1. David G. Schoolcraft Ogden Murphy Wallace, PLLC dschoolcraft@omwlaw.com

2.  Part I – Overview of the HITECH Act  Part II – HIPAA 2.0 ◦ Breach Notification Rule - Effective September 23, 2009 ◦ Business Associate Agreements ◦ Penalties & Enforcement ◦ Timeline and Additional Privacy Requirements  Part III – Health IT Funding ◦ Billions in federal stimulus funding ◦ Complex payment methodologies for healthcare providers ◦ Open issues regarding “meaningful use” and “certified electronic health record technology” 2

3. ARRAHITECH* Act Funding for Health IT HIPAA 2.0 Health IT Bureaucracy Part I - HITECH Act Overview 3 * Health Information Technology for Economic and Clinical Health Act

4. The Policy Picture Peter Orszag, Director OMB “The US must move towards a higher-quality, lower- cost system in which best practices are universal…The administration has therefore put forward initiatives such as health IT…” 4

5. New Compliance Obligations and More Regulations to Come

6. “A covered entity shall, following discovery of a breach of unsecured protected health information, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been accessed, acquired, used, or disclosed as a result of such breach.” - 45 CFR §164.404(a)(1) HIPAA Breach Notification Rule 6

7. Is there a breach? 1. Violation of the Privacy Rule 2. Significant Risk of Harm A.Is There a Breach? 7

8.  Harm Threshold ◦ Incident must impose a “significant risk of financial, reputational or other harm to the individual.”  Fact Specific Analysis ◦ What is the nature of the information? ◦ To whom was the information disclosed? ◦ Mitigation efforts matter Significant Risk of Harm 8

9.  Was data “unusable, unreadable, or indecipherable to unauthorized individuals”?  Safe Harbor Standards: ◦ National Institute of Standards and Technology (NIST) publications:  800-111 (Encryption)  800-52 (Transport Layer Security)  800-77 and 800-113(VPNs)  800-88 (Guidelines for Media Sanitation) ◦ NIST publications available at www.csrc.nist.gov B.Was PHI “unsecured”? 9

10.  60 day shot-clock from date of discovery  Without “unreasonable delay” 10 Oct. 1 Oct. 1stOct. 3rdNov. 1stDec. 2nd Stolen laptop becomes known to CE Laptop is stolen Notification Deadline 60 days Failure to provide notification within 60 days may lead to violation

11.  What if a business associate is involved? 11 Oct. 1 Oct. 1stOct. 3rdNov. 1stDec. 2ndDec. 30th Stolen laptop becomes known to BA Laptop is stolen from BA BA notifies CE Notification Deadline (if BA is independent contractor) Notification Deadline (if BA is agent) 60 days Failure to provide notification within 60 days may lead to violation

12.  Brief description of what happened ◦ Date of breach ◦ Date of discovery of breach  Description of the types of PHI disclosed  Steps individual should take to protect him/herself  Description of what covered entity is doing to: ◦ Investigate breach ◦ Mitigate harm to individuals - i.e. provide fraud insurance, suggest that individual contact credit bureau or credit care company ◦ Protect from further breaches  Contact procedures-- Toll free number, website or postal address Content of Notice to Individuals 12

13.  Media Notice - Required if Over 500 Individuals ◦ Supplemental to written notice; must still provide individual notice ◦ Prominent media outlets serving a state or jurisdiction ◦ Contains the same content as written notice  Notice to HHS ◦ Over 500 individuals - notice required within 60 days ◦ Less than 500 then CE maintains a log and reports all breaches within 60 days after calendar year using HHS form Additional Notice Recipients 13

14.  Implementation of Policies & Procedures  Train workforce members  Risk assessment regarding “unsecured” data  Maintenance of breach log for reporting to HHS  Effective September 23, 2009 but HHS to exercise enforcement discretion to February 22, 2010 HIPAA Breach Notification Rule Administrative Requirements 14

