On February 17, 2009, President Obama signed into law the Health Information Technology for Economic and Clinical Health Act, also referred to as the HITECH Act, as part of the Federal stimulus bill. The impact of this legislation on health care providers who participate in the Medicare and Medical Assistance programs, as well as colleges and universities providing health informatics education, promises to be dramatic. The HITECH Act calls for significant subsidies in the form of grants and loans totaling $19 billion over four (4) years to health care providers and others in the medical industry for the implementation of health information technology. The Act also funds the Office of the National Coordinator for Health Information Technology (“ONC”), which is empowered to develop a national health information technology infrastructure with the goal of establishing an electronic health record for each citizen by 2014. Furthermore, application of the privacy and security standards promulgated under the Health Insurance Portability and Accountability Act (“HIPAA”) will be expanded significantly to apply directly to business associates of health care providers, plans and clearinghouses. The purpose of this Update is to apprise you of the key provisions of the HITECH Act.
Health Information Technology Implementation Assistance
The HITECH Act provides support in order to assist health care providers in implementing health information technology (“HIT”). In order to support health care providers in adopting, implementing and effectively using certified electronic health record (“EHR”) technology, the HITECH Act authorizes the ONC to create an HIT extension program, consisting of an HIT Research Center and Regional Extension Centers. The HIT Research Center will provide technical assistance and develop best practices to facilitate the utilization of HIT by health care providers nationwide. The goals of the HIT Research Center include: (i) providing a forum for the exchange of knowledge and experience; (ii) assembling, analyzing and disseminating evidence and experience relating to effective use of HIT; and (iii) providing technical assistance to regional and local health information networks.
The Regional Extension Centers created under the Act will also provide technical assistance and disseminate best practices and other lessons learned from the HIT Research Center to health care providers in their regions. The objectives of these Regional Extension Centers will include: (i) assistance with the effective implementation, use and upgrade of HIT, including EHRs; (ii) dissemination of best practices and research on HIT to improve overall health care; (iii) participation in health information exchanges; and (iv) integration of HIT in the training of health professionals in the region. An affiliate of a non-profit organization may apply to become a Regional Extension Center, and will receive financial assistance under the Act if successful. Within ninety (90) days of the February 17, 2009 enactment, the Department of Health and Human Services (“HHS”) will release Regional Extension Center applications. At this point, it remains unclear to what extent, if any, a Regional Extension Center may provide direct monetary assistance to health care providers for implementation and upgrade of HIT.
Loan Programs for Implementation of Certified EHR Technology
Starting January 1, 2010, States, including Pennsylvania, will be eligible to receive grants for the establishment of loan programs to health care providers, who may use the proceeds to: purchase certified EHR technology; train personnel; and improve the secure electronic exchange of health information. States may use the grant proceeds to: (i) award loans to health care providers, the interest rates of which cannot exceed the market rate, with principal and interest payments commencing not later than one (1) year after issuance and fully amortized not more than ten (10) years from the date of the loan; (ii) guarantee a local obligation financing an HIT project; and (iii) payment of revenue or general obligation bonds issued by the State if the sale proceeds of such bonds ultimately fund the aforementioned loan programs. In addition to funding loan programs, States are eligible to receive separate grants to assist in the implementation of HIT.
Direct Incentives to Physicians for Use of Certified EHR Technology
Starting in 2011 and continuing through 2015, incentives through the Medicare program will be made available for physicians who make “meaningful use” of certified EHR technology (ex. an EHR that is CCHIT certified). It is also important to note that beginning in 2016, any physician not making meaningful use of certified EHR technology may be subject to reductions in his/her Medicare payments. Although likely to be further defined by future regulation, “meaningful use” of certified EHR technology means demonstration, to the satisfaction of the Secretary of HHS: (i) that the physician is using certified EHR technology in a meaningful manner, which includes e-prescribing; (ii) connection of the certified EHR technology in a manner that provides for electronic exchange of health information to improve medical quality, including coordination of care; and (iii) use of the certified EHR technology to submit information on clinical quality measures. If a physician meets these criteria, he/she may qualify to receive an incentive payment from Medicare in an amount equal to seventy-five percent (75%) of the Secretary of HHS’ estimate (based on claims submitted not later than two (2) months after the end of the payment year) of the allowed charges for all such covered professional services furnished by the physician during the year, subject to certain caps. Hospital-based physicians do not qualify for such incentive payments. Physicians who practice in Health Professional Shortage Areas may be eligible for increased incentives.
