hitech act

The Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) Nationwide health information technology (“HIT”) infrastructure that supports electronic health records and health information exchanges M. Peter Adler, Pepper Hamilton LLP

Upload: padler01

Post on 14-Dec-2014


Page 1: hitech act

The Health Information Technology for Economic and Clinical Health Act (“HITECH Act”)

Nationwide health information technology (“HIT”) infrastructure that supports electronic health records and health information exchanges

M. Peter Adler, Pepper Hamilton LLP

Page 2: hitech act

Three Parts of the HITECH Act

1. Create standards, implementation specifications and certification criteria for HIT Infrastructure interoperability;

2. Implement the HIT Infrastructure and electronic health records (“EHRs”) through grants, loan funds, incentive programs, and information sharing; and

3. Encourage the use of the HIT Infrastructure by improving information privacy and security.

Page 3: hitech act

Standards, Implementation Specifications and Certification Criteria

Promoting HIT Infrastructure interoperability

Page 4: hitech act

Key Players: ONCHIT HHS

Codifies Office of the National Coordinator for Health Information Technology (“ONCHIT” or the “National Coordinator”)

Utilization of certified EHRs for every person in the United States by 2014

Create a framework for exchanging ideas and obtaining participation from the public and individuals who are experts in the field of HIT.

National Institute of Standards and Technology (“NIST”) and other Federal agencies for technical guidance

Page 5: hitech act

Key Players: HIT Policy Committee and HIT Standards Committee

HIT Policy Committee: Recommends to ONCHIT a policy framework for the development, adoption, and use of a nationwide HIT infrastructure

HIT Standards Committee: Will oversee the development and pilot testing of standards, implementation specifications, and certification criteria for the HIT infrastructure and make recommendations on them to the National Coordinator.

American Health Information Community (AHIC) National eHealth Collaborative (NeHC) Policy/Standards Committees

Page 6: hitech act

Standards Setting

Secretary determines, within 90 days of receiving recommendations, whether or not to propose adoption of the measures

APA Rulemaking Procedures Apply

Law requires adoption of an initial set of standards and implementation specifications and certification criteria no later than December 31, 2009

[Diagram: standards-setting process. Labels: Secretary HHS; ONCHIT; Policy Committee; Standards Committee; Public/Experts; Public/Technical Advisors; NIST/Fed Agencies; (Congress) House Committee Oversight; Testing (NIST, Others); Certified; Endorsed Standards; 90 Days; Propose Adoption of Measures; Federal Register Notice (Interim Regulation); Comments]

Page 7: hitech act

HIT Infrastructure and Electronic Health Records (“EHRs”) Implementation

Grants, Loan Funds, Incentive Programs, and Information Sharing

Page 8: hitech act

Incentives, Grants, Loans and Information Sharing

[Diagram: funding and information-sharing structure. Labels: Secretary HHS; ONCHIT; National HIT Research Center; Regional HIT Extension Center (three); HIT Users (three); (Congress) House Committee Oversight; Government Contracts; Loan Fund; State/Eligible Entity; Grants; Medicare]

Page 9: hitech act

Medicare Incentives

Medicare incentive payments to physicians and hospitals that are “meaningful EHR users,” e.g., a physician (as defined under Medicare) that is not hospital-based, or a hospital that

1. demonstrates the use of certified EHR technology in a meaningful manner, such as electronic prescribing;

2. demonstrates that use of EHR technology is connected in a manner that provides for the electronic exchange of health information to improve the quality of care; and

3. submits information on clinical quality measures to HHS using the EHR technology.

Payments to physicians can be up to $48,000. Those that drag their feet (adopting in year 2015 or later) will end up with zero reimbursement, and may actually lose money, in the form of penalties from the Centers for Medicare and Medicaid Services (CMS).

Page 10: hitech act

Grants to States or Qualified State-Designated Entity (QSDE)

A QSDE is an entity that:

is designated by the state as eligible to receive awards under this Act;

is a not-for-profit entity with broad stakeholder representation on its governing board;

demonstrates that one of its principal goals is to use information technology to improve healthcare quality and efficiency through authorized and secure electronic exchange and use of health information;

adopts nondiscrimination and conflict of interest policies that demonstrate a commitment to open, fair, and nondiscriminatory participation by stakeholders; and

conforms to any other requirements established by the Secretary.

