HITECH Health Reform: Health IT Funding, HIPAA 2.0, and the Impact of the HITECH Act

David G. Schoolcraft
Ogden Murphy Wallace, PLLC


Presentation Outline

• Part I – Overview of the HITECH Act
• Part II – HIPAA 2.0
  ◦ Breach Notification Rule - Effective September 23, 2009
  ◦ Business Associate Agreements
  ◦ Penalties & Enforcement
  ◦ Timeline and Additional Privacy Requirements
• Part III – Health IT Funding
  ◦ Billions in federal stimulus funding
  ◦ Complex payment methodologies for healthcare providers
  ◦ Open issues regarding “meaningful use” and “certified electronic health record technology”

Part I - HITECH Act Overview

[Diagram labels: ARRA; HITECH* Act; Funding for Health IT; HIPAA 2.0; Health IT Bureaucracy]

*Health Information Technology for Economic and Clinical Health Act

The Policy Picture

Peter Orszag, Director OMB

“The US must move towards a higher-quality, lower-cost system in which best practices are universal…The administration has therefore put forward initiatives such as health IT…”

Part II – HIPAA 2.0

New Compliance Obligations and More Regulations to Come

HIPAA Breach Notification Rule

“A covered entity shall, following discovery of a breach of unsecured protected health information, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been accessed, acquired, used, or disclosed as a result of such breach.”

- 45 CFR §164.404(a)(1)

A. Is There a Breach?

1. Violation of the Privacy Rule

2. Significant Risk of Harm

Significant Risk of Harm

• Harm Threshold
  ◦ Incident must impose a “significant risk of financial, reputational or other harm to the individual.”
• Fact Specific Analysis
  ◦ What is the nature of the information?
  ◦ To whom was the information disclosed?
  ◦ Mitigation efforts matter

B. Was PHI “unsecured”?

• Was data “unusable, unreadable, or indecipherable to unauthorized individuals”?
• Safe Harbor Standards:
  ◦ National Institute of Standards and Technology (NIST) publications:
      800-111 (Encryption)
      800-52 (Transport Layer Security)
      800-77 and 800-113 (VPNs)
      800-88 (Guidelines for Media Sanitization)
  ◦ NIST publications available at www.csrc.nist.gov

Timeliness of Notice

• 60 day shot-clock from date of discovery
• Without “unreasonable delay”
• Failure to provide notification within 60 days may lead to violation

[Timeline figure. Dates: Oct. 1st, Oct. 3rd, Nov. 1st, Dec. 2nd. Labels: Laptop is stolen; Stolen laptop becomes known to CE; Notification Deadline; 60 days]

Timeliness of Notice

What if a business associate is involved?

• Failure to provide notification within 60 days may lead to violation

[Timeline figure. Dates: Oct. 1st, Oct. 3rd, Nov. 1st, Dec. 2nd, Dec. 30th. Labels: Laptop is stolen from BA; Stolen laptop becomes known to BA; BA notifies CE; Notification Deadline (if BA is independent contractor); Notification Deadline (if BA is agent); 60 days; 60 days]

Content of Notice to Individuals

• Brief description of what happened
  ◦ Date of breach
  ◦ Date of discovery of breach
• Description of the types of PHI disclosed
• Steps individual should take to protect him/herself
• Description of what covered entity is doing to:
  ◦ Investigate breach
  ◦ Mitigate harm to individuals - i.e. provide fraud insurance, suggest that individual contact credit bureau or credit card company
  ◦ Protect from further breaches
• Contact procedures--Toll free number, website or postal address

Additional Notice Recipients

• Media Notice - Required if Over 500 Individuals
  ◦ Supplemental to written notice; must still provide individual notice
  ◦ Prominent media outlets serving a state or jurisdiction
  ◦ Contains the same content as written notice
• Notice to HHS
  ◦ Over 500 individuals - notice required within 60 days
  ◦ Less than 500 then CE maintains a log and reports all breaches within 60 days after calendar year using HHS form

HIPAA Breach Notification Rule Administrative Requirements

• Implementation of Policies & Procedures
• Train workforce members
• Risk assessment regarding “unsecured” data
• Maintenance of breach log for reporting to HHS
• Effective September 23, 2009 but HHS to exercise enforcement discretion to February 22, 2010

Business Associates

• Application of certain HIPAA Security Standards
  ◦ Administrative Safeguards
  ◦ Physical Safeguards
  ◦ Technical Safeguards
  ◦ Documentation Requirements
• Application of certain HIPAA Privacy Standards
  ◦ 45 CFR Section 164.504(e) and new HITECH provisions
• Subject to same civil and criminal penalties as covered entities