Assistance to Colleges and Universities
The HITECH Act also provides for assistance to colleges and universities to establish or expand health informatics education programs, including certification, undergraduate and masters degree programs. Assistance may be provided to: (i) develop and revise curricula in medical health informatics and related disciplines; (ii) recruit and retain students; (iii) acquire and install equipment needed for instruction; and (iv) establish or enhance bridge programs in the health informatics fields between community colleges and universities. Priority for such assistance will go first to existing education and training programs and then to programs designed to be completed in less than six (6) months.
The HITECH Act also provides grants to fund demonstration programs to develop academic curricula integrating certified EHR technology in the clinical education of health professionals, which will be awarded on a competitive basis and pursuant to peer review. In order to qualify, an entity must be: (i) a school of medicine, osteopathic medicine, dentistry, or pharmacy, a graduate program in behavioral or mental health, or any other graduate health professions school; (ii) a graduate school of nursing or physician assistant studies; (iii) a consortium of schools described in (i) or (iii) above; or (iv) an institution with a graduate medical education program in medicine, osteopathic medicine, dentistry, pharmacy, nursing or physician assistance studies.
Business Associates under HIPAA
The HIPAA privacy and security standards, including the penalties for wrongful use and disclosure of health information, will apply directly to business associates under the HITECH Act. A business associate is a person to whom a health care provider, plan, or clearinghouse discloses individually identifiable health information, so that the person can carry out, assist with the performance of, or perform on behalf of, a function or activity for the covered entity. Although this term does not include a covered entity’s employees, it does include, among others, billing agents, auditors, third-party administrators, attorneys, accountants and consultants. Before the HITECH Act, a covered entity was required to obtain satisfactory assurance from a business associates regarding its intended use and disclosure of health information in the form of a business associate agreement. Now, the privacy and security standards will apply to business associates directly, as they do covered entities. It is anticipated that HHS will issue guidance through its rulemaking power on this matter within the next year.
Notice of Breach of Privacy/Security
The HITECH Act requires covered entities and business associates to notify affected individuals and HHS upon discovery of a breach of unsecured individually identifiable health information, where said information has been accessed, acquired, or disclosed as a result of such breach. Unsecured individually identifiable health information means that which is not secured using a technology that the Secretary of HHS will identify in future rulemaking. If such guidance is not issued by the Secretary within sixty (60) days of enactment, the term “unsecured” will mean individually identifiable health information not secured by a standard that renders it unusable, unreadable, or indecipherable to unauthorized individuals; and is recognized by a standard developing organization accredited by ANSI. If more than 500 individuals are affected by the breach, notice of same must be given to both the Secretary of HHS and prominent media outlets in the area. A log must be maintained of all breaches and submitted to HHS annually.
Access to Health Information and Accounting of Disclosures
If individually identifiable health information is maintained in an EHR, the individual who is the subject of the information has the right to receive an electronic copy.
An individual may request that disclosure of health information to his/her health plan not occur if it pertains solely to a health care item or service for which the health care provider involved has been paid out of pocket in full.
Under the HITECH Act, individuals now have a right to receive an accounting of the disclosures of their EHR for the previous three (3) years, including disclosures to carry out treatment, payments and health care operations, categories of disclosures which were exempt from accounting requirements previously.
Other Privacy and Security Rule Modifications
The HITECH Act also: (i) increases the civil penalties for HIPAA violations and authorizes state attorney generals to prosecute offenses; (ii) prohibits covered entities from receiving payment for communicating with patients for marketing purposes (including fundraising) in the absence of a specific authorization to do so signed by the patient; and (iii) covered entities must limit use and disclosure of individually identifiable health information to a limited data set, or if needed, to the minimum necessary to accomplish the intended purpose of the use or disclosure.
Effective Date
In general, the effective date of the HITECH Act is one (1) year from enactment, February 17, 2010. It is important to note, however, particularly with respect to the HIPAA modifications, that the Secretary of HHS and other federal agencies are likely to begin promulgating regulations prior to the effective date.
If you have any questions regarding the HITECH Act and how it may impact your operations, please feel free to contact either the Chairperson of the Tallman, Hudders & Sorrentino, P.C. Health Care Practice Group, Matthew R. Sorrentino, Esq., or the author of this article, F. Peter Lehr, Esq., via telephone at (610) 391-1800, or by email at the addresses below.
Matthew R. Sorrentino, Esq. msorrentino@thslaw.com
F. Peter Lehr, Esq. plehr@thslaw.com
Please note that the purpose of this Health Law Update is to provide you with general information concerning the key provisions of the HITECH Act, and should not be considered or construed to be legal advice or opinion.
# # # # #