Page 11: hitech act

Grant Activities

Enhancing broad and varied participation in the authorized and secure nationwide electronic use and exchange of health information;

Identifying state or local resources available towards the nationwide effort to promote HIT;

Providing technical assistance to overcome barriers to the exchange of electronic health information;

Supporting public health agencies;

Promoting effective strategies to adopt HIT in medically underserved communities;

Encouraging clinicians to work with Regional Centers;

Promoting EHRs for quality improvement;

Complementing other Federal grants, programs and efforts towards the promotion of HIT;

Assisting patients in using HIT;

Other activities specified by the Secretary

Matching: 2010 (0%), 2011 (10%), 2012 (14%), 2013 (33%)

Page 12: hitech act

Loan Fund

“Eligible entity” is a state or Indian tribe that submits an application, a strategic plan

a list of the projects to be assisted through the Loan Fund;

a description of the criteria and methods established for the distribution of funds from the Loan Fund;

a description of the financial status of the Loan Fund as of the date of the submission of the plan; and

the short-term and long-term goals of the Loan Fund.

Page 13: hitech act

Loan Fund

Loans may be used by a healthcare provider to

facilitate the purchase of certified EHR technology;

enhance the utilization of certified EHR technology (which may include costs associated with upgrading health information technology so that it meets criteria necessary to be a certified EHR technology);

train personnel in the use of such technology; or

improve the secure electronic exchange of health information.

Matching: 20% of the amount from non-Federal contributions.

Page 14: hitech act

Federal Agencies - Contractors

Required to adopt and use standards as they implement, acquire or upgrade

President is to ensure federal activities involving the collection and submission of health information are consistent with such standards within three years of their adoption

Application and use of adopted standards will be voluntary for private entities, but a private healthcare provider, health plan, or health insurance issuer that contracts with the Federal government to use HIT systems is required to meet the standards adopted by the Secretary

Page 15: hitech act

Extension Centers

The Health Information Technology Research Center (“National Center”) will assist in the development and recognition of best practices to support and accelerate efforts to adopt, implement, and use HIT

Health Information Technology Regional Extension Centers ("Regional Centers") will assist the National Center to disseminate information and provide healthcare providers with assistance with the implementation and use of HIT, including EHR

[Diagram: ONCHIT; National HIT Research Center; Regional HIT Extension Center (three); HIT Users (three)]

Page 16: hitech act

Encouraging the Use of the HIT Infrastructure

Improving Information Privacy and Security

Page 17: hitech act

Improving Privacy and Security

Clarification and expansion of the definition of a “business associate”;

Increased business associate legal obligations;

Notification for breaches involving protected health information (PHI);

Special provisions for vendors of personal health records and other non-HIPAA covered entities; and

Enhancement of enforcement, funding for enforcement and increased penalties.

Page 18: hitech act

Clarification and Expansion of “Business Associate” Definition

Definition of “business associate” includes:

entities that provide data transmission services to a covered entity (or its business associate) if the service involves access to PHI on a routine basis, including:

a health information exchange organization,

a regional health information organization,

an E-prescribing Gateway, or

any vendor that contracts with the covered entity to allow the covered entity to offer a personal health record (PHR) to patients.

Page 19: hitech act

Increased Business Associate Legal Obligations

A business associate must comply with the same administrative, technical, and physical safeguards that a covered entity is required to comply with under the security rule.

Must also comply with the document requirements of the security rule (policies, procedures and other documents)

Business associates that violate the security and privacy provisions of HIPAA are subject to the same civil and criminal penalties as a covered entity

Each security and privacy requirement in the HITECH Act that is applicable to a covered entity is also applicable to a business associate and should be included in a business associate contract

Page 20: hitech act

Notification for Breaches of Protected Health Information (PHI)

Applies to business associates and covered entities that access, maintain, retain, modify, record, store, destroy, or otherwise hold, use, or disclose unsecured PHI.

A “breach of security” is an acquisition, access, use, or disclosure of unsecured PHI

Content and timing

Public/Private notification

Page 21: hitech act

EHR/PHR

An “EHR” is an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized healthcare clinicians and staff.

