1. South Carolina Healthcare Financial Management Association Legal Implications of HIT: Practical Tips for Compliance and Vendor Contracting June 1, 2011 Mark L. Bender, JD (803) 253-8212 mbender@nexsenpruet.com Jeanne M. Born, RN, JD (803) 540-2038 jborn@nexsenpruet.com Nexsen Pruet, LLC http://www/nexsenpruet.com

2. HIPAA/HITECH Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) American Recovery and Reinvestment Act of 2009 –Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”); Division A, Title VIII, Subtitle D – Privacy Division B, Title IV – Medicare/Medicaid Incentives Assumptions: I will assume that you all speak “HIPAA” & “HITECH”

3. HIPAA/HITECH HITECH made multiple changes in the existing HIPAA Statutes, Privacy Standards and Security Standards that directly affect covered entities, business associates and others. HITECH also provides for economic incentives to encourage the implementation of EHRS for hospitals and other “eligible providers.” This presentation is intended to be a high-level overview of some, not all, of the legal issues that arise out of the changes effected by HITECH and the regulations & guidance published pursuant to HITECH (to date) and implementing HIT.

4. Overview Legal & compliance issues with implementing the HITECH changes in the Privacy and Security regulations. Legal & compliance issues with implementing the Medicare & Medicaid Incentive Program meaningful use regulations. Additional legal issues in HIT implementation including: Practical tips for EHR system contracting.

5. Proposed Regulations July 14, 2010: Notice of Proposed Rulemaking: Modifications of the HIPAA Privacy, Security, and Enforcement Rules Under HITECH (the “NPRM”) Purpose: To implement several provisions of HITECH and broaden individual privacy rights. Still no final rule. A copy of the NPRM is at the following website: http://edocet.access.gpo.gov/2010/2010- 16718.htm

6. July 14, 2010 NPRM The July 14 NPRM implements the HITECH provisions, which were to be effective February 17, 2010. However... The NPRM states the following: “We note that the final rule will not take effect until after most of the provisions of the HITECH Act became effective on February 18, 2010. We recognize that it will be difficult for covered entities and business associates to comply with the statutory provisions until after we have finalized our changes to the HIPAA Rules. In addition, we recognize that covered entities and business associates will need some time beyond the effective date of the final rule to come into compliance with the final rule’s provisions. In light of these considerations, we intend to provide covered entities and business associates with 180 days beyond the effective date of the final rule to come into compliance with most of the rule’s provisions.” 75 F.R. 40868, 40871.

7. July 14, 2010 NPRM March 15, 2010 on the OCR website: http://www.hhs.gov/ocr/privacy/hipaa/understand ing/coveredentities/hitechblurb.html –“Although the effective date (February 17, 2010) for many of these HITECH Act provisions has passed, the NPRM, and the final rule that will follow, provide specific information regarding the expected date of compliance and enforcement of these new requirements.” Upshot? While this was a “stay of execution” we highly recommend that you go forward with taking steps toward compliance – both Covered Entities and Business Associates.

8. Business Associates Subject to Security Provisions Section 13401(a) provides that certain Security Standard provisions apply to Business Associates (“BA”) in the same manner as Covered Entities (“CE”): –45 CFR §164.308 – Administrative Safeguards –45 CFR §164.310 – Physical Safeguards –45 CFR §164.312 – Technical Safeguards –45 CFR §164.316 – Policies and procedures and documentation requirements –The additional requirements of HITECH that relate to security and that are made applicable with respect to CEs shall also be applicable to BAs. And shall be incorporated into the BA Agreement (“BAA”) between the BA and the CE.

9. Business Associates Subject to Security Provisions: NPRM Accountants are business associates if the accountant provides accounting services on behalf of a covered entity and the accountant uses PHI (includes payment information) to provide those services. Also adds obligations for BAs to pass on BA obligations to subcontractors.

10. Section 13401(c): Guidance on Security Rule Risk Analysis Requirements On July 14, 2010, HHS published guidance on compliance with risk analysis requirements under the security rule: http://www.hhs.gov/ocr/privacy/hipaa/ad ministrative/securityrule/rafinalguidancepdf.pdfhttp://www.hhs.gov/ocr/privacy/hipaa/ad ministrative/securityrule/rafinalguidancepdf.pdf Very useful for CEs and BAs. Will be updated after the final HITECH implementing regulations are published. A risk analysis (conduct or review) is also one of the required measures in the meaningful use regulations.

11. Section 13404: Application of Privacy Provisions and Penalties to BAs (a) Provides that the following privacy provisions apply directly to BAs: –45 C.F.R. §§ 164.502(e) and 164.504(e) (Re: BAAs) –The additional provisions in HITECH that relate to privacy that apply to CEs also apply to BAs. –NPRM broadly includes BAs in §§ 164.502 and 164.504(e). –NPRM includes new provision on subcontractors of BAs. (b) Provides that a BA must take steps to cure a breach of the BAA by the CE, terminate the BAA, or report to DHHS if the CE violates the BAA (“Snitch provision”). (c) Provides that if a BA violates (a) or (b), then the BA is subject to the HIPAA Statutory civil and criminal penalties (42 U.S.C. §§1320d-5 & 1320d-6).

12. Civil and Criminal Provisions of HIPAA apply to BAs Section 13401(b) provides that if a BA violates any of the Security provisions in Section 13401(a), the civil and criminal provisions of the HIPAA statute apply to the BA in the same manner as a CE. Significant for BAs: Previously, the only recourse against a BA was an action under the BAA.

