Electronic Health Records and Health Information Technology Under the New Federal Stimulus Act: How Are Healthcare Entities Affected?

The recently enacted federal stimulus package, the American Recovery and Reinvestment Act of 2009, contains a set of provisions known as the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) that advance the use of technology in healthcare, principally by encouraging hospitals and physicians to adopt an electronic health record (“EHR”) system before the end of 2015. The act also provides funding for, among other things, an EHR infrastructure and technologies to allow for the electronic flow of information; the support of regional and sub-national efforts toward health information exchange; the promotion of interoperable clinical data repositories performing comparative effectiveness research on how electronic data use impacts healthcare treatments and strategies; and the integration of health IT education in the training of healthcare professionals. In addition, the HITECH Act establishes new responsibilities for the U.S. Department of Health and Human Services (“HHS”), through the Office of the National Coordinator for Health Information Technology (the “National Coordinator”), to develop and adopt policies and standards, including new privacy standards, for EHRs and other forms of health information technology. Given the scope of the HITECH Act, and its mandate to HHS to act quickly, regulations and guidance are likely to be issued by the agency regarding the next steps for providers and others to take in the near future. Below are some preliminary questions that hospitals and physicians may want to consider.

How does the HITECH Act encourage physicians and hospitals to adopt EHRs?
Adopting an EHR system is “voluntary” – but there will be financial consequences for a hospital or physician participating in Medicare. For these providers, “meaningful EHR users” are eligible for Medicare incentive payments starting in 2011, and ending in 2015. After 2015, physicians and hospitals that are not “meaningful EHR users” will receive reduced Medicare payments. The HITECH Act also allows for an additional reimbursement of 10 percent for hospitals and physicians providing services in an area designated by the Secretary of HHS as a “health professional shortage area.” Some exceptions to the payment rules exist. Also, Medicaid monies will be available to the states, certain hospitals and certain physicians to develop EHR systems.

In general, for “eligible professionals” who show “meaningful use” of an EHR system, the maximum Medicare incentive payment that a physician may receive for early use (i.e., 2011) is $48,400, which is available if the physician predominantly furnishes services in a health professional shortage area. Other physicians may receive up to $44,000 for early use. For each year after 2011 that the physician becomes a “meaningful EHR user,” these incentive payments will be reduced. The incentive provision excludes “hospital-based eligible professionals,” and special rules are established for “eligible professionals” affiliated with “qualified Medicare Advantage organizations.”

“Qualified hospitals” that show “meaningful use” of an EHR will receive a Medicare incentive payment for early use of an EHR system calculated as the sum of a base amount ($2,000,000), added to its “discharge related amount” and then multiplied by its Medicare share. These payments will be reduced over a four-year transition period (using the formula of 100 percent – 75 percent – 50 percent – 25 percent). Starting in 2015, any “eligible hospitals” that do not turn in the required quality data will be subject to a 25-percent reduction in their annual update. Critical access hospitals have a more generous formula for incentive payments.

Are monies currently available to adopt an EHR system?
Not specifically. However, the HITECH Act creates a number of grant and demonstration project programs for EHR and health information technology activities. The National Coordinator’s website at www.hhs.gov/healthit is a starting point for understanding the health information infrastructure contemplated under the HITECH Act, and various activities and programs. Many states have established health information technology agencies or private collaboratives that are aware of (and ultimately may distribute HITECH Act monies for) health information projects at the provider/enterprise level.

What is a “meaningful EHR user” who qualifies for the Medicare incentive payments?
In general, to be a meaningful EHR user, a provider must adopt a “certified EHR system,” according to standards to be established by HHS. These standards must include e-prescribing. Also, the user must demonstrate, pursuant to agency standards (to be issued), that it engages in the exchange of health information to promote the quality of care and care coordination. Finally, the user must be able to report on clinical quality measures as requested by HHS, using the EHR technology.

If not a physician or a hospital – Is adopting an EHR system necessary, and are these other entities affected by the HITECH Act?
In general, a lab, skilled nursing facility, etc., is not required to adopt an EHR system under the HITECH Act. However, the larger goal of creating a national EHR system is unlikely to work without the ability to share health information, including information in an EHR, among providers, payors and others in the healthcare system. There are likely to be further laws or guidance from HHS on how these other providers will be encouraged to adopt EHRs. The HITECH Act may affect these other entities since it has revised existing privacy and security requirements under HIPAA, which may make them subject to these requirements.

When and how will standards be adopted to direct the implementation of EHR and health information technology systems?
The HITECH Act generally requires the National Coordinator to develop and propose standards, implementation specifications and certification criteria for EHRs and other components of a national health information infrastructure to the Secretary of HHS. An initial set of standards, implementation specifications and certification criteria must be adopted by December 31, 2009. These initial standards should address a number of areas, including the use of a “certified” EHR record by every individual by 2014; a national infrastructure to permit the electronic use and “accurate” exchange of health information; the use of EHRs to improve “quality of care”; and technologies to ensure the privacy and security of health information, ensure “the comprehensive collection of patient demographic data” and address “the needs of children and other vulnerable populations.” Ensuing recommendations from the National Coordinator must be reviewed by the Secretary within 90 days of receipt.