Business Associate Agreements

• Must Business Associate Agreements be modified?
• Ambiguous terms in HITECH Act:
  ◦ “The additional requirements of this title that relate to security and that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporated into the business associate agreement between the business associate and the covered entity.” - Sec. 13401; parallel provision at Sec. 13404 for privacy standards
• HHS: Guidance to be issued this Fall

Business Associate Agreements: Next Steps

• Update forms and new agreements to include HITECH Act requirements for business associates under Section 13401(a) and 13404(a) of the Act
• Revise notification requirements in light of new breach notification rules
• Consider indemnity provisions related to costs of breach notification caused by business associate.
• Monitor HHS guidance and implement any additional changes for new (and potentially existing) business associate arrangements

Penalties and Enforcement

• Expansion of criminal and civil penalties
• Tiered penalties depending on the nature of the violation
• Periodic audits by HHS
• State Attorney General may bring civil actions provided no federal action pending
• Victims may receive percentage of civil penalties (starting in 2012)

HIPAA 2.0 Timeline

• Feb. 2009: Increased penalties; Enforcement by State Attorney General
• Sept. 2009: Data Breach Notification Requirements
• Fall 2009: HHS Issues Guidance Regarding Business Associate Agreements
• Feb. 2010: New Rules for Business Associates; Revised Marketing and Fundraising Rules
• June 2010: HHS to Issue Regulations for Accounting of Disclosures
• Jan. 2011: Accounting of Disclosures for adopters of EHR after 1/1/2009
• Jan. 2014: Accounting of Disclosures for EHR adopters before 1/1/2009

Part III – Health IT Funding

Scope of Health IT Funding

In billions of dollars

[Bar chart, vertical axis $0 to $60. 2004-2008: $0.68; 2009-2015*: $50.39]

*Estimated, includes incentive payments

Appropriated Funds

[Diagram labels: HIE Planning & Development; Planning Grants; State Designated Entity; States; Implementation Grants; EHR Adoption Loan Program; Loan Funds; Indian Tribes; Health Care Providers; Health IT Extension Program; Regional Extension Centers; Nonprofits; Least Advantaged Providers; Health IT Research Center]

Additional funds available for Workforce Training Grants and New Technology Research & Development Grants

Contact: Washington State Health Care Authority

Incentive Funds

[Diagram labels: Medicare Payment Incentives; Incentive Payments through Carriers; Hospitals; Physicians (Medicare up to $44,000, Medicaid up to $63,750); Medicaid Payment Incentives (10%+ of Patients); Incentive Payments through State Agencies; Nurse Practitioners & Midwives; FQHC]

• Incentive payments decrease starting in 2013
• Penalties (lower reimbursements) starting in 2015

Medicare Incentive Payments for Physicians

Meaningful EHR User   FY 2011   FY 2012   FY 2013   FY 2014   FY 2015   FY 2016   FY 2017   Total
FY 2011               $18,000   $12,000   $8,000    $4,000    $2,000    -         -         $44,000
FY 2012               -         $18,000   $12,000   $8,000    $4,000    $2,000    -         $44,000
FY 2013               -         -         $15,000   $12,000   $8,000    $4,000    -         $39,000
FY 2014               -         -         -         $12,000   $8,000    $4,000    -         $24,000
After FY 2015         -         -         -         -         1%        2%        3%        -

Medicare Incentive Payments for Physicians

Hospitals may be able to collect incentive payments for certain employed physicians, but note that “hospital-based” physicians are excluded

Excluded Physicians
• Pathologists
• Anesthesiologists
• Emergency Physicians

Scope of Incentive Funds – Example

• Washington Grace Hospital = 80 beds
  ◦ 4 Employed Physicians – Medicare ($44,000)

Estimates based on certain factual assumptions. Subject to revision under final HHS regulations.

