WRUG_Conference_Presentation_HITECH
					                              Presented By: Darryl Low

Darryl Low Consulting   “Putting the Fun into your Functionality” – WRUG 2010 User Conference
      American Recovery and Reinvestment Act
          Improved Privacy & Security
          Civil Penalties
          Business Associates
          Breach and Reporting
      HITECH & Electronic Health Records
          Who Qualifies
          Meaningful Use
          EHR Certification
        Economic Stimulus Act of 2008
        Emergency Economic Stabilization Act of 2008
        House Bill, H.R. 1 – January 25th
        Senate Bill, S.1 – February 10th
        Conference Completed February 11th
        House and Senate Votes – February 13th
            House - 246-183 (no Republican Yes votes)
            Senate - 60-38 (3 Rep Yes votes)
        Signed into law on February 17th, 2009

        To preserve and create jobs and promote economic
        To assist those most impacted by the recession.
        To provide investments needed to increase economic
        efficiency by spurring technological advances in science
        and health.
        To invest in transportation, environmental protection,
        and other infrastructure that will provide long-term
        economic benefits.
        To stabilize State and local government budgets, in order
        to minimize and avoid reductions in essential services
        and counterproductive state and local tax increases

        $787 billion of investment
        Tax cuts for individuals
            Total: $237 billion
        Tax cuts for companies
            Total: $51 billion
            Total: $147.7 billion
            Total: $90.9 billion
        Aid to low income workers, unemployed and retirees
            Total: $82.5 billion

    Provisions – Continued
        Infrastructure Investment
            Total: $80.9 billion
            Total: $61.3 billion
            Total: $12.7 billion
        Scientific Research
            Total: $8.9 billion
            $18.1 billion

        Composition of the Act:
        Tax cuts - includes $15 B for Infrastructure and Science, $61 B for Protecting the Vulnerable, $25 B for Education and Training and $22 B for Energy, so
          total funds are $126 B for Infrastructure and Science, $142 B for Protecting the Vulnerable, $78 B for Education and Training, and $65 B for Energy.
        State and Local Fiscal Relief - Prevents state and local cuts to health and education programs and state and local tax increases.

       Source: Xcenda

    Subtitle A—Promotion of Health Information Technology
        Part 1—Improving Health Care Quality, Safety, and Efficiency
            Sec. 13101. ONCHIT; standards development and adoption.
            Sec. 13102. Technical amendment.
        Part 2—Application and Use of Adopted Health Information Technology Standards; Reports
            Sec. 13111. Coordination of Federal activities with adopted standards and implementation specifications.
            Sec. 13112. Application to private entities.
            Sec. 13113. Study and reports.
    Subtitle B—Testing of Health Information Technology
        Sec. 13201. National Institute for Standards and Technology testing.
        Sec. 13202. Research and development programs.
    Subtitle C—Grants and Loans Funding
        Sec. 13301. Grant, loan, and demonstration programs.
    Subtitle D—Privacy
        Sec. 13400. Definitions.
        Part 1—Improved Privacy Provisions and Security Provisions
            Sec. 13401. Application of security provisions and penalties to business associates of covered entities; annual guidance on security provisions.
            Sec. 13402. Notification in the case of breach.
            Sec. 13403. Education on health information privacy.
            Sec. 13404. Application of privacy provisions and penalties to business associates of covered entities.
            Sec. 13405. Restrictions on certain disclosures and sales of health information; accounting of certain protected health information disclosures;
            access to certain information in electronic format.
            Sec. 13406. Conditions on certain contacts as part of health care operations.
            Sec. 13407. Temporary breach notification requirement for vendors of personal health records and other non-HIPAA covered entities.
            Sec. 13408. Business associate contracts required for certain entities.
            Sec. 13409. Clarification of application of wrongful disclosures criminal penalties.
            Sec. 13410. Improved enforcement.
            Sec. 13411. Audits.
        Part 2—Relationship to Other Laws; Regulatory References; Effective Date; Reports
            Sec. 13421. Relationship to other laws.
            Sec. 13422. Regulatory references.
            Sec. 13423. Effective date.
            Sec. 13424. Studies, reports, guidance.