15.  Application of certain HIPAA Security Standards ◦ Administrative Safeguards ◦ Physician Safeguards ◦ Technical Safeguards ◦ Documentation Requirements  Application of certain HIPAA Privacy Standards ◦ 45 CFR Section 164.504(e) and new HITECH provisions  Subject to same civil and criminal penalties as covered entities 15

16.  Must Business Associate Agreements be modified?  Ambiguous terms in HITECH Act: ◦ “The additional requirements of this title that relate to security and that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporated into the business associate agreement between the business associate and the covered entity.” - Sec. 13401; parallel provision at Sec. 13404 for privacy standards  HHS: Guidance to be issued this Fall Business Associate Agreements 16

17.  Update forms and new agreements to include HITECH Act requirements for business associates under Section 13401(a) and 13404(a) of the Act  Revise notification requirements in light of new breach notification rules  Consider indemnity provisions related to costs of breach notification caused by business associate.  Monitor HHS guidance and implement any additional changes for new (and potentially existing) business associate arrangements Business Associate Agreements: Next Steps 17

18.  Expansion of criminal and civil penalties  Tiered penalties depending on the nature of the violation  Periodic audits by HHS  State Attorney General may bring civil actions provided no federal action pending  Victims may receive percentage of civil penalties (starting in 2012) Penalties and Enforcement 18

19. Feb. 2009 Increased penalties Enforcement by State Attorney General Sept. 2009 Data Breach Notification Requirements Fall 2009 HHS Issues Guidance Regarding Business Associate Agreements Feb. 2010 New Rules for Business Associates Revised Marketing and Fundraising Rules June 2010 HHS to Issue Regulations for Accounting of Disclosures Jan. 2011 Accounting of Disclosures for adopters of EHR after 1/1/2009 Jan. 2014 Accounting of Disclosures for EHR adopters before 1/1/2009 19

21. Scope of Health IT Funding In billions of dollars *Estimated, includes incentive payments 21

22. HIE Planning & Development Planning Grants State Designated Entity States Implementation Grants EHR Adoption Loan Program Loan FundsIndian Tribes Health Care Providers Health IT Extension Program Regional Extension Centers Nonprofits Least Advantaged Providers Health IT Research Center 22 Additional funds available for Workforce Training Grants and New Technology Research & Development Grants Contact: Washington State Health Care Authority

23. Medicare Payment Incentives Incentive Payments through Carriers Hospitals Physicians Medicare up to $44,000 Medicaid up to $63,750 Medicaid Payment Incentives 10%+ of Patients Incentive Payments through State Agencies Nurse Practitioners & Midwives FQHC 23 Incentive payments decrease starting in 2013 Penalties (lower reimbursements) starting in 2015

25.  Hospitals may be able to collect incentive payments for certain employed physicians, but note that “hospital-based” physicians are excluded Excluded Physicians Pathologists Anesthesiologists Emergency Physicians

26.  Washington Grace Hospital = 80 beds ◦ 4 Employed Physicians – Medicare ($44,000) Estimates based on certain factual assumptions. Subject to revision under final HHS regulations.

27.  Demonstrate to the “satisfaction of the Secretary” use of certified EHR in a meaningful manner  Certified EHR technology must be connected to provide for the electronic exchange of health information to improve the quality of care  Hospitals to submit information on clinical quality and other measures as selected by the Secretary 27

28. Office of the National Coordinator HIT Policy Committee HIT Standards Committee Public Comments Over 800 received CMS “Meaningful Use”- Policy Process 28

29. “Meaningful Use” – Timeline 2009201120132015 Phased HIT-Enabled Health Reform HITECH Policies HHS to define terms and issue regulations Capture/Share Data Incentive Payments Advanced care processes with decision support Improved Outcomes Penalties 29