13. Criminal Penalties: 42 U.S.C. §1320d-6 (a) A person who knowingly and in violation of this part-- (1) uses or causes to be used a unique health identifier; (2) obtains IIHI relating to an individual; or (3) discloses IIHI to another person, shall be punished as provided in subsection (b) of this section. (b) Penalties A person described in subsection (a) of this section shall-- (1) be fined not more than $50,000, imprisoned not more than 1 year, or both; (2) if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and (3) if the offense is committed with intent to sell, transfer, or use IIHI for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.

14. Notification of Breach: Section 13402 A CE that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses or discloses unsecured protected health information shall, in the case of a breach, notify the individual whose unsecured protected health information has been or is reasonably believed by the CE to have been accessed, acquired, or disclosed as a result of such breach. BAs shall notify the CE of such breaches.

15. Breach: Section 13400(1) (A) IN GENERAL.—The term ‘‘breach’’ means the unauthorized acquisition, access, use, or disclosure of protected health information (“PHI”) which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.

16. Breach: Section 13400(1) (B) EXCEPTIONS.—The term ‘‘breach’’ does not include— (i) any unintentional acquisition, access, or use of PHI by an employee or individual acting under the authority of a CE or BA if— (I) such acquisition, access, or use was made in good faith and within the course and scope of the employment or other professional relationship of such employee or individual, respectively, with the CE or BA; and (II) such information is not further acquired, accessed, used, or disclosed by any person; OR (ii) any inadvertent disclosure from an individual who is otherwise authorized to access PHI at a facility operated by a CE or BA to another similarly situated individual at same facility; and (iii) any such information received as a result of such disclosure is not further acquired, accessed, used, or disclosed without authorization by any person.

17. Definition of Breach Published the interim final rule on August 24, 2009: 45 C.F.R. §§164.400 – 164.414. Modified the definition of breach... Added a “harm” standard by defining “compromises the security or privacy of [protected health] information” as follows: –Poses a significant risk of financial reputational or other harm to the individual. Senator Waxman did not like this change and informed Secretary Sebilius by letter dated October 1, 2009. This was not addressed in the NPRM.

18. Status of Breach Notification Interim Final Rule & Final Rule Interim Final Breach Notification Rule can be found at: http://edocket.access.gpo.gov/2009/pdf/E9 -20169.pdf A final breach rule was submitted to the OMB in late July of 2010, but it was withdrawn. http://www.hhs.gov/ocr/privacy/hipaa/ad ministrative/breachnotificationrule/finalrule update.html Upshot: the interim final rule stands. Stay tuned.

19. Unsecured PHI: Section 13402(h) Unsecured Protected Health Information (“Unsecured PHI”): PHI that is not secured by a technology standard that renders PHI unusable unreadable, or indecipherable to unauthorized individuals and is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute. Guidance published April 17, 2009.

20. Notification of Breach Guidance published April 17, 2009 provides that the technologies and methodologies that render PHI unusable, unreadable, or indecipherable to unauthorized individuals are: –Electronic PHI that has been encrypted Data at rest – NIST Special Publication 800-111 Data in motion – FIPS 140-2 (Includes NIST Special Publications 800-52, 800-77 or 800-113) –Media on which PHI is stored or recorded has been destroyed: Paper, film or hard copy: shredded or destroyed such that it cannot be reconstructed Electronic media: cleared or purged consistent with NIST Special Publication 800-88 FIPS: www.itl.nist.gov/fipspubs/index.htmwww.itl.nist.gov/fipspubs/index.htm NIST: www.nist.gov/

21. Notification of Breach Notice must be made within 60 days of when the CE knows or should have reasonably known of the breach. Individuals: notice is provided in writing by first class mail or by e-mail if the individual provided a preference. If contact information is out of date (including 10 or more such individuals), post a toll free number on the CE’s website where individuals can learn if their unsecured PHI has been breached. Regulations add provisions for deceased individuals and when contact information is insufficient or out of date: –Fewer than 10: alternative form of written notice, telephone or other means –10 or greater: conspicuous posting for 90 days on CE’s webpage or in major broadcast media AND contact information.

22. Notification of Breach If notification is urgent because of possible misuse, may telephone the individual(s) If 500 or more individuals are involved, notice must be provided to prominent media outlets. Notice must be provided to the Secretary of DHHS; –if 500 or more individuals are involved, this notice must be given immediately –If less that 500, the CE may keep and log and disclose to the Secretary annually. The Secretary of DHHS will post the identities of the CEs involved in breaches where more than 500 individuals are involved. See the OCR posting (225 recorded breaches >500 to date) at http://www.hhs.gov/ocr/privacy/hipaa/administrative /breachnotificationrule/breachtool.html

23. Notification of Breach Breach notification webpage: http://www.hhs.gov/ocr/privacy/hipaa/ad ministrative/breachnotificationrule/index.ht ml Guidance for notifying Secretary of breaches: http://www.hhs.gov/ocr/privacy/hipaa/ad ministrative/breachnotificationrule/brinstru ction.html http://www.hhs.gov/ocr/privacy/hipaa/ad ministrative/breachnotificationrule/brinstru ction.html –Submit Notice of a Breach Affecting 500 or More Individuals Submit Notice of a Breach Affecting 500 or More Individuals –Submit Notice of a Breach Affecting Fewer than 500 IndividualsSubmit Notice of a Breach Affecting Fewer than 500 Individuals

24. Notification of Breach Content of notice: –Brief description of what happened (include date of breach and date of discovery) –A description of the types of Unsecured PHI involved in the breach –The steps that individuals should take to protect themselves from potential harm –A brief description of what the CE is doing to investigate, mitigate losses and protect against further breaches –Contact information (toll-free telephone number, an e-mail address, web site, or postal address)

25. Notification of Breach Notice can be delayed if necessary if law enforcement determines that notice: –Would impede a criminal investigation –Cause damage to national security

26. Section 13405(a): Restrictions Provides that a CE must comply with a request for a restriction (45 C.F.R. §164.522(a)(1)(i)(A)) in the use or disclosure of PHI if the purpose of the use or disclosure is NOT treatment and if payment is out of pocket in full. Upshot: Amend your HIPAA policies and procedures and your Notice of Privacy Practices to add this requirement and flag your PHI if such a restriction is requested. NPRM implements this provision.