    Overview of the Sweeping Changes made by
    HITECH Act
        Increases civil monetary penalties (CMP’s) and makes
        some fines mandatory.
        Direct compliance obligations on Business Associates
        State Attorneys General have enforcement authority
        Breach Notification Requirements
        Revises minimum necessary standards

A large breach of identifiable medical records and Social Security numbers prompts legal action.
By Joseph Goedert
Health Data Management Magazine, 03/01/2010
Connecticut Attorney General Richard Blumenthal has filed a lawsuit charging Health Net of Connecticut Inc. with
violations of the HIPAA privacy and security rules following a large breach of identifiable medical records and Social
Security numbers.
Blumenthal's office believes this is the first lawsuit by a state's chief legal officer since the HITECH Act last year gave
state attorneys general authority to prosecute HIPAA privacy and security violations.
Parent company Health Net in Los Angeles last November reported to insurance officials in four states the disappearance
in May of a hard drive with protected health information on 1.5 million members, including 446,000 in Connecticut. The
data was not encrypted, but Health Net said it is invisible without the use of specific software. The company attributed the
delay in reporting the breach to a lengthy forensic investigation to determine what information was on the hard drive.
In the lawsuit, Blumenthal charges Health Net did not have adequate legal grounds to delay notifying members of the
breach and that the delay constituted an unfair trade practice under state law. "Under information and belief, no law
enforcement agency determined that the notification to affected Connecticut residents would have impeded a criminal
investigation and requested that the notification be delayed," according to the suit.
Blumenthal is seeking a court order blocking Health Net from further HIPAA violations and requiring encryption of all
protected health information on portable electronic devices. He also seeks civil fines.
New federal rules mandated under the HITECH Act require "timely" notification of certain breaches of health
information. The rules were effective in September and had a compliance deadline of Feb. 22, 2010.
In a statement, Health Net said that protecting the privacy of its members is extremely important, adding that company
policy requires that data must be encrypted and secured. The company pledged to work cooperatively with the
Connecticut Attorney General.
"To date, Health Net has found no evidence that there has been any misuse of the data," the company said. It is offering
two years of free credit monitoring services for all impacted members. The service also includes $1 million of identity
theft insurance coverage and enrollment in fraud resolution services for two years.

    Civil Monetary Penalties
        Previously $100/day or $25,000/year.
        New penalties, effective 2/17/09:
            Unwitting violations (i.e. did not know or have reason to
            know), $100 per violation and up to $25,000 per year.
            Violations due to “reasonable cause and not to willful
            neglect”, $1,000 per violation and up to $100,000 per year.

    New penalties, effective 2/17/09 (cont’d)
        Violations due to “willful neglect” that are corrected,
        $10,000 per violation and up to $250,000 per year.
        Violations due to “willful neglect” that remain
        uncorrected, $50,000 per violation and up to $1.5
        million per year.
        Corrective Action still available, but limited. Some
        mandatory CMP’s.
        Individual employee civil and criminal liability.

    Changes Affecting Business Associates
        Business Associates are now directly responsible
        under HIPAA for many aspects of HIPAA compliance
        Civil monetary and criminal penalties are directly
        applicable to Business Associates
        If the Business Associate knows of a pattern or
        practice of breach by the Covered Entity, it must take
        reasonable steps to cure or terminate the contract, if
        feasible, and if not feasible, report the problem to
        Need to review and revise your BAAs
    Privacy and Security Breach - Notification
        Mandatory Breach Notification

    Breach – What is a breach?
        Unauthorized acquisition, access, use or disclosure of
        PHI which compromises the security or privacy of
        such information, except where an unauthorized
        person to whom such information is disclosed would
        not reasonably have been able to retain such