Should healthcare entities start the process of implementing a health information technology system or wait for standards to be adopted?
While the Medicaid reimbursement payments are not scheduled to begin until 2011, healthcare entities will not qualify for the reimbursements simply by purchasing and implementing a system; they must demonstrate that they are a “meaningful EHR user” of a certified EHR. The transition to a new EHR system may take time in order for organizations to choose the right system for their practice, develop an implementation plan, install the system and connect to other networks and providers. The demand to install systems over the next few years (in order for providers to receive the largest reimbursement benefits under the statute) may outweigh the ability of healthcare IT software vendors and consulting professionals to supply the products and services. Therefore, organizations may wish to start considering what steps to take in order to begin the process.

How does the HITECH Act impact existing HIPAA privacy and security requirements?
The HITECH Act substantially modifies the existing HIPAA privacy and security requirements to provide additional privacy and security rights and requirements that benefit the individual and requires that the business associate agreements between covered entities and business associates be updated to reflect any new privacy or security requirements of the HITECH Act. Unless otherwise specified, the effective date of all provisions is 12 months from the date of enactment of the HITECH Act, or February 17, 2010. Additional changes are:

HIPAA privacy and security rules apply to covered entities, which include healthcare providers, health plans and healthcare clearinghouses, and requires these covered entities to enter into specialized confidentiality agreements with business associates, those third parties that perform business functions on behalf of covered entities (e.g., consultants). Under HIPAA, these third parties were subject to contractual breach only if they failed to comply. Under the HITECH Act, covered entities will now include “business associates” who will be directly subject to HIPAA’s privacy and security requirements, including administrative, physical and technical safeguard requirements (such as the need to develop and implement comprehensive written security policies and procedures with respect to the protected health information), as well as its criminal and civil fines and penalties. Also, the HITECH Act maintains that organizations that provide data transmission of protected health information (“PHI”) to covered entities or their business associates, such as health information exchange organizations, regional health information organizations or vendors that contract with a covered entity to allow that covered entity to offer a personal health record to patients as part of its electronic health record, are considered business associates and must have a business associate agreement with such covered entities.

Under the HITECH Act, there are new breach notification requirements for all covered entities requiring the covered entities to report most security breaches directly to individuals. Large security breaches will be reported to HHS and prominent media outlets. The Secretary is required to issue interim final regulations governing the duty to notify within 180 days of enactment of the HITECH Act (August 16, 2009), and these requirements will go into effect 30 days after the date that the interim final regulations are promulgated. Under the HITECH Act, covered entities must, when otherwise permitted, disclose only the “minimum necessary” to accomplish the intended purpose for such disclosure. There will be new guidance issued governing what constitutes “minimum necessary” for purposes of disclosures under the privacy rule within 18 months after the date of enactment of the HITECH Act (August 17, 2010).

Under the HITECH Act, individuals may request an accounting of the disclosures of his/her electronic protected health information, as is contained in the EHR, over the preceding three years. Therefore, covered entities with EHRs may want to begin accounting for disclosures as early as January 1, 2011, depending on when they acquire and begin to use an EHR.

Under the HITECH Act, an individual may request that her protected health information not be disclosed to her health plan if she pays for medical care in full.

Under the HITECH Act, the definition of “health care operations” will be reviewed by the Secretary of HHS by August 17, 2010, and narrowed or clarified.

Under the HITECH Act, the HIPAA Privacy Rule is amended to limit when a covered entity may disclose PHI as part of a healthcare operation if it receives or has received a direct or indirect payment in exchange for making such communication, except in specified circumstances.

Under the HITECH Act, the sale of PHI by a covered entity or a business associate is prohibited without patient authorization except in certain specified circumstances.

As a result of these changes, covered entities should take steps to review their current privacy and security practices to ensure that they are in compliance with the law, update their privacy and security policies, develop a breach notification policy that complies with the HITECH Act (and state law counterparts) and update any business associate agreements to reflect the new obligations under the HITECH Act.

Who will oversee implementation of the HITECH Act and other components of a national, integrated health information network?
Although final responsibility lies with the Secretary of HHS, the National Coordinator has considerable powers. The Office of the National Coordinator was established in 2004 to work with public and private entities to develop a national health information architecture, and applicable policies and procedures. The National Coordinator’s website at www.hhs.gov/healthit contains a wealth of information about the office’s activities and plans. The National Coordinator also will work with states and others at the state and regional levels to facilitate the electronic use of health information according to national standards, including through the adoption of regional support centers and the distribution of grants and other monies.