27. Section 13405(b): Disclosures Limited: Minimum Necessary (b)(1) A CE will be in compliance with the minimum necessary standard (45 C.F.R. §164.502(b)) if the CE uses, discloses or requests only a limited data set (45 C.F.R. §514(e)(2)) unless the limited data set is not sufficient, then the minimum necessary PHI to accomplish the purpose may be disclosed. DHHS is to publish guidance on what constitutes “minimum necessary” within 18 months of, February 17, 2009, the publication of HITECH. Interestingly, the Notice of Proposed Regulations did not define the “minimum necessary standard.” Publication was to be made by August 17, 2010. No guidance published as yet. Upshot? Guidance will affect multiple policies/procedures and likely business practices as well. Be on the lookout!

28. Section 13405(c): Accounting of Disclosures (c) If a CE maintains an EHR with respect to PHI, then the accounting of disclosures includes disclosures for treatment, payment and health care operations (“TPO”), but The accounting may be requested for only the prior three (3) years. DHHS was to promulgate regulations within 6 months after DHHS adopts standards on accounting for disclosures for TPO in Section 3002(b)(2)(B)(iv) of HITECH. The proposed date for accounting of disclosures was January 11, 2011.

29. Section 13405(c): Accounting of Disclosures On May 3, 2010, DHHS published a “request for information” asking for information re: –Interests of individuals as to disclosures for TPO through an EHR; –The administrative burden on CEs and Bas; –Other information to help rulemaking. Comment period ended May 18, 2010. The NPRM was published in the Federal Register May 31, 2011: See: http://www.gpo.gov/fdsys/pkg/FR-2011-05- 31/pdf/2011-13297.pdf

30. Section 13405(c): Accounting of Disclosures: NPRM Divided into 2 rights: Applies to CEs and BAs Right to an accounting (paper & EHR) – 3year period Right to an access report (EHR only) – 3year period –Includes who has accessed the individual’s E-PHI held by a CE or BA. –Does not distinguish between “uses” and “disclosures,” and thus, would apply when any person accesses an electronic designated record set, whether that person is a member of the workforce or a person outside the CE. –identifies the date, time, and name of the person (or name of the entity if the person’s name is unavailable) who accessed the information, a description of the PHI that was accessed; and –the user’s action, but only to the extent that such information is available. –Right to an access report must be added to the NPP.

31. Section 13405(c): Accounting of Disclosures: NPRM Exempts accounting of impermissible disclosures that have been reported to the individual as a breach. Disclosures included in the accounting: –For public health activities except disclosures to report child abuse –For judicial and administrative proceedings –For law enforcement purposes –To avert a serious threat to health or safety –For military and veterans activities, the Department of State’s medical suitability determinations, and government programs providing public benefits –For workers’ compensation

32. Section 13405(c): Accounting of Disclosures: NPRM Disclosures to carry out treatment, payment and health care operations as provided in §164.506 would continue to be exempt for paper records. An individual would be able to obtain information (such as the name of the person accessing the information) for all access to E-PHI stored in a designated record set for purposes of treatment, payment and health care operations.

33. Section 13405(c): Accounting of Disclosures: NPRM Excludes from the ACCOUNTING –disclosures about victims of abuse, neglect, or domestic violence under § 164.512(c); –disclosures for health oversight activities under § 164.512(d); –disclosures for research purposes under § 164.512(i); –disclosures about decedents to coroners and medical –examiners, funeral directors, and for cadaveric organ, eye, or tissue donation purposes under § 164.512(g) and (h); –disclosures for protective services for the President and –others under § 164.512(k)(3); and –most disclosures that are required by law (including disclosures to the Secretary to enforce the HIPAA Administrative Simplification Rules) But, the forgoing is to be available in the ACCESS REPORT to the extent these disclosures are made through the EHR.

34. Section 13405(c): Accounting of Disclosures: NPRM Content of the accounting: –The date, or approximate date or period of time during which the disclosure occurred which, at a minimum, shall include the month and year or a description of when the disclosure occurred from which an individual can readily determine the month and year of the disclosure; –The name of the entity or person who received the PHI and, if known, the address of such entity or person –Brief description of the type of PHI disclosed –Brief description of the purpose of the disclosure

35. Section 13405(c): Accounting of Disclosures: NPRM Provision of the Accounting –CE must act on the individual’s request for an accounting no later than 30 days after receipt of such request –If the CE is unable to provide the accounting within that time, the CE may extend the time by no more than 30 days provided that (1) the CE provides a written statement of the reason for the delay and the date by which the CE will provide the accounting and (2) the CE may have only 1 such extension –CE must provide the accounting in the form and format requested by the individual (there are a few exceptions) –CE must provide the first accounting to an individual in any 12-month period without charge

36. Section 13405(c): Accounting of Disclosures: NPRM Documentation of the Accounting: –CE or BA must retain the information required to be included in an accounting under this section for three years from the date of disclosure –CE must document and retain the following: A copy of the written accounting that is provided to the individual Titles of the persons or offices responsible for receiving and processing requests for an accounting by individuals

37. Section 13405(c): Accounting of Disclosures: NPRM Content of the Access Report: (likened to an audit log – as required under the Security Rule) All disclosures AND USES of E-PHI in the designated record set (not limited to uses and disclosures made through the EHR). CE must provide the individual with an access report that includes the following: –Date of access; time of access; name of natural person, description of what information was accessed; description of action by the user. CE shall provide the individual with the option to limit the access report to a specific date, time period, or person.