        Unintentional acquisition, access, or use by an
        employee or individual acting under authority of a
        covered entity if it was made in good faith and within
        the course and scope of employment
        Inadvertent disclosures from an individual who is
        otherwise authorized to access PHI to another
        similarly situated individual at the same facility, as
        long as it is not further used or disclosed in violation
        of the Privacy Rule.
        Situations where the unauthorized person to whom
        PHI has been disclosed would not reasonably have
        been able to retain the information.
    Breach Notification Requirements Only apply to
    “unsecured” PHI. (i.e. Safe Harbor)
        Guidance published April 17, 2009
    Document your analysis and investigation of
    whether a breach occurred and whether
    notification is required. Keep logs of all info.

    Breach notification decision flow (flowchart)
        Is the information PHI?
            No: No Notification; Determine if Red Flag Rules or state breach notification laws apply
        Is the PHI unsecured?
            No: No Notification; Determine if accounting and obligations under
        Is there an acquisition, access, use or disclosure of PHI?
            No: No Notification
        Does the impermissible acquisition, access, use or disclosure compromise the security or privacy of PHI?
            No Notification; Determine if accounting and mitigation obligations under
        Does an exception apply?
            No Notification; Determine if accounting and obligations under HIPAA
            No: Notification Required; Determine methods for notification for affected individuals, the Secretary of HHS and, if necessary,
    Notification of Breach
        Within 60 days.
        If more than 500 people – notify media and Secretary
        of HHS.
            Secretary publishes list on HHS website.
        Substitute Notice if address unknown
            Website posting, toll-free phone number

    New Guidance on Regulations
        Published August 24, 2009 in Federal Register
        Applies to breaches occurring on or after September
        23, 2009
        If the disclosure/access does not violate a Privacy
        Rule (i.e. security or privacy of the PHI), then it is not a
        Must pose a significant risk of financial, reputational,
        or other harm to the individual
        No sanctions to be imposed for failure to notify in the
        case of a breach until February 22, 2010.
    Stay Tuned. . . .
        More regulations coming in 2010 – 2012.

    SEC. 4001. Table of contents of title.
        Subtitle A—Medicare Incentives
            SEC. 4101. Incentives for eligible professionals.
            SEC. 4102. Incentives for hospitals.
            SEC. 4103. Treatment of payments and savings; implementation
            SEC. 4104. Studies and reports on health information technology.
        Subtitle B—Medicaid Incentives
            SEC. 4201. Medicaid provider HIT adoption and operation
            payments; implementation funding.
        Subtitle C—Miscellaneous Medicare Provisions
            SEC. 4301. Moratoria on certain Medicare regulations.
            SEC. 4302. Long-term care hospital technical corrections.

    To take maximum advantage of the incentives,
    eligible providers will need to be ready by
    calendar year 2011 and hospitals will need to be
    ready by FY 2011 (beginning October 1, 2010)

    Reimbursement incentives under the new ARRA
    stimulus law to eligible professionals (EPs) and
    eligible hospitals
    To be eligible for Medicaid incentives, eligible
    providers and hospitals must meet a Medicaid
    patient volume requirement where a defined
    percentage of all encounters during the
    reporting period are Medicaid encounters

    Medicare – A physician as defined in section
    1861(r) of the Social Security Act, which includes
    the following five types of professionals:
        Doctor of medicine or osteopathy
        Doctor of dental surgery or medicine
        Doctor of podiatric medicine
        Doctor of optometry

    NOTE: All Medicare EPs must be non-hospital

        Certified nurse-midwives
        Nurse practitioners
        Physician assistants who are practicing in Federally
        Qualified Health Centers or Rural Health Clinics led by a
        physician assistant

