Archive

Posts Tagged ‘HHS’

Are We Ready for Electronic Health Records?

January 26, 2010 1 comment

With health care reform fast fading from the national agenda, we can’t forget that one part of that reform – adoption of  electronic health care records (or EHRs) – is still alive and kicking.  In fact, there’s a huge push by the federal government to articulate standards around privacy and data security – especially for medical health information.  To give this push some oomph, the feds are giving out $19 billion worth of incentives to entities who adopt EHRs, a move that is funded by provisions of the “HITECH Act“ under the stimulus bill. Healthcare organizations will receive increased Medicare/Medicaid reimbursements if they adopt EHRs by 2015 – which is why we’ve seen a big boost in medical IT spending, with companies like GE providing financing for medical IT projects.

With so many companies jumping on this bandwagon, EHRs should provide a much-needed jolt to the tech sector while also giving patients more control over their medical information and treatment (both laudable goals).  And yet, many uncertainties remain surrounding the push to digitize medical health information (a recent investigative piece on EHR adoption by Huff Post highlights some of these concerns). An additional uncertainty arises from the increasingly complex regulatory web that has started to encircle the medical health information sector.

Under federal law, HIPAA – administered by Health & Human Services – protects personal health information held by healthcare organizations (known as covered entities). The stimulus bill extended HIPAA’s reach even further – to include the business associates of covered entities.  Put differently, a medical IT provider, working with a health care organization on their EHR adoption, could be liable for HIPPA violations (and should be thinking about compliance accordingly).  And while the old version of HIPAA provided for an affirmative defense, the new version does not – increasing penalties significantly, from $25,000 to $1.5 million (for willful violations that have been corrected).

The stimulus edits to HIPAA also give State Attorneys General the right to bring actions for HIPAA violations.   Earlier this month, AG Richard Blumenthal of Connecticut brought the first HIPAA action by a state AG against HealthNet, a Connecticut based insurer that allegedly waited 6 months to report the breach of private medical and financial information of 446,000 of its members. And in addition to HIPAA, state law also may apply — since many states include “medical information” in the definition of “personal information” under their data breach notification statutes.

The Federal Trade Commission also has a stake in the issue – along with HHS and the state AGs.  In fact, Congress has asked the FTC and HHS to study the issues around medical health data privacy and issue a joint report on their findings. Congress will then decide which of the two agencies has the resources and expertise to enforce the ensuing regulations.

The regulatory uncertainly and patchwork will lead to increased compliance costs – especially for entities operating in multiple jurisdictions.  But the bigger concern here is whether business is even ready to comply-  a recent study by the Ponemon Institute and Crowe Horvath LLP found that only 6% of the 77 companies surveyed were prepared to comply with the HITECH Act provisions.