38. Section 13405(c): Accounting of Disclosures: NPRM Provision of the Access Report: –CE must act on the individual’s request for an access report no later than 30 days after receipt. –CE must provide the individual with the access report in a machine readable or other electronic form and format requested by the individual, if it is readily producible in such form and format. –CE must provide the first access report to an individual in any 12-month period without charge.

39. Section 13405(c): Accounting of Disclosures: NPRM Documentation of the Access Report: CE or BA must retain the information required to be included in an access report under this section for three years from the date of the use or disclosure.

40. Section 13405(c): Accounting of Disclosures (cont’d) In processing a request for an accounting, the CE may elect: –An accounting of disclosures of the CE and BAs; or –An accounting of disclosures of the CE and a list of BAs the individual can contact with contact information.

41. Section 13405(d): Prohibition on the Sale of EHRs or PHI A CE or BA shall NOT directly or indirectly receive remuneration in exchange for any PHI of an individual unless the CE obtains a valid HIPAA authorization that includes a specification of whether the PHI can be further exchanged for remuneration by the receiver. The prohibition does not apply to the following disclosures: –Public health activities (45 C.F.R. §164.512(b)) –Research purposes (45 C.F.R. §164.512(i)) and the price charged reflects the cost of preparation and transmittal of the data; –Treatment –Due diligence disclosures in connection with the sale or transfer of assets of a potential successor in interest –Disclosures to the BA –Access by the individual subject of the PHI –As otherwise determined by DHHS

42. Section 13405(d): Prohibition on the Sale of EHRs or PHI Regulations were to be published by August 17, 2010... Stay tuned. Upshot? Review vendor contracts to be sure that appropriate BA language is part of the agreement.

43. Section 13405(e): Access to Certain Information in Electronic Format In applying the Privacy Standards access provisions (45 C.F.R. §164.524), an individual has the right to obtain information in electronic format and direct the CE to provide it directly to an entity or person identified by the individual, provided the choice is clear, conspicuous and specific. Any fee charged by the CE for such access cannot be greater than the CE’s actual labor cost. NPRM implements this provision. Upshot? –Update your Access policy/procedure to implement – work through issues related to how you will allow such access in a manner consistent with your security policies/procedures. –Update your Notice of Privacy Practices. –Note: Meaningful Use provisions require that access is provided within 3 days!

44. Section 13406(a): Conditions on Certain Contacts as Part of HCO: Marketing Generally, a communication by a CE or BA that is about a product or service and that encourages recipients of the communication to purchase or use the product or service [shall not be considered a health care operation (“HCO”)][is marketing and prohibited unless you obtain an authorization] unless the communication is made: –that describes health-related products or services provided by the CE making the communication; –for the treatment of a patient; or –for case management or care coordination of a patient, or to direct or recommend alternative treatments, health care providers or settings of care to the patient.

45. Section 13406(a): Conditions on Certain Contacts as Part of HCO: Marketing If the CE receives payment in exchange for any of those communications, then the communication is not a HCO (authorization required) except where: –Such communication describes only a drug or biologic that is currently being prescribed for the recipient of the communication and any direct or indirect payment received by such CE (not for treatment) in exchange for making a communication is reasonable in amount; & –Where each of the following conditions apply: The communication is made by the CE; and The CE making the communication obtains from the recipient of the communication a valid HIPAA authorization; Or –Where each of the following conditions apply: The communication is made by a BA on behalf of a CE; and The communication is consistent with the written agreement between the BA and CE.

46. Section 13406(a): Conditions on Certain Contacts as Part of HCO: Marketing Reasonable: DHHS to define by regulation. Direct or Indirect payment: Does not include any payment for treatment as defined in 45 C.F.R. §164.501. NPRM proposing significant changes in this provision to simplify...

47. Marketing and the July 14, 2010 NPRM Revisions to better distinguish the exception for treatment communication form those communications made for health care operations; Add a definition for “financial remuneration;” Health care operations communications for which financial remuneration is received are marketing and require authorization; Written treatment communications for which financial remuneration is received are subject certain notice and opt out requirements (include in the NPP); Provide a limited exception for refill reminders; and etc. Upshot? –Review your marketing activities and update your HIPAA marketing policies/procedures. Too confusing!!! Stay tuned.

48. Section 13406(b): Conditions on Certain Contacts as Part of Health Care Operations: Opt out of Fundraising Any written fundraising request shall include, in a clear and conspicuous manner, an opportunity for the individual to elect to opt out of receiving future fundraising communications. Such election shall be treated as a revocation of a HIPAA authorization. NPRM implements this provision. Upshot? –Review your fundraising communications to assure that all communications include opt out language. –Monitor compliance with patients who do opt out.

49. Section 13408: BA Contract Required for Certain Entities Requires the following entities to enter into a BAA with the CE: –Health Information Exchange Organizations; –Regional Health Information Organizations; –E-prescribing Gateway; and –Each vendor that contracts with a CE to allow the CE to offer a PHR to patients as part of its EHR. Upshot: If you disclose PHI to HIEOs, RHIOs, or an E-prescribing Gateway, be sure to enter into a BAA with the entity.

50. Section 13409: Clarification of Application of Wrongful Disclosures Criminal Penalties Amends 42 U.S.C. §1320d-6(a) to make it clear that the criminal penalties apply to employees and other individuals.

