Health Information Technology and HIPAA under the American Recovery and Reinvestment Act of 2009 (the Stimulus Act)
February 23, 2009
On February 17, 2009, President Obama signed the American Recovery and Reinvestment Act of 2009, otherwise known as the Stimulus Act (the Act). The Act contains provisions that give the federal government the leading role in establishing standards for the use and exchange of electronic health information and creates financial incentives for health care providers to use health information technology.
The Act also contains provisions that will bring about significant changes to the security and privacy standards ("Security and Privacy Rules") promulgated under the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). Collectively, these provisions will change the regulatory landscape in which those using and disclosing protected health information - namely covered entities and business associates - operate.
We provide you with this summary of the Act's provisions on health information technology and HIPAA.
Health Information Technology
The Congressional Budget Office estimates the total outlay for health information technology under the Act will exceed $22 billion.
The Act's stated goal is a qualified electronic health record (as defined below) for each person in the United States by 2014. The initial burden of this effort will be borne by those responsible for setting the standards, specifications, and certification criteria that will define the certified EHR technology to be supported by Federal funding under the Act. We expect that major technology investments may be slowed in the near term until those standards can be established.
The financial incentives to physicians and hospitals to adopt certified EHR technology are substantial, but to receive the incentives, physicians and hospitals must demonstrate that they are meaningful EHR users of the technology. This will require changes in long established practice patterns. How effective the incentives will be in changing these patterns quickly remains to be seen.
1. Office of the National Coordinator
The Act establishes by statute the Office of the National Coordinator for Health Information Technology within the Department of Health and Human Services, an office previously created by order of President George W. Bush, and provides $1.98 billion for its activities under the Act. The National Coordinator is appointed by and reports to the Secretary of HHS.
The duties of the National Coordinator focus on the development of a nationwide health information technology infrastructure that allows for the electronic use and exchange of information. The National Coordinator is tasked with maintaining and updating the Federal Health IT Strategic Plan, initially developed last year.
The Act establishes the Health Information Technology (HIT) Policy Committee that will make policy recommendations to the National Coordinator relating to the implementation of a nationwide HIT infrastructure. The Act establishes the HIT Standards Committee that will recommend to the National Coordinator standards, implementation specifications, and certification criteria for the electronic exchange and use of health information. The National Coordinator will review and endorse the standards, implementation specifications, and certification criteria recommended to the Coordinator and forward them to the Secretary.
2. Certified EHR Technology
The Secretary will adopt by rule the standards, implementation specifications, and certification criteria for technologies that:
- protect privacy;
- enable the electronic use and exchange of health information;
- enable a certified health record for each person in the United States by 2014;
- account for disclosures made by a covered entity for purposes of treatment, payment, and health care operations;
- promote coordination of care, reduce errors, health care disparities, and chronic disease, and advance research;
- allow individually identifiable health information to be rendered unusable and indecipherable when transmitted electronically or carried outside of a secured area;
- ensure the collection of patient demographic data; and
- address the needs of children and other vulnerable populations.
"Certified EHR Technology" is EHR technology for Qualified Electronic Health Records that meets these standards, implementation specifications, and certification criteria.
A "Qualified Electronic Health Record" is an electronic record of health-related information on an individual that:
- includes patient demographic and clinical health information, such as medical history and problem lists; and
- has the capacity to
(i) provide clinical decision support;
(ii) support physician order entry;
(iii) capture and query information relevant to health care quality; and
(iv) exchange electronic health information with, and integrate such information from, other sources.
3. Required Provisions in Federal Contracts
The Act requires that each agency that administers or sponsors federal government health care programs include in its agreements with health care providers, health plans, and health insurers a provision that as the provider, plan, or insurer acquires, or upgrades health information technology systems, it must utilize, where available, health information technology systems and products that meet the standards and implementation specifications adopted by the Secretary under the Act.
4. Medicare Incentives for Physicians
Each physician who is a "meaningful EHR user" with respect to covered professional services furnished during a payment year will receive (or the physician's practice group will receive) an incentive payment for that payment year in an amount not exceeding $15,000 for the first payment year ($18,000 if the first payment year is 2011 or 2012), $12,000 for the second payment year, $8,000 for the third payment year, $4,000 for the fourth payment year, and $2,000 for the fifth payment year. However, if the first payment year is 2014, the amounts are $12,000 for 2014, $8,000 for 2015, and $4,000 for 2016. These incentive payments will be increased by 10% for physicians who predominantly furnish services in health professional shortage areas.
No incentive payments will be made if the first year a physician makes meaningful use of certified EHR is after 2014, nor for years after 2016. Also, no incentive payments will be made to hospital-based physicians, such as pathologists, anesthesiologists, or emergency physicians who furnish substantially all of their services in a hospital setting, because such physicians are presumed to be using the hospital's EHR.
"Meaningful EHR users" are those physicians:
(i) who demonstrate that during the payment period, the physician is using certified EHR technology in a meaningful manner, including the use of electronic prescribing and the submission of claims with appropriate coding (such as a code indicating that a patient encounter was documented using certified EHR technology);
(ii) whose certified EHR technology is connected in a manner that provides for the electronic exchange of health information to improve the quality of health care, such as promoting care coordination; and
(iii) who use certified EHR technology to submit information for the reporting period on clinical quality measures selected by the Secretary.
The Act requires the Secretary to post the names, business addresses, and business phone numbers of the physicians who are meaningful EHR users and of the group practices receiving incentive payments on their behalf.
As a penalty for failure to use certified EHR technology, the Medicare fee schedule amount for services provided by physicians who are not meaningful EHR users will be reduced to 99% for 2015, 98% for 2016, and 97% for 2017. The Secretary has authority to further reduce the fee schedule after 2018, depending on the percentage of physicians who are meaningful EHR users at that time, and has authority to exempt physicians based on hardship, such as a rural location without sufficient internet access. Again, hospital-based physicians are not subject to the penalty provisions.
Special provisions apply these concepts to qualifying Medicare Advantage organizations. Also, a physician who is eligible for the maximum incentive payment described above will not receive additional payments as an MA physician, thus avoiding duplication.
5. Medicare Incentives for Hospitals
With respect to hospital inpatient services furnished by a hospital that is a meaningful EHR user during a reporting year, the hospital will receive an incentive payment from Medicare equal to the hospital's "Medicare Share" times the sum of the hospital's "Base Amount" plus the hospital's "Discharge Related Amount" for the reporting year.
A hospital's Medicare Share is a fraction. The numerator is the hospital's estimated number of inpatient-bed days paid for by Medicare Part A plus those paid with respect to a Medicare Advantage organization under Part C. The denominator is the hospital's estimated total number of inpatient-bed days during the reporting period multiplied by the ratio of (a) its estimated total charges during that period, less any charges attributable to charity care, to (b) its total charges during that period.
A hospital's Base Amount is set at $2,000,000.
A hospital's Discharge Related Amount for a reporting period is $200 for each discharge (estimated based upon total discharges for the hospital regardless of any source of payment), beginning with the 1,150th discharge and ending with the 23,000th discharge.
The hospital incentive payment declines over time: for the second reporting period it is 75% of what the payment would have been for the first reporting period, for the third 50%, and for the fourth 25%. However, if a hospital's first reporting period as a meaningful EHR user is after 2013, its incentive payment for that period is reduced to what it would have been had its first reporting period been in 2013. A hospital whose first reporting period is after 2015 receives no incentive payments.
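As an added illustration (not part of the original alert), the following Python computes a hospital's Medicare incentive payment from the components summarized above: the Medicare Share fraction, the $2,000,000 Base Amount, the $200 Discharge Related Amount for the 1,150th through the 23,000th discharges, and the 100/75/50/25% schedule for the first four reporting periods, with no payment when the first reporting period is after 2015. The bed-day, charge and discharge figures are constructed sample values, and the reduced schedule for a hospital whose first reporting period is after 2013 is not modeled.

```python
from dataclasses import dataclass

# Figures stated in the Act as summarised above.
BASE_AMOUNT = 2_000_000
PER_DISCHARGE = 200
FIRST_COUNTED_DISCHARGE = 1_150
LAST_COUNTED_DISCHARGE = 23_000
# Fraction of the first-period amount paid in reporting periods 1 through 4.
TRANSITION_FACTORS = {1: 1.0, 2: 0.75, 3: 0.5, 4: 0.25}
LAST_FIRST_PERIOD_YEAR = 2015  # no payments if the first period is after this


@dataclass
class HospitalPeriod:
    """Estimated figures for one reporting period (constructed sample data)."""
    part_a_bed_days: int        # inpatient-bed days paid by Medicare Part A
    part_c_bed_days: int        # inpatient-bed days paid via a Medicare Advantage plan
    total_bed_days: int         # all inpatient-bed days, any payer
    total_charges: float
    charity_care_charges: float
    total_discharges: int       # discharges regardless of payer


def medicare_share(p: HospitalPeriod) -> float:
    """Medicare bed days / (total bed days x (charges net of charity care / charges))."""
    if p.total_bed_days <= 0 or p.total_charges <= 0:
        raise ValueError("bed days and charges must be positive")
    numerator = p.part_a_bed_days + p.part_c_bed_days
    charge_ratio = (p.total_charges - p.charity_care_charges) / p.total_charges
    return numerator / (p.total_bed_days * charge_ratio)


def discharge_related_amount(total_discharges: int) -> int:
    """$200 for each discharge from the 1,150th through the 23,000th; nothing outside that band."""
    counted = min(total_discharges, LAST_COUNTED_DISCHARGE) - (FIRST_COUNTED_DISCHARGE - 1)
    return PER_DISCHARGE * max(counted, 0)


def incentive_payment(p: HospitalPeriod, period_number: int, first_period_year: int) -> float:
    """Medicare Share x (Base Amount + Discharge Related Amount), scaled by the period's factor."""
    if first_period_year > LAST_FIRST_PERIOD_YEAR:
        return 0.0
    factor = TRANSITION_FACTORS.get(period_number, 0.0)  # nothing after the fourth period
    return factor * medicare_share(p) * (BASE_AMOUNT + discharge_related_amount(p.total_discharges))


# Constructed sample hospital-year: 25,000 of 50,000 bed days are Medicare,
# 10% of charges are charity care, 5,000 discharges.
SAMPLE = HospitalPeriod(
    part_a_bed_days=20_000, part_c_bed_days=5_000, total_bed_days=50_000,
    total_charges=100_000_000.0, charity_care_charges=10_000_000.0, total_discharges=5_000,
)

if __name__ == "__main__":
    for n in range(1, 5):
        print(f"period {n}: ${incentive_payment(SAMPLE, n, 2011):,.0f}")
```

Two points the prose alone does not make obvious: the charity-care adjustment shrinks the denominator, so the Medicare Share of a hospital with heavy charity care rises above its raw bed-day ratio, and the discharge band means a hospital with fewer than 1,150 discharges is paid only on the Base Amount while one above 23,000 gets nothing for the excess.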
A hospital's meaningful use of EHR is demonstrated in the same manner as is a physician's use, as described above, as further specified by the Secretary.
The list of names of the hospitals that are meaningful EHR users will be posted on the CMS website.
The Act contains separate rules for incentive payments to critical access hospitals (CAH).
As a penalty for failure to use certified EHR technology, the Act provides a reduction in the market basket adjustment for each fiscal year beginning in 2015 that a hospital is not a meaningful EHR user, beginning with a one-third reduction and ending with a 100% reduction for 2017 and each year thereafter that the hospital is not a meaningful EHR user. Again, special rules apply to CAHs.
Special rules also apply to Medicare Advantage-affiliated hospitals, including rules to avoid duplication of incentive payments to such hospitals.
6. Medicaid Incentives
The Act provides Medicaid incentives for the adoption of certified EHR technology based upon the provider's involvement in the Medicaid program or other care of the uninsured and low-income populations. Eligible professionals include physicians, dentists, certified nurse-midwives, nurse practitioners, and physician assistants in a rural health clinic. The Act also provides expanded funding to pediatricians with a minimum patient volume attributable to patients receiving Medicaid assistance, federally qualified health centers, and rural health clinics. The Act requires coordination of payment with Medicare payments to assure that incentive payments are not duplicated.
7. Implementation Assistance
The Act requires the Secretary, through the National Coordinator, to establish a health information technology extension program to provide assistance services, using the expertise of the National Institute of Standards and Technology in developing the program.
The Secretary will establish a research center to recognize best practices and to accelerate efforts to adopt and utilize health information technology.
The Secretary will provide assistance for the creation and support of regional centers to provide assistance and disseminate best practices. These centers may be affiliated with any nonprofit organization that applies and is awarded financial assistance under the Act, and the financial support must be matched dollar for dollar from other sources.
8. Grants to States and State-Designated Entities
The Act provides for the establishment of a program of planning grants and implementation grants to a State, or to a qualified State-designated entity, to conduct activities that will facilitate and expand the electronic movement and use of health information among organizations according to nationally recognized standards. Among the activities to be funded are those that promote the use of electronic health records for quality improvement, including quality measures reporting. Qualified State-designated entities include those with broad stakeholder representation on their governing boards and that have as one of their principal goals the use of information technology to improve health care quality and efficiency. These grants require a non-Federal match of $1 for each $10 of Federal funds during 2011, with greater non-Federal matches in later years.
9. Loan Programs
The Act gives the National Coordinator authority to award competitive grants to States and Indian tribes to help establish EHR technology loan funds to assist in the purchase of certified EHR technology, enhance its utilization, including costs associated with upgrading existing systems to conform to certified EHR specifications, train personnel, and improve the secure electronic exchange of health information. The funds may be paid out as loans with repayment obligations not exceeding market rates, and may be used to guarantee a provider's loan obligations to improve credit market access or reduce the interest rate that otherwise would apply. Grant awards must be matched with $1 of non-Federal funds for each $5 of Federal award.
10. Grants for Health Technology Training
The Secretary may award competitive grants to medical academic institutions for the development of academic curricula for integrating certified EHR into the clinical education of health professionals, and may award grants to establish or expand medical health informatics education programs.
11. Next Steps
Physician group practices and hospitals that now have EHR technology should be working with their physicians and other medical personnel to fully incorporate the technology into their practice patterns, so that they will be able to meet the requirements of meaningful EHR users when those requirements are established by the Secretary. Practices and hospitals without EHR technology should be preparing for the acquisition of systems to meet the standards for certified EHR technology when they are issued.
A number of states, including Wisconsin, have organizations with broad stakeholder participation that are focused, among other goals, on the use of information technology to improve health care quality and efficiency and reporting on the same. They should be working with their states to obtain state certification to enable them to obtain grants from the National Coordinator to further their work.
State and Indian Tribes should be preparing plans for the establishment of loan programs to help organizations acquire, upgrade, and train personnel in the use of certified EHR technology, to qualify for Federal grants to fund such programs.
HIPAA Security and Privacy Rules
The following paragraphs summarize the key provisions of the Act that affect the Security and Privacy Rules under HIPAA and provide an initial assessment of their impact on covered entities and business associates.
1. Extension of HIPAA's Security and Privacy Rules to Business Associates
Perhaps the most far reaching impact of the Act stems from a series of provisions that would extend the application of the main sections of the Security and Privacy Rules to business associates. Under current law, covered entities must enter into written agreements with their business associates before disclosing protected health information to the business associate. Such agreements, by contract, extend a limited number of provisions under the Security and Privacy Rules to business associates.
The Act, by operation of law, extends the main provisions of the Security and Privacy Rules to business associates, essentially converting business associates into covered entities. Under the Security Rule, this means that business associates must implement policies and procedures that establish administrative, physical and technical safeguards to preserve the integrity and confidentiality of electronic protected health information. Under the Privacy Rule, this means business associates will have direct responsibility for ensuring that their uses and disclosures of protected health information comply with the requirements of the Privacy Rule.
The Act also mandates that these additional requirements be incorporated into the parties' written agreements, thereby requiring covered entities and business associates to revise their agreements to comply with the Act.
Finally, business associates that fail to comply with the new requirements will be subject to the same civil and criminal penalties as covered entities.
These provisions are a significant departure from the current regulatory scheme in which business associates operate, i.e., no HIPAA obligations imposed directly on business associates and no civil and criminal penalties for violations of HIPAA by business associates.
2. Notification of Breaches of Information
In the event of a breach of an individual's "unsecured protected health information," the Act requires covered entities to notify each individual whose information has been breached. The Act defines "unsecured protected health information" as protected health information that is not secured through a technology or methodology specified in guidance the Secretary must issue; whether the information was rendered unusable, unreadable, or indecipherable to unauthorized persons therefore determines whether the notification duty is triggered at all. For a breach of unsecured protected health information under the control of a business associate, the business associate will be required to notify only the covered entity of the breach. If the breach involves more than 500 individuals, covered entities also must notify prominent media outlets serving the affected area and the Secretary of the U.S. Department of Health and Human Services ("HHS"). HHS will also post on its internet website a list of covered entities involved in breaches of unsecured protected health information of more than 500 individuals. If the breach involves fewer than 500 individuals, the covered entity must maintain a log of such breaches and annually submit it to HHS. The Act contains detailed requirements for the method of notice and the information that must be included in each notice.
Currently, covered entities and business associates have no obligations to notify individuals or HHS of breaches of protected health information, unless the notification would mitigate the harmful effects of an unauthorized disclosure. The new notice requirements could significantly increase the administrative costs and burdens for covered entities and business associates by requiring them to maintain a log of breaches and complete notification forms.
3. Restrictions on Disclosures of Protected Health Information
Under the Act, covered entities will be required to comply with an individual's request to restrict disclosures of protected health information to a health plan if the disclosure is for payment or health care operations purposes and the protected health information pertains solely to a health care item or service for which the individual paid out-of-pocket in full.
Under current law, individuals have a right to request that the covered entity restrict certain disclosures of protected health information, but covered entities are not required to honor the request.
4. Accounting of Disclosures of Protected Health Information in EHRs
The Act grants individuals a right to receive an accounting of disclosures of protected health information made for treatment, payment and health care operations purposes, if the disclosures are through an "electronic health record." The Secretary would be required to issue regulations on what information must be collected about each disclosure.
For covered entities currently using "electronic health records", the new accounting requirement would apply to disclosures made on or after January 1, 2014. For covered entities yet to acquire "electronic health records", the requirement would apply to disclosures made on or after January 1, 2011, or the date "electronic health records" are acquired, whichever is later.
Under current law, individuals have no right to an accounting of disclosures of protected health information for treatment, payment and health care operations purposes.
5. Expansion of Minimum Necessary Standard
The Act requires covered entities to limit the use, disclosure or request of protected health information to a "limited data set", if practicable, or, if needed, the minimum necessary to accomplish the intended purpose of the use, disclosure or request. The Act clarifies that the entity disclosing the protected health information, as opposed to the requester of information, makes the minimum necessary determination. The Act further requires the Secretary to issue guidance on what constitutes minimum necessary. Until then, covered entities will be required to determine whether the disclosure of a "limited data set" would accomplish the purpose.
The Privacy Rule's exceptions to the minimum necessary rule, such as disclosures to or by a health care provider for the treatment of an individual, will continue to apply.
6. Revised Definition of Health Care Operations & Marketing
Currently, covered entities may use protected health information to undertake their own "health care operations" or disclose protected health information to other covered entities for use by the other covered entity's "health care operations" without an authorization signed by the individual.
The Act requires the Secretary to revise the definition of "health care operations" to eliminate those activities that can reasonably and efficiently be conducted with de-identified information or that should require authorization for the use or disclosure of protected health information.
The Act further eliminates from the definition of "health care operations" communications made by a covered entity or business associate about health care related products or services, if the covered entity or business associate making the communication receives "direct or indirect remuneration" for making the communication. Furthermore, the Act adds a new provision prohibiting a covered entity or business associate from receiving direct or indirect payment for marketing a health care related product or service without first obtaining the recipient's authorization.
Finally, the Act prohibits covered entities from using protected health information for fundraising purposes unless the written fundraising communication provides the recipient with an opportunity to opt out of future fundraising communications.
7. Business Associate Agreements Required for Certain Organizations
The Act expands the category of "business associate" to include organizations that contract with covered entities for the purpose of exchanging protected health information, such as a Health Information Exchange Organization, Regional Health Information Organization or E-prescribing Gateway. Such organizations must enter into business associate agreements with the covered entities before any protected health information may be exchanged.
8. Increased Enforcement and Penalties
The Act makes the following significant revisions to the enforcement and penalties provisions under HIPAA.
- Clarifies that covered entities, their employees as well as other individuals shall be subject to criminal penalties for obtaining or disclosing protected health information without authorization.
- Establishes a tiered system of civil monetary penalties, which includes varying increased penalties for unknowing violations; violations due to reasonable cause; and violations due to willful neglect.
- Requires that any civil monetary penalties collected be transferred to the Office for Civil Rights of HHS to be used for enforcing the Security and Privacy Rules.
- Requires the Secretary to submit recommendations for giving a percentage of any civil monetary penalty collected to the individuals harmed, and based on those recommendations, establish regulations for distributing a percentage of any collected penalties.
- Authorizes the State Attorneys General to bring a civil action in federal district court against anyone who violates the Security and Privacy Rules to enjoin further violation or to obtain damages on behalf of individuals harmed.
- Requires the Secretary to perform periodic audits to ensure that covered entities and business associates are in compliance with the Security and Privacy Rules.
9. Next Steps
The Act will bring about substantial changes in the regulatory framework in which covered entities and business associates operate. For this reason, covered entities and business associates should start working now in order to ensure their organizations are fully compliant when the provisions become effective.
For covered entities, this means taking the following actions:
- implementing policies and procedures for tracking and reporting breaches of unsecured protected health information;
- implementing policies and procedures for tracking disclosures of protected health information from EHRs for treatment, payment and health care operations;
- implementing policies and procedures for accepting requests from individuals to restrict disclosures of protected health information to health plans for self-pay items and services;
- educating their workforce on the new minimum necessary standard and the restrictions against uses and disclosures of protected health information for marketing and fundraising purposes, unless certain requirements have been met; and
- entering into business associate agreements with any organization with whom the covered entities exchange health information, such as regional health information organizations.
For business associates, this means taking the following actions:
- revising their business associate agreements to incorporate their new obligations to comply with the main provisions of the Security and Privacy Rules;
- implementing policies and procedures that establish the required safeguards to preserve the integrity and confidentiality of electronic protected health information; and
- implementing policies and procedures to ensure their uses and disclosures of protected health information comply with the requirements under the Privacy Rule.
For More Information
For more information on the adoption of certified EHR technology, its meaningful use to qualify for the incentives provided under the Act, compliance with the new HIPAA requirements and the other provisions of the Act, contact Michael Skindrud (608-284-2619), Choua Vang (920-831-6351), or any other member of Godfrey & Kahn's Healthcare Team.