A “PHR” means an electronic record of “PHR identifiable health information” that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.

PHR identifiable health information means individually identifiable health information:

that is provided by or on behalf of the individual; and

that identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.

Page 22: hitech act

Notice of Breach Involving PHR-Related Entities and Other Non-HIPAA Covered Entities

Additional notice of breach provisions apply to “PHR-related entities” which are:

(i) vendors of PHRs;

(ii) entities that offer products or services through the website of a vendor of PHRs;

(iii) entities that are not covered entities and that offer products or services through the website of covered entities that offer individuals personal health records; and

(iv) entities that are not covered entities that access information in PHRs or send information to a PHR.

A “breach of security” is an acquisition of unsecured PHR identifiable health information of an individual in a PHR without the authorization of the individual.

Page 23: hitech act

Enhancement of Enforcement

Wrongful disclosure of individually identifiable information only if:

…a person (including an employee or other individual) shall be considered to have obtained or disclosed individually identifiable health information in violation of this part if the information is maintained by a covered entity... and the individual obtained or disclosed such information without authorization.

Page 24: hitech act

Willful Neglect

The HITECH Act includes civil investigation and action for noncompliance due to “willful neglect”

A formal investigation will be commenced whenever a preliminary investigation of the facts identifies that a possible violation is due to willful neglect

Page 25: hitech act

Penalty Tiers

Without Knowledge. When it is established a person did not know (and by exercising reasonable diligence would not have known)

Reasonable Cause. When it is established that the violation was due to a reasonable cause and not to willful neglect

Willful Neglect. When it is established that the violation was due to willful neglect

1. $100 for each violation, except that the total amount imposed on a person for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000.

2. $1,000 for each violation, … may not exceed $100,000.

3. $10,000 for each such violation … may not exceed $250,000.

4. $50,000 for each such violation … may not exceed $1.5 million.

Page 26: hitech act

Enforcement Funding

Any civil monetary penalty or monetary settlement collected with respect to a criminal or civil action brought under the HIPAA security and privacy provisions shall be transferred to the Office for Civil Rights of the HHS.

This money will be used for enforcing the privacy and security provisions of HIPAA.

The HITECH Act calls for a study by the GAO to determine the feasibility of distributing to victims of a violation a percentage of any collected civil monetary penalty or monetary settlement and a methodology to accomplish it.

Page 27: hitech act

Enforcement By State AG

Where there is reason to believe that an interest of one or more of the residents of that state has been or is threatened or adversely affected by any person who violates the provisions of HIPAA, the Attorney General of the State may bring a civil action on behalf of such residents of the state in a U.S. District Court. Damages will be statutorily imposed.

The amount is calculated by multiplying the number of violations by up to $100.

The total amount of damages imposed on the person for violations of all identical requirements or prohibition during a calendar year shall not exceed $25,000.

The court may also award the Attorney General reasonable costs for bringing the action and attorney’s fees.

Page 28: hitech act

Other Provisions

Restrictions on certain disclosures. Individuals will have the right to prohibit the disclosure of PHI to a health plan for items or services that the individual paid for in full out-of-pocket.

Minimum Necessary Rule. New regulations will be released clarifying the “minimum necessary” PHI that may be disclosed in limited data sets and for other purposes.

Restrictions on sales of EHRs or PHI. Covered entities and business associates may not sell PHI and EHRs, except in limited circumstances, unless the individual authorizes the sale.

Accounting of certain PHI disclosures required if covered entity uses an EHR. Covered entities must provide accounting for disclosure of PHI to carry out treatment, payment, and healthcare operations when the PHI is in an EHR.

Access to Certain Information In Electronic Format. An individual has a right to obtain from the covered entity a copy of his or her information in an electronic format.

Conditions on certain communications as part of healthcare operations. Limits the healthcare operations exception for communications when the covered entity receives remuneration for the communication except in limited circumstances.

Page 29: hitech act

Thank you!

M. Peter Adler, Attorney at Law

202.220.1278; Mobile 202.251.7600; Direct Fax [email protected]

Hamilton Square, 600 Fourteenth Street, N.W., Washington DC 20005-2004; 202.220.1200; Fax 202.220.1665; www.pepperlaw.com