51. Section 13410(a) & (b): Improved Enforcement Section 13410(a) Significantly revises 42 U.S.C. §1320d-5 to include non-compliance due to willful neglect and requires DHHS to investigate if a complaint indicates a violation due to willful neglect. Section 13410(b) –Makes 13410(a) changes effective 24 months from the date HITECH published. –DHHS required to promulgate regulations to implement this provision within 18 months of the publication of HITECH – not published yet.

52. Section 13410(c): Improved Enforcement Distribution of Civil Money Penalties (“CMPs”): –$$ go to the Office for Civil Rights to be used for enforcement purposes. - Harmed individuals may share in civil monetary penalties. Within three years a mechanism for collection will be developed.

53. Section 13410(d): Improved Enforcement Tiered increase in CMPs: –(a) $100 for each violation, the total not to exceed $25,000 for identical violations during a calendar year; –(b) $ 1,000 for each violation, the total not to exceed $100,000 for identical violations during a calendar year; –(c) $ 10,000 for each violation, the total not to exceed $250,000 for identical violations during a calendar year; and –(d) $ 50,000 for each violation, the total not to exceed $1,500,000 for identical violations during a calendar year.

54. Section 13410(d): Improved Enforcement Application of tiers: –A violation where the person did not know and by exercising due diligence would not have known, the penalty will be not less than (a) but not more than (d). –A violation due to reasonable cause, but not willful neglect, the penalty will be not less than (b) but not more than (d). –A violation due to willful neglect: If corrected, the penalty will be not less than (c) but not more than (d); If not corrected, the penalty will be not less than (d).

55. Interim Final Enforcement Rule Published October 30, 2009 and can be found at http://www.hhs.gov/ocr/privacy/hipaa/administrative /enforcementrule/enfifr.pdf http://www.hhs.gov/ocr/privacy/hipaa/administrative /enforcementrule/enfifr.pdf Definitions: –Reasonable cause means circumstances that would make it unreasonable for the covered entity, despite the exercise of ordinary business care and prudence, to comply with the administrative simplification provision violated. –Reasonable diligence means the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances. –Willful neglect means conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.

56. July 14, 2010 NPRM Proposes changes NPRM proposes a change in the definition of reasonable cause to mean an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect. Other changes to strengthen and expand the OCR’s ability to enforce the Privacy and Security Standards.

57. Section 13410(e): Improved Enforcement Enforcement by Attorneys General: In any case in which the AG has reason to believe that an interest of one or more of the residents of the State has been threatened or adversely affected by any person who violates a provision of HIPAA, the AG may bring a civil action on behalf of such residents to: –Enjoin further such violations; or –To obtain damages on behalf of such residents calculated by multiplying the number of violations by $100, the total not to exceed $25,000 for identical violations during a calendar year. The court may award attorney fees.

58. Thought they were joking: Meet Richard Blumenthal Blumenthal, Connecticut’s Attorney General, brought the first suit under the HITECH act. He brought suit against Health Net after they lost or had stolen a disk that contained personal information of 1.5 million people.

59. … And He Won! Health Net spent over $7 million trying to fix the data breach. Health Net settled for a $250,000 fine, with a possibility of an additional $500,000. Lesson: Encrypt!

60. HIPAA/HITECH Constant rapid changes in the law. Stay tuned for more changes as various rules due to be published going forward. Questions about HIPAA/HITECH????

61. Medicare & Medicaid Incentive Program American Recovery and Reinvestment Act of 2009: Division B, Title IV – Medicare/Medicaid Incentives Medicare & Medicaid EHR Incentive program NPRM published January 13, 2010 Final Rule published July 28, 2010 Resource: –https://www.cms.gov/EHRIncentivePrograms/ Significant changes from the NPRM to the final rule.

62. Glossary: More Terms CEHR: Certified Electronic Health Record: 42 C.F.R. §§ 495.4 CPOE: Computerized Physician Order Entry EH: Eligible Hospital: 42 C.F.R. §§ 495.4 EHR: Electronic Health Record: 42 U.S.C.A. §17921(5) EP: Eligible Provider: 42 C.F.R. §§ 495.4 MU: Meaningful Use of certified EHR technology: 42 C.F.R. §§ 495.4 ONC: Office of the National Coordinator of Health Information Technology: 42 U.S.C.A. §300jj-11

63. Three General Requirements Requires the MU of Certified EHR technology. Requires using Certified EHR technology for the electronic exchange of health information to improve efficiency and the quality of care. Requires EHs and EPs to submit data on clinical quality measures to CMS to show MU.

64. Who is eligible to participate? Medicare fee for service –EPs MD or DO DDS or DDM DPM (Podiatrist) Dr. of Optometry –EHs Acute care hospitals Critical Access Hosptials (CAHs)

65. Who is eligible to participate? Medicare Advantage –MA EPs: Must furnish, on average, at least 20 hours/week of patient-care services and be employed by the qualifying MA organization; or Must be employed by, or be a partner of, an entity that through contract with the qualifying MA organization furnishes as least 80% of the entity’s Medicare patient care services to enrollees of the qualifying MA organization. –MA-Affiliated Eligible Hospitals: Will be paid under the Medicare fee for service EHR incentive program.

66. Who is eligible to participate? Medicaid –EPs Physicians Nurse Practitioners Certified Nurse Midwives Dentists PAs working at a FQHC or RHC that is led by a PA. –EHs Acute care hospitals (including CAHs) Children’s hospitals

67. Who is eligible to participate? But, hospital-based EPs do not qualify. –Hospital based EP: An EP performing substantially all of their services in an inpatient hospital setting or emergency room. EPs may participate in Medicare OR Medicaid incentive programs, not both (may switch one time before 2015). EHs may participate in both Medicare and Medicaid incentive programs. SCDHHS published a bulletin January 11, 2011 concerning SC’s Medicaid incentive program.