    All Medicaid EPs must be non-hospital based
    EXCEPT for EPs practicing predominantly in an
    FQHC or RHC
    A qualified non-hospital-based provider will be
    reimbursed for the costs of implementing HIT
    Must meet the meaningful use test and
    implement approved systems
    Payments are made over a five-year period
    Maximum EHR implementation reimbursement
    available to an individual provider under
    Medicare is $44,000, unless you are in a Health
    Professional Shortage Area, in which case
    payments would be increased 10 percent (most
    I/T/U sites are in a HPSA)
    Medicare Incentives
        Sec. 4101 Incentives for eligible professionals
            First year (if beginning in 2011 or 2012) $18,000
            (if First Year is after 2012) $15,000
            Second year $12,000
            Third year $8,000
            Fourth year $4,000
            Fifth year $2,000

    Eligible professionals qualifying under ARRA’s
    Medicaid reimbursement provisions may get up to
    $75,000 to help with EHR implementation.
        First year reimbursement could be as much as $25,000
        with up to $10,000 per year for the next five years.
    Must meet the meaningful use test and use
    certified EHR products to qualify.
    Must meet Medicaid patient volume requirements.
    May elect to be reimbursed by Medicare or
    Medicaid, but not both. Medicaid providers are
    required to waive Medicare EHR Incentive
    Incentives for up to 85% of costs for EHR
        Caps: 1st year payment at $25,000
        Caps: following years at $10,000/year
            1st yr cost no later than 2016
            No payments made after 2021 or more than 5 years
    Costs Include:
        Support & training
        Engaging in efforts to adopt, implement…
        Maintenance & use

Medicare Incentive Payments - 75% add-on to fee schedule payments

             Maximum Medicare Incentive Payments
  2011        2012       2013       2014      2015       2016       Total
  $18,000     $12,000     $8,000     $4,000    $2,000        $0     $44,000
        -     $18,000    $12,000     $8,000    $4,000    $2,000     $44,000
        -           -    $15,000    $12,000    $8,000    $4,000     $39,000
        -           -          -    $12,000    $8,000    $4,000     $24,000

Penalty for failure to implement by FY15 –> reduction of reimbursements by 1% in 2015, 2% in 2016, etc.

Medicaid Incentive Payments - (requires Medicaid share of 30+ %)

                     Maximum Medicaid Incentive Payments
     2011       2012       2013      2014       2015         2016     2017         2018      Total
  $25,000    $10,000   $10,000    $10,000    $10,000          $0        $0          $0    $65,000
        -    $25,000   $10,000    $10,000    $10,000     $10,000        $0          $0    $65,000
        -          -   $25,000    $10,000    $10,000     $10,000   $10,000          $0    $65,000
        -          -         -    $25,000    $10,000     $10,000   $10,000     $10,000    $65,000
        -          -         -          -    $25,000     $10,000   $10,000     $10,000    $55,000
        -          -         -          -          -     $25,000   $10,000     $10,000    $45,000

receive Medicare OR Medicaid Incentives
Not to exceed $63,750

    ARRA authorizes the Centers for Medicare &
    Medicaid Services (CMS) to provide
    reimbursement incentives for eligible
    professionals and hospitals who both adopt
    certified EHR technology and demonstrate
    “meaningful use” of the technology.

    2011 Goal –
        To electronically capture health record data in coded
        To report health information
        To use that information to track clinical conditions.
    2013 Goal – To guide and support care
    processes and care coordination.
    2015 Goal – To achieve and improve
    performance and support care processes and
    key health system outcomes.
    Requirements for meeting Meaningful Use will
    increase over time
    Incentives run 2011-2015 and penalties begin in
        2009
            Preparation for MU
        2011
            First definition of MU (requirements)
            First incentives for MU
        2013
            Second definition of MU (new
            Second incentives for MU
        2015
            Third definition of MU (requirements)
            Final incentives for MU
        >2015
            Penalties for not meeting MU

Meaningful Use Objectives, Corresponding EHR Software Features, and Meaningful Use Measures

