HITECH Health Reform: Health IT Funding, HIPAA 2.0, and the Impact of the HITECH Act
David G. Schoolcraft, Ogden Murphy Wallace, PLLC
Presentation Outline
Part I – Overview of the HITECH Act
Part II – HIPAA 2.0
◦ Breach Notification Rule - Effective September 23, 2009
◦ Business Associate Agreements
◦ Penalties & Enforcement
◦ Timeline and Additional Privacy Requirements
Part III – Health IT Funding
◦ Billions in federal stimulus funding
◦ Complex payment methodologies for healthcare providers
◦ Open issues regarding “meaningful use” and “certified electronic health record technology”
Part I - HITECH Act Overview
ARRA
◦ HITECH* Act
  ◦ Funding for Health IT
  ◦ HIPAA 2.0
  ◦ Health IT Bureaucracy
*Health Information Technology for Economic and Clinical Health Act
The Policy Picture
Peter Orszag, Director OMB:
“The US must move towards a higher-quality, lower-cost system in which best practices are universal… The administration has therefore put forward initiatives such as health IT…”
Part II - HIPAA 2.0
New Compliance Obligations and More Regulations to Come
HIPAA Breach Notification Rule
“A covered entity shall, following discovery of a breach of unsecured protected health information, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of such breach.”
- 45 CFR §164.404(a)(1)
A. Is There a Breach?
1. Violation of the Privacy Rule
2. Significant Risk of Harm
Significant Risk of Harm
Harm Threshold
◦ Incident must impose a “significant risk of financial, reputational or other harm to the individual.”
Fact Specific Analysis
◦ What is the nature of the information?
◦ To whom was the information disclosed?
◦ Mitigation efforts matter
B. Was PHI “unsecured”?
Was data “unusable, unreadable, or indecipherable to unauthorized individuals”?
Safe Harbor Standards:
◦ National Institute of Standards and Technology (NIST) publications: 800-111 (Encryption), 800-52 (Transport Layer Security), 800-77 and 800-113 (VPNs), 800-88 (Guidelines for Media Sanitization)
◦ NIST publications available at www.csrc.nist.gov
Timeliness of Notice
60 day shot-clock from date of discovery
Without “unreasonable delay”
Oct. 1st – Laptop is stolen
Oct. 3rd – Stolen laptop becomes known to CE
Dec. 2nd – Notification Deadline (60 days from discovery)
Failure to provide notification within 60 days may lead to violation
Timeliness of Notice – What if a business associate is involved?
Oct. 1st – Laptop is stolen from BA
Oct. 3rd – Stolen laptop becomes known to BA
Nov. 1st – BA notifies CE
Dec. 2nd – Notification Deadline if BA is agent (60 days from BA’s discovery)
Dec. 30th – Notification Deadline if BA is independent contractor (60 days from BA’s notice to CE)
Failure to provide notification within 60 days may lead to violation
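As an added example, not part of the presentation: a small Python tracker for the notification clocks on the two timeline slides above and on the “Additional Notice Recipients” slide that follows. The scenario dates (laptop stolen Oct. 1, 2009; discovered Oct. 3; BA notifies the CE Nov. 1) are the slides’; the function names, and the modelling that an agent’s discovery is imputed to the covered entity while an independent contractor’s clock starts at its notice to the CE, are the example’s own reading of the two deadlines drawn on the slide. Counting 60 calendar days from Nov. 1 lands on Dec. 31, one day later than the Dec. 30 marked on the slide; an incident-response team should work to the earlier date. The HHS clock for a breach affecting fewer than 500 individuals is modelled as 60 days after the end of the calendar year of discovery.

```python
from datetime import date, timedelta

# Added example, not from the presentation: a deadline tracker for the HIPAA
# Breach Notification Rule timelines on the slides. Dates may be given as
# datetime.date objects or as "YYYY-MM-DD" strings.

NOTIFICATION_WINDOW = timedelta(days=60)  # outer limit; notice is also due "without unreasonable delay"
LARGE_BREACH = 500                        # individual count at which media and HHS obligations change


def _as_date(value):
    """Accept a date or an ISO "YYYY-MM-DD" string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def ce_discovery_date(ba_discovery, ba_notice_to_ce, ba_is_agent):
    """Date on which the covered entity is treated as having discovered the breach.

    Modelling assumption taken from the slide's two deadlines: when the business
    associate acts as the CE's agent, the BA's knowledge is imputed to the CE, so
    the clock starts at the BA's discovery; when the BA is an independent
    contractor, the clock starts when the BA notifies the CE.
    """
    return _as_date(ba_discovery) if ba_is_agent else _as_date(ba_notice_to_ce)


def individual_notice_deadline(discovery):
    """Last day of the 60-day shot-clock for notice to affected individuals."""
    return _as_date(discovery) + NOTIFICATION_WINDOW


def media_notice_required(individuals_affected):
    """Media notice to prominent outlets is required for more than 500 individuals."""
    return individuals_affected > LARGE_BREACH


def hhs_notice_deadline(discovery, individuals_affected):
    """Large breaches go to HHS on the same 60-day clock; smaller ones are logged and
    reported within 60 days after the end of the calendar year. The rule text
    (45 CFR 164.408) draws the line at 500 or more individuals; the slide says "over 500".
    """
    discovery = _as_date(discovery)
    if individuals_affected >= LARGE_BREACH:
        return discovery + NOTIFICATION_WINDOW
    return date(discovery.year, 12, 31) + NOTIFICATION_WINDOW


def days_remaining(discovery, today):
    """Days left on the individual-notice clock; negative means the deadline has passed."""
    return (individual_notice_deadline(discovery) - _as_date(today)).days


def breach_timeline(discovery, individuals_affected):
    """Case-file summary of every clock started by one discovery date."""
    return {
        "discovery": _as_date(discovery).isoformat(),
        "individual_notice_by": individual_notice_deadline(discovery).isoformat(),
        "media_notice": media_notice_required(individuals_affected),
        "hhs_notice_by": hhs_notice_deadline(discovery, individuals_affected).isoformat(),
    }


if __name__ == "__main__":
    # Slide scenario: laptop stolen Oct. 1, 2009; the CE learns of it Oct. 3.
    print(breach_timeline("2009-10-03", individuals_affected=120))
    # BA scenario: the BA learns of the theft Oct. 3 and tells the CE Nov. 1.
    for agent in (True, False):
        start = ce_discovery_date("2009-10-03", "2009-11-01", ba_is_agent=agent)
        print("agent" if agent else "independent contractor", individual_notice_deadline(start))
```

The 60-day figure is the outer limit, not the target: the rule also requires notice without unreasonable delay, so the tracker is a backstop for the investigation, not a schedule for it.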
Content of Notice to Individuals
Brief description of what happened
◦ Date of breach
◦ Date of discovery of breach
Description of the types of PHI disclosed
Steps individual should take to protect him/herself
Description of what covered entity is doing to:
◦ Investigate breach
◦ Mitigate harm to individuals - i.e. provide fraud insurance, suggest that individual contact credit bureau or credit card company
◦ Protect from further breaches
Contact procedures - toll free number, website or postal address
Additional Notice Recipients
Media Notice - Required if Over 500 Individuals
◦ Supplemental to written notice; must still provide individual notice
◦ Prominent media outlets serving a state or jurisdiction
◦ Contains the same content as written notice
Notice to HHS
◦ Over 500 individuals - notice required within 60 days
◦ Fewer than 500 - CE maintains a log and reports all breaches within 60 days after calendar year using HHS form
HIPAA Breach Notification Rule Administrative Requirements
Implementation of Policies & Procedures
Train workforce members
Risk assessment regarding “unsecured” data
Maintenance of breach log for reporting to HHS
Effective September 23, 2009, but HHS to exercise enforcement discretion to February 22, 2010
Business Associates
Application of certain HIPAA Security Standards
◦ Administrative Safeguards
◦ Physical Safeguards
◦ Technical Safeguards
◦ Documentation Requirements
Application of certain HIPAA Privacy Standards
◦ 45 CFR Section 164.504(e) and new HITECH provisions
Subject to same civil and criminal penalties as covered entities
Business Associate Agreements
Must Business Associate Agreements be modified?
Ambiguous terms in HITECH Act:
◦ “The additional requirements of this title that relate to security and that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporated into the business associate agreement between the business associate and the covered entity.” - Sec. 13401; parallel provision at Sec. 13404 for privacy standards
HHS: Guidance to be issued this Fall
Business Associate Agreements: Next Steps
Update forms and new agreements to include HITECH Act requirements for business associates under Sections 13401(a) and 13404(a) of the Act
Revise notification requirements in light of new breach notification rules
Consider indemnity provisions related to costs of breach notification caused by business associate
Monitor HHS guidance and implement any additional changes for new (and potentially existing) business associate arrangements
Penalties and Enforcement
Expansion of criminal and civil penalties
Tiered penalties depending on the nature of the violation
Periodic audits by HHS
State Attorney General may bring civil actions provided no federal action pending
Victims may receive percentage of civil penalties (starting in 2012)
HIPAA 2.0 Timeline
Feb. 2009 – Increased penalties; Enforcement by State Attorney General
Sept. 2009 – Data Breach Notification Requirements
Fall 2009 – HHS Issues Guidance Regarding Business Associate Agreements
Feb. 2010 – New Rules for Business Associates; Revised Marketing and Fundraising Rules
June 2010 – HHS to Issue Regulations for Accounting of Disclosures
Jan. 2011 – Accounting of Disclosures for adopters of EHR after 1/1/2009
Jan. 2014 – Accounting of Disclosures for EHR adopters before 1/1/2009
Part III - Health IT Funding
Scope of Health IT Funding (in billions of dollars)
2004-2008: $0.68
2009-2015*: $50.39
*Estimated, includes incentive payments
Appropriated Funds
HIE Planning & Development – Planning Grants, Implementation Grants (State Designated Entity, States)
EHR Adoption Loan Program – Loan Funds (Indian Tribes, Health Care Providers)
Health IT Extension Program – Regional Extension Centers, Health IT Research Center (Nonprofits, Least Advantaged Providers)
Additional funds available for Workforce Training Grants and New Technology Research & Development Grants
Contact: Washington State Health Care Authority
Incentive Funds
Medicare Payment Incentives – Incentive Payments through Carriers
◦ Hospitals
◦ Physicians – Medicare up to $44,000
Medicaid Payment Incentives (10%+ of Patients) – Incentive Payments through State Agencies
◦ Physicians – Medicaid up to $63,750
◦ Nurse Practitioners & Midwives
◦ FQHC
Medicare Incentive Payments for Physicians
Incentive payments decrease starting in 2013; penalties (lower reimbursements) starting in 2015

First year as Meaningful EHR User | FY 2011 | FY 2012 | FY 2013 | FY 2014 | FY 2015 | FY 2016 | FY 2017 | Total
FY 2011                           | $18,000 | $12,000 | $8,000  | $4,000  | $2,000  |         |         | $44,000
FY 2012                           |         | $18,000 | $12,000 | $8,000  | $4,000  | $2,000  |         | $44,000
FY 2013                           |         |         | $15,000 | $12,000 | $8,000  | $4,000  |         | $39,000
FY 2014                           |         |         |         | $12,000 | $8,000  | $4,000  |         | $24,000
After FY 2015 (payment reduction) |         |         |         |         | 1%      | 2%      | 3%      |
Medicare Incentive Payments for Physicians
Hospitals may be able to collect incentive payments for certain employed physicians, but note that “hospital-based” physicians are excluded
Excluded Physicians
◦ Pathologists
◦ Anesthesiologists
◦ Emergency Physicians
Scope of Incentive Funds – Example
Washington Grace Hospital = 80 beds
◦ 4 Employed Physicians – Medicare ($44,000)
Estimates based on certain factual assumptions. Subject to revision under final HHS regulations.
“Meaningful Use”
Demonstrate to the “satisfaction of the Secretary” use of certified EHR in a meaningful manner
Certified EHR technology must be connected to provide for the electronic exchange of health information to improve the quality of care
Hospitals to submit information on clinical quality and other measures as selected by the Secretary
“Meaningful Use” - Policy Process
Office of the National Coordinator
HIT Policy Committee
HIT Standards Committee
Public Comments
• Over 800 received
CMS
“Meaningful Use” – Timeline: Phased HIT-Enabled Health Reform
2009 – HITECH Policies; HHS to define terms and issue regulations
2011 – Capture/Share Data; Incentive Payments
2013 – Advanced care processes with decision support
2015 – Improved Outcomes; Penalties
“Certified EHR Technology”
Proposed Definition of HHS Certification
◦ HHS Certification means that a system is able to achieve the minimum government requirements for security, privacy, and interoperability, and that the system is able to produce the Meaningful Use results that the government expects.
◦ HHS Certification is not intended to be viewed as a “seal of approval” or an indication of the benefits of one system over another.
December 31, 2009 deadline for initial standards, implementation specs and certification criteria
Technology Transaction Review
Careful review of information technology transactions – from due diligence during system selection through contracting
Ensure that all information technology transactions are HITECH ready
◦ Vendor/service provider commitment regarding data security and accounting of disclosure requirements
◦ Updated Business Associate Agreement
◦ Functionality necessary to obtain or maintain “certified EHR” status and to facilitate “meaningful use”
Additional Resources
HHS and the Office of the National Coordinator for Health Information Technology (ONCHIT) for development of standards for “certified EHRs” and “meaningful use”: http://healthit.hhs.gov/
Washington State Health Care Authority regarding grants and other “appropriated funds”: http://www.hca.wa.gov/arra.html
Questions?
David G. Schoolcraft
Health Law Blog: www.omwhealthlaw.com
APPENDIX
Breach Definition Statutory Exceptions
HITECH Act contains additional statutory exceptions to definition of “breach”:
◦ Unintentional use or disclosure to workforce member if use or disclosure was made in good faith and did not result in further use or disclosure
◦ Inadvertent disclosure from an individual authorized to access the records to another similarly situated individual
◦ Unauthorized person could not have reasonably retained the information
◦ Limited data set excluding Date of Birth and Zip Codes
Increased Civil Penalties
Violation when Person “Did Not Know”: $100/violation, $25,000 max
Violation due to Reasonable Cause: $1,000/violation, $100,000 max
Willful Neglect, Corrected: $10,000/violation, $250,000 max
Willful Neglect, Not Corrected: $50,000/violation, $1,500,000 max
HHS shall base the penalty determination on the nature & extent of the violation and the nature & extent of the resulting harm.
Effective for all violations after Feb. 17, 2009
Medicare Funds - Formulas & Key Factors
Hospitals: ($2 MM + $200 × (Discharges 1,150th – 23,000th)) × Medicare Share (%) × Transition Factor
◦ Key factors: Total Discharges, Medicare Inpatient Days, Charity Care, Medicare Share
Critical Access Hospitals: 101% × Reasonable Cost of EHR System × (Medicare Share % + 20%)
◦ Key factors: Costs of EHR System, Medicare Inpatient Days, Charity Care, Medicare Share
Medicare Incentive Payments – CAH Example
Washington Grace CAH – 25 beds
Total Discharges: 170
Medicare Patients: 110
Medicare Inpatient Days: 260
Total Inpatient Days: 350
Total Hospital Charges: $8,500,000
Total Charity Care: $120,000
Annual Cost of EHR System: $350,000
Medicare Share: 75% + 20% = 95% (20% increase for CAH)
Estimate of Incentive Payments*: 2011 $337,060; 2012 $337,060; 2013 $337,060; 2014 $337,060; Total $1,348,242
Assumes costs remain the same over all four years
*Estimate based upon existing statute in advance of HHS rule making.
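As an added example (not the presentation’s own material): Python that implements the two formulas from the “Formulas & Key Factors” slide and recomputes the Washington Grace figures. The slide lists the key factors but not how the Medicare share is built from them; the formula used here (Medicare inpatient days over total inpatient days, with the denominator reduced by the non-charity fraction of total charges), the 100% cap on the CAH share, and the year 1-4 transition factors of 1, 3/4, 1/2 and 1/4 are taken from the statute (Social Security Act §1886(n), as added by HITECH), not from the slides. With that share (about 75.3%) the CAH example comes out at $337,060 per year and $1,348,242 over four years, matching the slide; the general-hospital call at the bottom uses constructed inputs.

```python
# Added example, not from the presentation: Medicare EHR incentive formulas for
# hospitals and Critical Access Hospitals (CAHs). Constants marked "statute" come
# from Social Security Act §1886(n) rather than from the slides.

HOSPITAL_BASE_AMOUNT = 2_000_000          # "$2 MM"
PER_DISCHARGE_AMOUNT = 200                # "$200" per discharge in the paid band
FIRST_PAID_DISCHARGE = 1_150              # band runs from the 1,150th ...
LAST_PAID_DISCHARGE = 23_000              # ... through the 23,000th discharge
TRANSITION_FACTORS = {1: 1.0, 2: 0.75, 3: 0.5, 4: 0.25}   # payment years 1-4 (statute)
CAH_COST_MULTIPLIER = 1.01                # "101% of reasonable cost"
CAH_SHARE_BONUS = 0.20                    # Medicare share + 20 percentage points for CAHs


def medicare_share(medicare_inpatient_days, total_inpatient_days, total_charges, charity_care_charges):
    """Medicare share (statute): Medicare inpatient days over total inpatient days,
    with the denominator reduced by the fraction of charges that were not charity care."""
    if total_inpatient_days <= 0 or total_charges <= 0:
        raise ValueError("inpatient days and charges must be positive")
    if not 0 <= charity_care_charges <= total_charges:
        raise ValueError("charity care charges must lie between 0 and total charges")
    non_charity_fraction = (total_charges - charity_care_charges) / total_charges
    return medicare_inpatient_days / (total_inpatient_days * non_charity_fraction)


def hospital_incentive(total_discharges, share, payment_year):
    """General hospital formula: ($2MM + $200 per discharge from the 1,150th through
    the 23,000th) x Medicare share x transition factor. Years after 4 pay nothing."""
    paid_discharges = max(0, min(total_discharges, LAST_PAID_DISCHARGE) - (FIRST_PAID_DISCHARGE - 1))
    base = HOSPITAL_BASE_AMOUNT + PER_DISCHARGE_AMOUNT * paid_discharges
    return base * share * TRANSITION_FACTORS.get(payment_year, 0.0)


def cah_incentive(reasonable_ehr_cost, share):
    """CAH formula: 101% x reasonable EHR cost x (Medicare share + 20%), share capped at 100% (statute)."""
    cah_share = min(share + CAH_SHARE_BONUS, 1.0)
    return CAH_COST_MULTIPLIER * reasonable_ehr_cost * cah_share


def washington_grace_cah_estimate(years=4):
    """The slide's worked example: a constant $350,000 annual EHR cost over four years."""
    share = medicare_share(
        medicare_inpatient_days=260,
        total_inpatient_days=350,
        total_charges=8_500_000,
        charity_care_charges=120_000,
    )
    annual = cah_incentive(350_000, share)
    return {"medicare_share": share, "annual_payment": annual, "total": annual * years}


if __name__ == "__main__":
    est = washington_grace_cah_estimate()
    print(f"Medicare share {est['medicare_share']:.2%}, annual ${est['annual_payment']:,.0f}, "
          f"four-year total ${est['total']:,.0f}")
    # Constructed general-hospital input (not from the slides): 5,000 discharges,
    # 50% Medicare share, first payment year.
    print(f"General hospital, year 1: ${hospital_incentive(5_000, 0.5, 1):,.0f}")
```

The share on the slide is shown rounded to 75%; carrying the unrounded value through is what reproduces the slide’s $337,060 exactly, so keep the rounding for display only.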
Medicaid Incentive Payments for Physicians
85% of the “net average allowable costs”
◦ Capped at $25,000 in year 1
◦ Capped at $10,000 for years 2-6
Pediatrician incentive reduced by two-thirds unless Medicaid patient volume is 30%+
No initial payments after 2016
No subsequent payments after 2021
Eligible Professional: 85% × $25,000 + 85% × $50,000 = $63,750
Pediatrician (20-29% Medicaid): 85% × $25,000 × (2/3) + 85% × $50,000 × (2/3) = $42,500
Medicaid Incentive Payments for Hospitals
10% of “Patient Volume” on Medical Assistance
◦ To be defined by Secretary of HHS
◦ Inpatient vs. outpatient volumes
States allocate the money
Year 1 – Demonstrate efforts to adopt, implement or upgrade EHR system
Years 2-6 – Demonstrate “meaningful use”