68. What is a Certified EHR? The ONC published the Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology Final Rule on July 28, 2010. The ONC published Health Information Technology: Revisions to Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology on October 13, 2010. Anticipates certifying a complete EHR and EHR Modules. 45 C.F.R. §§ 170.102 & 170.302. Tracks the MU objectives and adds certain security related provisions. 45 C.F.R. §170.302. Has provisions for ambulatory and inpatient settings. 45 C.F.R. §§ 170.304 & 170.306.

69. How are EHRs Certified? ONC published the Establishment of the Temporary Certification Program for HIT on June 24, 2010. (75 F.R. 36158-01). 45 C.F.R. 170.400, et. seq.; sunsets December 31, 2011. ONC published the Permanent Certification program for HIT on January 7, 2011 (76 F.R. 1325). 45 C.F.R. 170.500, et. seq.

70. How are EHRs Certified? ONC authorized testing and certification bodies (ONC-ATCBs): –Certification Commission of Healthcare Information Technology (“CCHIT”) –Drummond Group, Inc. –InfoGard Laboratories, Inc. –Surescripts, LLC –ICSA Labs –SLI Global Solutions See the current listing of Certified EHR Technology Vendors at: http://onc-chpl.force.com/ehrcerthttp://onc-chpl.force.com/ehrcert

71. What are the objectives/measures? Core set of objectives: –15 for EPs; –14 for EHs. Menu set of objectives: –10 for EPs and EHs. EPs must meet 20 total. EHs must meet 19 total.

72. Exception for Medicaid EPs and EHs If the EP or EH adopted (acquired and installed), implemented (commenced utilization of) or upgraded or expanded and used certified EHR technology, then the EP or EH need not demonstrate that it is a meaningful user until the second payment year. Practice tip: If the EP received EHR software or information technology and training services as a donation under the Stark EHR donation exception/Anti-kickback safe harbor, then the EP’s Medicaid incentive payment may be affected: –Because the Medicaid incentive is about reimbursing the EP for adopting, implementing and upgrading or expanding EHR technology.

73. Meaningful Use Objectives See the CMS comparison chart on the following 9 slides: –Provides a succinct summary of the objectives and measures; –Provides the comparison of the NPRM to final rule. In addition, the following 17 slides were copied or paraphrased from PowerPoint presentations by CMS entitled “Medicare & Medicaid EHR Incentive Program Final Rule, Implementing the American Recovery & Reinvestment Act of 2009.”

74. Insert 9 slides here

83. Implementation Will be implemented in three stages: –Stage 1 = 2011 and 2012 EPs must meet 20 of 25 objectives EHs must meet 19 of 24 objectives Reporting period = 90 days first year and one year subsequently. –Stage 2 = Will be transitioned from Stage 1 DHHS will re-evaluate measures Will include greater emphasis on HIE across institutional boundaries –Stage 3 = will be discussed in future rulemaking

84. Clinical Quality Measures 2011: EPs, EHs and CAHs demonstrating MU are required to submit aggregate CQM numerator, denominator and exclusion data to CMS or the States by attestation. 2012: EPs, EHs and CAHs demonstrating MU are required to electronically submit aggregate CQM numerator, denominator, and exclusion data to CMS or the States.

85. CQM: Eligible Professionals Core, Alternate Core, and Additional CQM sets for EPs EPs must report on 3 required core CQM, and if the denominator of 1 or more of the required core measures is 0, then EPs are required to report results for up to 3 alternate core measures EPs also must select 3 additional CQM from a set of 38 CQM (other than the core/alternate core measures) In sum, EPs must report on 6 total measures: 3 required core measures (substituting alternate core measures where necessary) and 3 additional measures 85

86. CQM: Core Set for EPs 86 NQF Measure Number & PQRI Implementation Number Clinical Quality Measure Title NQF 0013Hypertension: Blood Pressure Measurement NQF 0028Preventive Care and Screening Measure Pair: a) Tobacco Use Assessment b) Tobacco Cessation Intervention NQF 0421 PQRI 128 Adult Weight Screening and Follow-up

87. CQM: Alternate Core Set for EPs 87 NQF Measure Number & PQRI Implementation Number Clinical Quality Measure Title NQF 0024Weight Assessment and Counseling for Children and Adolescents NQF 0041 PQRI 110 Preventive Care and Screening: Influenza Immunization for Patients 50 Years Old or Older NQF 0038Childhood Immunization Status

88. CQM: Additional Set for EPs 1.Diabetes: Hemoglobin A1c Poor Control 2.Diabetes: Low Density Lipoprotein (LDL) Management and Control 3.Diabetes: Blood Pressure Management 4.Heart Failure (HF): Angiotensin-Converting Enzyme (ACE) Inhibitor or Angiotensin Receptor Blocker (ARB) Therapy for Left Ventricular Systolic Dysfunction (LVSD) 5.Coronary Artery Disease (CAD): Beta-Blocker Therapy for CAD Patients with Prior Myocardial Infarction (MI) 6.Pneumonia Vaccination Status for Older Adults 7.Breast Cancer Screening 8.Colorectal Cancer Screening 9.Coronary Artery Disease (CAD): Oral Antiplatelet Therapy Prescribed for Patients with CAD 10.Heart Failure (HF): Beta-Blocker Therapy for Left Ventricular Systolic Dysfunction (LVSD) 11.Anti-depressant medication management: (a) Effective Acute Phase Treatment,(b)Effective Continuation Phase Treatment 12.Primary Open Angle Glaucoma (POAG): Optic Nerve Evaluation 13.Diabetic Retinopathy: Documentation of Presence or Absence of Macular Edema and Level of Severity of Retinopathy 14.Diabetic Retinopathy: Communication with the Physician Managing Ongoing Diabetes Care 15.Asthma Pharmacologic Therapy 16.Asthma Assessment 17.Appropriate Testing for Children with Pharyngitis 18.Oncology Breast Cancer: Hormonal Therapy for Stage IC-IIIC Estrogen Receptor/Progesterone Receptor (ER/PR) Positive Breast Cancer 19.Oncology Colon Cancer: Chemotherapy for Stage III Colon Cancer Patients 88