30.  Proposed Definition of HHS Certification ◦ HHS Certification means that a system is able to achieve the minimum government requirements for security, privacy, and interoperability, and that the system is able to produce the Meaningful Use results that the government expects. ◦ HHS Certification is not intended to be viewed as a “seal of approval” or an indication of the benefits of one system over another.  December 31, 2009 deadline for initial standards, implementation specs and certification criteria 30

31.  Careful review of information technology transactions – from due diligence during system selection through contracting  Ensure that all information technology transactions are HITECH ready ◦ Vendor/service provider commitment regarding data security and accounting of disclosure requirements ◦ Updated Business Associate Agreement ◦ Functionality necessary to obtain or maintain “certified EHR“ status and to facilitate “meaningful use” Technology Transaction Review 31

32.  HHS and the Office of the National Coordinator for Health Information Technology (ONCHIT) for development of standards for “certified EHRs” and “meaningful use” http://healthit.hhs.gov/  Washington State Health Care Authority regarding grants and other “appropriated funds” http://www.hca.wa.gov/arra.html 32

33. David G. Schoolcraft dschoolcraft@omwlaw.com 206.447.7211 Health Law Blog: www.omwhealthlaw.comwww.omwhealthlaw.com

34. APPENDIX 34

35.  HITECH Act contains additional statutory exceptions to definition of “breach”. ◦ Unintentional use or disclosure to workforce member if use or disclosure was made in good faith and did not result in further use or disclosure ◦ Inadvertent disclosure from an individual authorized to access the records to another similarly situated individual ◦ Unauthorized person could not have reasonably retained the information. ◦ Limited data set excluding Date of Birth and Zip Codes Breach Definition Statutory Exceptions 35

36. Violation when Person “Did Not Know” $100/violation $25,000 Max Violation due to Reasonable Cause $1,000/violation $100,000 Max Willful Neglect Corrected $10,000/violation $250,000 Max Willful Neglect Not Corrected $50,000/violation $1,500,000 max Increased Civil Penalties 36 HHS shall base the penalty determination on the nature & extent of the violation and the nature & extent of the resulting harm. Effective for all violations after Feb. 17, 2009

37.  Hospitals ($2 MM + $200 (Discharges 1,150 th - 23,000 th )) * Medicare Share (%)* Transition Factor  Total Discharges  Medicare Inpatient Days  Charity Care  Critical Access Hospitals 101% * Reasonable Cost of EHR System * (Medicare Share % + 20%)  Costs of EHR System  Medicare Inpatient Days  Charity Care Medicare Funds - Formulas & Key Factors 37 Medicare Share

38.  Washington Grace CAH – 25 beds Total Discharges 170 Medicare Patients110 Medicare Inpatient Days260 Total Inpatient Days350 Total Hospital Charges $ 8,500,000 Total Charity Care$120,000 Annual Cost of EHR System$350,000 Medicare Share 75% + 20% = 95% (20% increase for CAH) Total $1,348,242 Estimate of Incentive Payments * 2011201220132014 $337,060 Assumes costs remain the same over all four years *Estimate based upon existing statute in advance of HHS rule making.

39.  85% of the “net average allowable costs” ◦ Capped at $25,000 in year 1 ◦ Capped at $10,000 for years 2-6  Pediatrician incentive reduced by 2/3rds unless Medicaid patient volume is 30%+  No initial payments after 2016  No subsequent payments after 2021 Eligible Professional: 85% * $25,000 + 85% * 50,000 = $63,750 Pediatrician (20-29% Medicaid) 85% * $25,000 * (2/3) + 85% * $50,000 * (2/3) = $42,500 Medicaid Incentive Payments for Physicians

40.  10% of “Patient Volume” on Medical Assistance ◦ To be defined by Secretary of HHS ◦ Inpatient vs. outpatient volumes  States allocate the money  Year 1 – Demonstrate efforts to adopt, implement or upgrade EHR system  Years 2-6 – Demonstrate “meaningful use”