I’m pleased to be presenting at a seminar on Medical Records law together with my colleague, Phil Miles, on January 31, 2013 in Altoona, Pennsylvania. The law and regulations governing use, disclosure, storage, and security of medical records has significantly evolved over the past two years. I will be presenting updates regarding the HIPAA and HITECH Acts. Phil will be addressing Employers, Employees, and Medical Record Requests.
The complete agenda and registration are available here. We hope you can join us.
The Department of Health and Human Services (HHS), on September 14, 2011, announced proposed changes to regulations that implement the Clinical Laboratory Improvement Amendments (CLIA) and the Health Insurance Portability and Accountability Act (HIPAA). These proposed changes would broaden patient access to laboratory test reports and preempt current Pennsylvania law on this topic.
We previously wrote about a proposed Rule that modifies the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule to require an accounting of electronic disclosures of protected health information. The proposed Rule was open to comments until August 1 and has received much attention, with over 400 comments.
The Department of Health and Human Services has issued a proposed Rule modifying the Health Insurance Portability and Accountability (HIPAA) Act Privacy Rule to require an accounting of electronic disclosures of protected health information and extend its application to business associates.
The Health Information Technology for Economic and Clinical Health Act (HITECH) required the amendment of the Privacy Rule. Under the HITECH Act, health care providers must account for disclosures of protected health information through an electronic health record. The accounting for disclosures under traditional medical records has long been required.
Not only is HHS implementing the required HITECH accounting requirements, but it is also revising the accounting disclosure requirements. Specifically, the proposed Rule does not permit an individual to obtain a report of every access to their protected health information. Instead, they are entitled to an accounting of only those disclosures of their electronic health records. The Department believes that this will minimize the burden on health care providers.
Also consistent with the HITECH Act, HHS is broadening the accounting and disclosure requirements to business associates in its newly proposed Rule.
Health care providers and business associates should continue to monitor these new privacy-related developments.
On February 4, 2011, the Department of Health and Human Services (HHS) issued its first civil monetary penalty for HIPAA violations. The penalty was levied against Cignet Health Center of Prince George’s County, Maryland, and was substantial at $4.3 million dollars. Not only is the penalty notable because it may represent stepped up enforcement of HIPAA privacy provisions by HHS in the wake of the HITECH Act, but it also is the first penalty to implement the HITECH increased penalty amounts.
A key step in any provider’s electronic medical record (EMR) software purchase is the negotiation of the contract or software license agreement (SLA). Contract negotiation often gets passed over for more interesting and timely discussions like developments in the HITECH Act. However, it is every bit as important, especially with HITECH Act provisions making their way into many of the leading EHR vendors’ contracts.
Houston Neal of Software Advice recently contacted me about a guide they have developed for health care providers to manage the legalese of an SLA. In their report, they review five key sections of the SLA: user license, implementation, service obligations, hardware/interfaces, HITECH Act clauses.
Of course there are several other considerations and best practices to keep in mind. Here are some other helpful tips from their post:
- Have a lawyer and senior IT staff review software vendor agreements when possible.
- Review contract language frequently and avoid any ambiguous language.
- Make sure any verbal agreements are backed up by a paper trail.
- Document any “what if” fees. For example, troubleshooting support, late payment fees, system upgrades, etc.
- Make sure the contract includes a clause about security and HIPAA compliance.
- Ask for contract drafts in modifiable formats (e.g. Microsoft Word documents) rather than PDFs.
- Plan a dispute resolution process.
- Reserve the right to take vendor to court rather than submit to arbitration.
- Identify which state’s laws will be used in a dispute or arbitration.
The views, comments, and opinions of Mr. Neal within his article are his own and should not be construed to be those of Defense of Medicine, the authors of this blog, the McQuaide Blasko Law Offices or attorneys associated with the firm.
On October 19, 2010, Pennsylvania enacted new legislation requiring that hospitals and certain health care providers distribute educational materials relating to Sudden Infant Death Syndrome (SIDS). The Act is known as the Sudden Infant Death Syndrome Education and Prevention Program Act. According to the legislative findings, SIDS is the third most common cause of death among newborns in the first year of life, exceeded only by death secondary to congenital malformations and prematurity. The Act requires that the Pennsylvania Department of Health develop a SIDS public awareness program, including educational and instructional materials regarding SIDS. The Act obligates certain health care providers to distribute those materials and document the parents’ receipt of those materials. The presence of immunity provisions in the Act raise the question of whether health care providers who do not comply with the Act’s requirements may be held civilly liable for SIDS-related deaths.
In fulfillment of the HITECH Act’s promises of financial incentives for eligible professionals who use “certified electronic health record technology,” the Office of National Coordinator for Health Information Technology (ONC) has published a list of electronic health record products certified under the ONC’s temporary certification program. To qualify for financial incentive payments, health care providers must implement electronic health records that have been certified to fulfill published regulatory objectives. Health care providers must also become “meaningful users” of those electronic health records.
The meaningful use and certification definitions go hand-in-hand because the financial incentives are only available when electronic systems are implemented that meet regulatory objectives related to interoperability and tasks the systems are capable of performing. The ONC’s certification program and identification of certified electronic systems ensure that health care providers are adopting technologies capable of meeting those regulatory objectives. To become “meaningful users,” the providers must then implement those technologies in their patient care activities as frequently as the regulations require. Recovery of the available financial incentives further requires that the health care providers attest to the Centers for Medicare and Medicaid Services that they are “meaningful users”; those attestations begin in April 2011.
The publication of electronic systems certified to actually meet the “meaningful use” requirements is clearly the next step toward achievement of the HITECH Act’s goal of broadening standardized implementation of electronic health records. Health care providers should exercise diligence and caution when making the investment in electronic record technology to ensure that the chosen system is certified and that they implement it in accordance with the regulatory criteria required to qualify for financial incentives.
The Archives of Internal Medicine published a recent study of computerized physician order entry (CPOE) at the University of Pennsylvania that was halted due to unintended treatment delays associated with the CPOE system. The study reflects the desire to improve patient outcomes and reduce potential error through the use of electronic resources, but demonstrates that those resources must be carefully studied prior to implementation and monitored. The study and the ultimate result is particularly notable in the context of the transition to electronic health records and the necessary use of CPOE to constitute “meaningful use” to qualify for Medicare incentive payments.