89. CQM: Additional Set for EPs, cont’d 20.Prostate Cancer: Avoidance of Overuse of Bone Scan for Staging Low Risk Prostate Cancer Patients 21.Smoking and Tobacco Use Cessation, Medical assistance: a) Advising Smokers and Tobacco Users to Quit, b) Discussing Smoking and Tobacco Use Cessation Medications, c) Discussing Smoking and Tobacco Use Cessation Strategies 22.Diabetes: Eye Exam 23.Diabetes: Urine Screening 24.Diabetes: Foot Exam 25.Coronary Artery Disease (CAD): Drug Therapy for Lowering LDL-Cholesterol 26.Heart Failure (HF): Warfarin Therapy Patients with Atrial Fibrillation 27.Ischemic Vascular Disease (IVD): Blood Pressure Management 28.Ischemic Vascular Disease (IVD): Use of Aspirin or Another Antithrombotic 29.Initiation and Engagement of Alcohol and Other Drug Dependence Treatment: a) Initiation, b) Engagement 30.Prenatal Care: Screening for Human Immunodeficiency Virus (HIV) 31.Prenatal Care: Anti-D Immune Globulin 32.Controlling High Blood Pressure 33.Cervical Cancer Screening 34.Chlamydia Screening for Women 35.Use of Appropriate Medications for Asthma 36.Low Back Pain: Use of Imaging Studies 37.Ischemic Vascular Disease (IVD): Complete Lipid Panel and LDL Control 38.Diabetes: Hemoglobin A1c Control (<8.0%) 89

90. CQM: Eligible Hospitals and CAHs 1.Emergency Department Throughput – admitted patients Median time from ED arrival to ED departure for admitted patients 2.Emergency Department Throughput – admitted patients – Admission decision time to ED departure time for admitted patients 3.Ischemic stroke – Discharge on anti-thrombotics 4.Ischemic stroke – Anticoagulation for A-fib/flutter 5.Ischemic stroke – Thrombolytic therapy for patients arriving within 2 hours of symptom onset 6.Ischemic or hemorrhagic stroke – Antithrombotic therapy by day 2 7.Ischemic stroke – Discharge on statins 8.Ischemic or hemorrhagic stroke – Stroke education 9.Ischemic or hemorrhagic stroke – Rehabilitation assessment 10.VTE prophylaxis within 24 hours of arrival 11.Intensive Care Unit VTE prophylaxis 12.Anticoagulation overlap therapy 13.Platelet monitoring on unfractionated heparin 14.VTE discharge instructions 15.Incidence of potentially preventable VTE 90

91. Incentive payments for EPs IF the EP begins in: –2011 = $44K –2012 = $44K –2013 = $39K –2014 = $24K If the EP (HPSA) begins in: –2011 = $48.4K –2012 = $48.4K –2013 = $42.9K –2014 = $26.4K

92. Incentive payments for EPs If the Medicaid EP begins in: –2011 = $63,750 –2012 = $63,750 –2013 = $63,750 –2014 = $63,750 –2015 = $63,750 –2016 = $63,750

93. Incentive payments for Hospitals No payments after 2016. Based on a formula: –($2Mil. Base + per discharge amount)(or if > 23,000 discharges = $6,370,200) x (Medicare/Medicaid share fraction) –There is no maximum incentive amount

94. Incentive payments for CAHs The product of the reasonable costs incurred for the purchase of certified EHR technology and the CAH’s Medicare share percentage.

95. Milestone Timeline

96. Medicare/Medicaid Economic Incentives Questions?

97. Additional Legal Issues to Consider with HIT Implementation Implementation of HIT requires increased focus on privacy and security. Why we reviewed the “latest and greatest” progress (or lack thereof) in the HITECH privacy and security rules. Success with HIT implementation occurs only with successful privacy and security protections.

98. Additional Legal Issues to Consider with HIT Implementation Review your policies/procedures for what is included in your “Legal Medical Record” to assure that the EHR product provides for legally required content: –Conditions of Participation –Licensing Regulations –Legally Required Reporting (ex: compliance with quality initiatives) –Documentation to support: Continuing care Billing and coding Legal defense Audit defense –The Joint Commission requirements

99. Additional Legal Issues to Consider with HIT Implementation Require ongoing representations & warranties in agreements concerning the legal compliance obligations.

100. Additional Legal Issues to Consider with HIT Implementation Take care to accurately document: –Watch out for software prompts that may cause the provider to document a service that was not done. –Watch “block and copy” –These documentation issues: Create issues with patient safety in reliance on records for the provision of continuing care Create issues with medical necessity May create issues of allegations of fraud and abuse: –“[Reviewers] shall determine if patterns and/or trends exist in the medical record which may indicate potential fraud, waste or abuse” where “medical records tend to have obvious or nearly identical documentation...” CMS Pub. 100-8, Medicare Integrity Manual, Section 4.3(C).

101. Additional Legal Issues to Consider with HIT Implementation Be aware or record retention and destruction: –Review your policies/procedures to determine if they address both paper and EHRs. Be aware of E-Discovery Issues: –Duty to preserve electronic evidence when you become aware of the threat of litigation Know where your electronically stored information resides: –Servers –Database files –Word processing files –PCs, Laptops, Desktops –PDAs –Imaging systems –Other media: thumb drives, CDs, etc.