“Meaningful Use”

• Demonstrate to the “satisfaction of the Secretary” use of certified EHR in a meaningful manner
• Certified EHR technology must be connected to provide for the electronic exchange of health information to improve the quality of care
• Hospitals to submit information on clinical quality and other measures as selected by the Secretary

“Meaningful Use” - Policy Process

[Diagram labels: Office of the National Coordinator; HIT Policy Committee; HIT Standards Committee; Public Comments (over 800 received); CMS]

“Meaningful Use” – Timeline

[Timeline figure, 2009 / 2011 / 2013 / 2015. Labels: Phased HIT-Enabled Health Reform; HITECH Policies; HHS to define terms and issue regulations; Capture/Share Data; Incentive Payments; Advanced care processes with decision support; Improved Outcomes; Penalties]

“Certified EHR Technology”

• Proposed Definition of HHS Certification
  ◦ HHS Certification means that a system is able to achieve the minimum government requirements for security, privacy, and interoperability, and that the system is able to produce the Meaningful Use results that the government expects.
  ◦ HHS Certification is not intended to be viewed as a “seal of approval” or an indication of the benefits of one system over another.
• December 31, 2009 deadline for initial standards, implementation specs and certification criteria

Technology Transaction Review

• Careful review of information technology transactions – from due diligence during system selection through contracting
• Ensure that all information technology transactions are HITECH ready
  ◦ Vendor/service provider commitment regarding data security and accounting of disclosure requirements
  ◦ Updated Business Associate Agreement
  ◦ Functionality necessary to obtain or maintain “certified EHR” status and to facilitate “meaningful use”

Additional Resources

• HHS and the Office of the National Coordinator for Health Information Technology (ONCHIT) for development of standards for “certified EHRs” and “meaningful use”
  http://healthit.hhs.gov/
• Washington State Health Care Authority regarding grants and other “appropriated funds”
  http://www.hca.wa.gov/arra.html

Questions?

David G. Schoolcraft

Health Law Blog: www.omwhealthlaw.com


APPENDIX

Breach Definition Statutory Exceptions

• HITECH Act contains additional statutory exceptions to definition of “breach”.
  ◦ Unintentional use or disclosure to workforce member if use or disclosure was made in good faith and did not result in further use or disclosure
  ◦ Inadvertent disclosure from an individual authorized to access the records to another similarly situated individual
  ◦ Unauthorized person could not have reasonably retained the information.
  ◦ Limited data set excluding Date of Birth and Zip Codes

Increased Civil Penalties

• Violation when Person “Did Not Know”: $100/violation, $25,000 Max
• Violation due to Reasonable Cause: $1,000/violation, $100,000 Max
• Willful Neglect, Corrected: $10,000/violation, $250,000 Max
• Willful Neglect, Not Corrected: $50,000/violation, $1,500,000 max

HHS shall base the penalty determination on the nature & extent of the violation and the nature & extent of the resulting harm.

Effective for all violations after Feb. 17, 2009

Medicare Funds - Formulas & Key Factors

• Hospitals
  ($2 MM + $200 (Discharges 1,150th - 23,000th)) * Medicare Share (%) * Transition Factor
  ◦ Total Discharges
  ◦ Medicare Inpatient Days
  ◦ Charity Care
• Critical Access Hospitals
  101% * Reasonable Cost of EHR System * (Medicare Share % + 20%)
  ◦ Costs of EHR System
  ◦ Medicare Inpatient Days
  ◦ Charity Care

Medicare Incentive Payments – CAH Example

Washington Grace CAH – 25 beds

Total Discharges: 170
Medicare Patients: 110
Medicare Inpatient Days: 260
Total Inpatient Days: 350
Total Hospital Charges: $8,500,000
Total Charity Care: $120,000
Annual Cost of EHR System: $350,000

Medicare Share: 75% + 20% = 95% (20% increase for CAH)

Estimate of Incentive Payments*
2011: $337,060
2012: $337,060
2013: $337,060
2014: $337,060
Total: $1,348,242

Assumes costs remain the same over all four years

*Estimate based upon existing statute in advance of HHS rule making.

Medicaid Incentive Payments for Physicians

• 85% of the “net average allowable costs”
  ◦ Capped at $25,000 in year 1
  ◦ Capped at $10,000 for years 2-6
• Pediatrician incentive reduced by 2/3rds unless Medicaid patient volume is 30%+
• No initial payments after 2016
• No subsequent payments after 2021

Eligible Professional: 85% * $25,000 + 85% * $50,000 = $63,750

Pediatrician (20-29% Medicaid): 85% * $25,000 * (2/3) + 85% * $50,000 * (2/3) = $42,500

Medicaid Incentive Payments for Hospitals

• 10% of “Patient Volume” on Medical Assistance
  ◦ To be defined by Secretary of HHS
  ◦ Inpatient vs. outpatient volumes
• States allocate the money
• Year 1 – Demonstrate efforts to adopt, implement or upgrade EHR system
• Years 2-6 – Demonstrate “meaningful use”