Meaningful Use Objective: Use Computer Provider Order Entry (CPOE)
    Corresponding EHR Software Features: Enable a user to electronically record, store, retrieve, and manage, at a minimum, the following order types: Medications; Laboratory; Radiology/imaging; Provider referrals; Blood bank; Physical therapy; Occupational therapy; Respiratory therapy; Rehabilitation therapy; Dialysis; Provider consults; and Discharge and transfer.
    Meaningful Use Measure: CPOE is used for at least 80% of all orders; 10% for hospitals

Meaningful Use Objective: Implement drug/allergy checks
    Corresponding EHR Software Features: (1) Real-time, alerts at the point of care for drug-drug and drug-allergy contraindications; (2) Electronically check if drugs are in a formulary or preferred drug list; (3) Provide certain users rights to deactivate, modify, and add rules for drug-drug and drug-allergy checking; (4) Track number of alerts users respond to
    Meaningful Use Measure: Function is enabled

Meaningful Use Objective: Maintain an up-to-date problem list of current and active diagnoses based on
    Corresponding EHR Software Features: Electronically record, modify, and retrieve a patient’s problem list over multiple visits
    Meaningful Use Measure: At least 80% of all unique patients have at least one entry or an indication of none recorded.

Meaningful Use Objective: E-prescribing (EP only)
    Corresponding EHR Software Features: Electronically transmit prescriptions
    Meaningful Use Measure: At least 75% of all permissible prescriptions written by the EP are transmitted electronically

Meaningful Use Objective: Maintain active medication/allergy list
    Corresponding EHR Software Features: Electronically record, modify, and retrieve a patient’s active medication/allergy list
    Meaningful Use Measure: At least 80% of all unique patients have at least one entry or an indication of “none”

Meaningful Use Objective: Record demographics
    Corresponding EHR Software Features: Electronically record, modify, and retrieve patient demographic data
    Meaningful Use Measure: At least 80% of all unique patients have demographics recorded

Meaningful Use Objective: Record and chart changes in vital signs
    Corresponding EHR Software Features: (1) Enable a user to electronically record, modify, and retrieve a patient’s vital signs; (2) Automatically calculate and display body mass index (BMI); (3) Plot and electronically display, upon request, growth charts for patients 2-20 years old.
    Meaningful Use Measure: For at least 80 percent of all unique patients age 2 and over seen by the EP or admitted to the eligible hospital, record blood pressure and BMI; additionally, plot growth chart for children age 2 to 20

Meaningful Use Objective: Incorporate clinical lab-test results into EHR as structured data
    Corresponding EHR Software Features: (1) Electronically receive clinical laboratory test results and display such results in human readable format; (2) Electronically display in human readable format any clinical laboratory tests that have been received with LOINC® codes; (3) Electronically display all the information for a test report; (4) Electronically update a patient's record based upon received laboratory test results
    Meaningful Use Measure: At least 50% of all clinical lab tests results are incorporated as structured data

    ONC’s latest definition of certified EHR
        A Complete EHR or a combination of EHR Modules,
        each of which
            meets the requirements included in the definition of a
            Qualified EHR; and
            has been tested and certified in accordance with the
            certification program established by the National
            Coordinator as having met all applicable certification criteria
            adopted by the [ONC].”

    Software certification criteria derived directly
    from objectives and measurements
        Modular Certification
        Visit Summary/Charting Criteria Removed
        Does not require “EMR”
            Computerized Physician Order Entry
            Decision Support
            Member Web Portal

    What body will be doing the certifying?
        ONC Notice of Proposed Rulemaking (NPRM)
            Temporary Certification Program to Achieve Deadlines
            Permanent Certification Program
               Separates functions performing testing and certification
               Introduce accreditation requirements
               Establish requirements for certification bodies
    Who will enforce the meaningful use measures?
        Measures are clearly defined
        Enforcement is not