102. Additional Legal Issues to Consider with HIT Implementation E-Discovery Continued: –Understand that the stakes are high: Exclusion of evidence that may be helpful to your case. Major monetary sanctions –Review policies/procedures for retention / destruction in the litigation and governmental investigation context. –Review administrative policies/procedures and legal compliance policies/procedures.

103. Additional Legal Issues to Consider with HIT Implementation –Be aware of Metadata, particularly as it pertains to how, when and by whom an entry was collected, created, accessed, or modified and how it is formatted, including data demographics as to size, location, storage requirements and media information. Understand that metadata provides a vast amount of information about documentation which was not previously available. Be prepared to address issues raised with metadata particularly in malpractice cases.

104. Additional Legal Issues to Consider with HIT Implementation Be aware of liability caused by the application of technology. E-Iatrogenesis*: patient harm caused, at least in part, by the application of health information technology. –*Weiner, J.P., et al, The Most Critical Unintended Consequence of COPE and other HIT, J. Am. Med. Inform Ass’n, June 2007, at 14:387-388. See the AHRQ website for a summary of patient safety issues with CPOE at http://psnet.ahrq.gov/primer.aspx?primerID=6

105. Additional Legal Issues to Consider with HIT Implementation –e-Iatrogenic errors occur with CPOE in “four major categories: (1) errors of commission, such as accessing the wrong patient’s record or overwriting one patient’s information with another’s; (2) errors of omission or transmission, such as the loss or corruption of vital patient data; (3) errors in data analysis, including medication dosing errors of several orders of magnitude; and (4) incompatibility between multi-vendor software applications and systems, which can lead to any of the above.”* –*Jeffrey Shuren, Director of FDA’s Center for Devices and Radiological Health, Testimony at the Health Information Technology Policy Committee Adoption/Certification Workgroup, (February 25, 2010).

106. Additional Legal Issues to Consider with HIT Implementation Any of these types of errors can result in a negligence action against the hospital and providers. Upshot: –Discuss whether the vendor has addressed these issues in the development of their product. –Focus on education and training. –Discuss with your general and professional malpractice carrier.

107. Additional Legal Issues to Consider with HIT Implementation Reference The Joint Commission Sentinel Event Alert: December 11, 2008: Safely implementing health information and converging technologies http://www.jointcommission.org/asset s/1/18/SEA_42.PDF

108. PRACTICAL TIPS FOR EHR SYSTEM CONTRACTING Mark L. Bender

109. Steps in the Process Gap Analysis-Understand existing capabilities and new capabilities needed Requirements Specifications Request for Proposal Vendor Selection Negotiate Financial Terms Negotiate Contract Sign Contract Implementation Go Live

110. Contracting Fundamentals A Contract is not a substitute for choosing the right system and the right vendor If it’s not in the contract, you won’t get it If it’s not in writing, it’s not in the contract

111. You need a lawyer IT personnel, accountants, and consultants are NOT lawyers Get your lawyer involved early (not the day before the contract must be signed) Controlling legal costs: don’t use your lawyer for tasks that can be performed just as well by an employee Get regular updates on project status and fees

112. Relationship of new system to existing system Are you adding an EHR module to an existing system of the same vendor? Interoperability issues interface issues who’s responsible for what Are you replacing an existing vendor? What are your contractual rights and obligations related to your existing system? conversion/transition rights termination rights

113. The System is only as good as the Training... Get the details of the vendor’s training program: –curriculum and course materials –modalities (classroom-based versus Web-based) –Where and when available –Number of trainees per class –Testing to measure effectiveness –Right to re-take a course if passing grade not attained –Availability of refresher courses

114. Should I buy or should I rent? Traditional licensing model Application Service Provider (ASP) model Software as a Service (SaaS) model

115. The System is only as good as the implementation Have a plan: Implementing a system without an implementation plan is like heading into the Outback without a map, GPS, and compass. An implementation plan without milestones is like a battle plan without objectives Milestones without penalties are guns without bullets

116. Deal Structural Models Traditional software license ASP/SaaS cost predictability less upfront investment, but may be more expensive over time security concerns data backups and access

117. Contract Structure One or more agreements covering: Hardware purchase (if any) Software license Hardware maintenance and support (if applicable) Software maintenance and support Hosting (if applicable) Implementation services (if applicable)

118. Software License Terms Authorized Entities – what entities in a corporate group are covered by the license? are new additions to corporate group covered? Authorized Users - who; how many; impact on license fees Assignability Other use restrictions

119. Software Maintenance and Support Maintenance – what updates are free, what updates are billable Support – how delivered, response times; bug handling Service level commitments and credits

120. Hosting (if applicable) uptime security backups data ownership service level commitments and credits

121. Other Contract Topics/Provisions Implementation services (e.g. requirements specification; customization; data conversion): need plan; assign responsibilities; need timeline and milestones; tie payments to milestone achievement; agree upon testing and acceptance)

122. Other Contract Topics/Provisions continued Warranties: HITECH certification warranty - Office of the National Coordinator for Health Information Technology (ONC) sets the rules; the rules are applied by an Authorized Testing and Certification Body (ATCB) to certify EHR systems and modules; Certification Commission for Health Information Technology (CCHIT) is an ATCB “Meaningful use” functionality warranty HIPAA compliance warranty Be sure the foregoing warranties include the obligation to stay current; no lapses permitted non-infringement warranty

123. Dispute resolution: arbitration versus litigation governing law place of adjudication Assignability Liability Limitations Disaster Recovery Force Majeure

124. QUESTIONS???