other requirements established by the Secretary.
Grant Activities
Enhancing broad and varied participation in the authorized and secure nationwide electronic use and exchange of health information;
Identifying state or local resources available towards the nationwide effort to promote HIT;
Providing technical assistance to overcome barriers to the exchange of electronic health information;
Supporting public health agencies;
Promoting effective strategies to adopt HIT in medically underserved communities;
Encouraging clinicians to work with Regional Centers;
Promoting EHRs for quality improvement;
Complementing other Federal grants, programs and efforts towards the promotion of HIT;
Assisting patients in using HIT;
Other activities specified by the Secretary
Matching: 2010 (0%), 2011 (10%), 2012 (14%), 2013 (33%)
Loan Fund
“Eligible entity” is a state or Indian tribe that submits
an application,
a strategic plan
a list of the projects to be assisted through the Loan Fund;
a description of the criteria and methods established for the distribution of funds from the Loan Fund;
a description of the financial status of the Loan Fund as of the date of the submission of the plan; and
the short-term and long-term goals of the Loan Fund.
Loan Fund
Loans may be used by a healthcare provider to
facilitate the purchase of certified EHR technology;
enhance the utilization of certified EHR technology (which may include costs associated with upgrading health information technology so that it meets criteria necessary to be a certified EHR technology);
train personnel in the use of such technology; or
improve the secure electronic exchange of health information.
Matching: 20% of the amount from non-Federal contributions.
Federal Agencies - Contractors
Required to adopt and use standards as they implement, acquire or upgrade
President is to ensure federal activities involving the collection and submission of health information are consistent with such standards within three years of their adoption
Application and use of adopted standards will be voluntary for private entities, but a private healthcare provider, health plan, or health insurance issuer that contracts with the Federal government to use HIT systems is required to meet the standards adopted by the Secretary
Extension Centers
The Health Information Technology Research Center (“National Center”) will assist in the development and recognition of best practices to support and accelerate efforts to adopt, implement, and use HIT
Health Information Technology Regional Extension Centers (“Regional Centers”) will assist the National Center to disseminate information and provide healthcare providers with assistance with the implementation and use of HIT, including EHR
[Figure: ONCHIT; National HIT Research Center; three Regional HIT Extension Centers; HIT Users.]
Encouraging the Use of the HIT Infrastructure
Improving Information Privacy and Security
Improving Privacy and Security
Clarification and expansion of the definition of a “business associate”;
Increased business associate legal obligations;
Notification for breaches involving protected health information (PHI);
Special provisions for vendors of personal health records and other non-HIPAA covered entities; and
Enhancement of enforcement, funding for enforcement and increased penalties.
Clarification and Expansion of “Business Associate” Definition
Definition of “business associate” includes:
entities that provide data transmission services to a covered entity (or its business associate) if the service involves access to PHI on a routine basis, including:
a health information exchange organization,
a regional health information organization,
an E-prescribing Gateway, or
any vendor that contracts with the covered entity to allow the covered entity to offer a personal health record (PHR) to patients.
Increased Business Associate Legal Obligations
Business associates must comply with the same administrative, technical, and physical safeguards that a covered entity is required to comply with under the security rule.
Must also comply with the document requirements of the security rule (policies, procedures and other documents)
Business associates that violate the security and privacy provisions of HIPAA are subject to the same civil and criminal penalties as a covered entity
Each security and privacy requirement in the HITECH Act that is applicable to a covered entity is also applicable to a business associate and should be included in a business associate contract
Notification for Breaches of Protected Health Information (PHI)
Applies to business associates and covered entities that access, maintain, retain, modify, record, store, destroy, or otherwise hold, use, or disclose unsecured PHI.
A “breach of security” is an acquisition, access, use, or disclosure of unsecured PHI
Content and timing
Public/Private notification
EHR/PHR
An “EHR” is an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized healthcare clinicians and staff.
A “PHR” means an electronic record of “PHR identifiable health information” that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.
PHR identifiable health information means individually identifiable health information:
that is provided by or on behalf of the individual; and
that identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.
Notice of Breach Involving PHR-Related Entities and Other Non-HIPAA Covered Entities
Additional notice of breach provisions apply to “PHR-related entities” which are:
(i) vendors of PHRs;
(ii) entities that offer products or services through the website of a vendor of PHRs;
(iii) entities that are not covered entities and that offer products or services through the website of covered entities that offer individuals personal health records; and
(iv) entities that are not covered entities that access information in PHRs or send information to a PHR.
A “breach of security” is an acquisition of unsecured PHR identifiable health information of an individual in a PHR without the authorization of the individual.
Enhancement of Enforcement
Wrongful disclosure of individually identifiable information only if:
…a person (including an employee or other individual) shall be considered to have obtained or disclosed individually identifiable health information in violation of this part if the information is maintained by a covered entity... and the individual obtained or disclosed such information without authorization.
Willful Neglect
The HITECH Act includes civil investigation and action for noncompliance due to “willful neglect”
A formal investigation will be commenced whenever a preliminary investigation of the facts identifies that a possible violation is due to willful neglect
Penalty Tiers
Without Knowledge. When it is established a person did not know (and by exercising reasonable diligence would not have known)
Reasonable Cause. When it is established that the violation was due to a reasonable cause and not to willful neglect
Willful Neglect. When it is established that the violation was due to willful neglect
1. $100 for each violation, except that the total amount imposed on a person for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000.
2. $1,000 for each violation, … may not exceed $100,000.
3. $10,000 for each such violation … may not exceed $250,000.
4. $50,000 for each such violation … may not exceed $1.5 million.
Enforcement Funding
Any civil monetary penalty or monetary settlement collected with respect to a criminal or civil action brought under the HIPAA security and privacy provisions shall be transferred to the Office for Civil Rights of the HHS.
This money will be used for enforcing the privacy and security provisions of HIPAA.
The HITECH Act calls for a study by the GAO to determine the feasibility of distributing to victims of a violation a percentage of any collected civil monetary penalty or monetary settlement and the methodology to accomplish it.
Enforcement By State AG
Where there is reason to believe that an interest of one or more of the residents of that state has been or is threatened or adversely affected by any person who violates the provisions of HIPAA, the Attorney General of the State may bring a civil action on behalf of such residents of the state in a U.S. District Court.
Damages will be statutorily imposed.
The amount is calculated by multiplying the number of violations by up to $100.
The total amount of damages imposed on the person for violations of all identical requirements or prohibition during a calendar year shall not exceed $25,000.
The court may also award the Attorney General reasonable costs for bringing the action and attorney’s fees.
Other Provisions
Restrictions on certain disclosures. Individuals will have the right to prohibit the disclosure of PHI to a health plan for items or services that the individual paid for in full out-of-pocket.
Minimum Necessary Rule. New regulations will be released clarifying the “minimum necessary” PHI that may be disclosed in limited data sets and for other purposes.
Restrictions on sales of EHRs or PHI. Covered entities and business associates may not sell PHI and EHRs, except in limited circumstances, unless the individual authorizes the sale.
Accounting of certain PHI disclosures required if covered entity uses an EHR. Covered entities must provide accounting for disclosure of PHI to carry out treatment, payment, and healthcare operations when the PHI is in an EHR.
Access to Certain Information In Electronic Format. An individual has a right to obtain from the covered entity a copy of his or her information in an electronic format.
Conditions on certain communications as part of healthcare operations. Limits the healthcare operations exception for communications when the covered entity receives remuneration for the communication except in limited circumstances.
Thank you!
M. Peter Adler
Attorney at Law
202.220.1278 Mobile 202.251.7600 Direct Fax
Hamilton Square
600 Fourteenth Street, N.W.
Washington DC 20005-2004
202.220.1200
Fax 202.220.1665
www.pepperlaw.com