2009 Health Information Technology Act

THE 2009 Health Information Technology Act

The 2009 Health Information Technology Act True Financial Incentives or More Government Control? Sara Small Mt St Mary's College A Thesis Presented to the Faculty of the Graduate School of Business

December 13, 2009

The 2009 Health Information Technology Act

ii

ACKNOWLEDGMENT

Thank you to Dr Mark Alhanati, Dr Janet Robinson, Dr. Peter Antoniou and to Katherine Whitman for the honor of participating in the first MBA Cohort at Mount St Marys College. This creative and dynamic curriculum has provided a wealth of experience and knowledge within a unique and stimulating learning environment. The MBA program allowed me to return to the classroom after a 33 year hiatus and also afforded me the opportunity to experience my first international trip! The successful completion of this thesis would not have been possible without the help and support from my faculty advisor, Dr. David Burkitt. His advice, guidance and direction allowed me to remain focused and on track during the short time frame allowed for the completion of this thesis. His academic and professional career experience was invaluable. Thank you, David for helping me over the rough spots and guiding me through a complex process. Finally, my thanks to my husband, Ben who provided constant assistance and domestic support that enabled me to spend countless hours away from home working with other students, completing projects and studying. Bens encouragement to pursue my studies often pushed his loyal support to the limits! The completion of this degree would not have been possible without his unconditional love and commitment. Thank you, husband!

THE 2009 Health Information Technology Act

Abstract

SMALL, S.P., The 2009 Health Information Technology Act-True Financial Incentives- or More Government Control? Master of Business Administration, Mount St. Marys College, December 2009. The computerization of medical records has been recommended as a means to reduce medical errors as well as costs, paperwork, time and redundancy. In addition to creating and maintaining medical records electronically, linking those records through interoperable data exchange is seen as a primary requirement toward increasing the efficiency and safety of care delivery. Interoperability is viewed as a solution that will allow providers in any location instant access to a patient's health and treatment history. There are significant challenges facing Health Information Technology and electronic health records, including structural, technical, financial and social/cultural issues. Although none of these represent insurmountable barriers, they all require viable solutions. To promote adoption of these technologies, the federal government has passed legislation designed to move toward their goal of creating an electronic health record for each person in the United States by 2014. The purpose of this qualitative study of the 2009 Health Information Technology Act is to determine if Hospital Chief Executive Officers perceive the financial incentives as a welcome opportunity to modernize their information management systems, or is a basis for the Government to increase their control of healthcare. A grounded theory model was utilized to analyze the results from multiple data sources to finalize this theory.


iv

List of Tables

Table 1: The State of Health Information Technology in California

....

11 15 16 57 59 60 63 70 82 83 84 85 86 87 89 89 90 91

Table 2: Summary of Federal Government Health IT . Table 3: Cost of Healthcare Facility Regulations. Table 4: Medicare Hospital Incentives.. Table 5: Medicare Hospital Incentives.. Table 6: Medicare Penalties.... Table 7: Medicaid Incentives for Hospitals... Table 8: Top Issues Confronting Hospitals.. Table 9: Literature review open coding model.... Table 10: Excessive government regulations.. Table 11: The ARRA adds increased layers of bureaucratic regulation.. Table 12: Implementation of a certified electronic record ..... Table 13 Identification of required standards...... Table 14: Uniform standards defining clinical care protocols.. Table 15: The ARRA is in reality the outline for total government control Table 16: The stimulus money outlined in ARRA is a benefit Table 17: The government requirements and regulations Table 18: The increased regulatory agencies

THE 2009 Health Information Technology Act Table 19: E H R will make it easier for organizations. Table 20: Linking the patient healthcare records of our organization Table 21: Government penalties for failing to implement Table 22: Respondent Location ... Table 23: Number of years in this occupation.. Table 24: Respondents Gender...... Table 25: Respondent Age Range ..... Table 26: Healthcare Organizations Tax Status of Respondents.. Table 27: Has your organization implemented an electronic medical record?........ 92 93 94 95 95 96 96 97 97


vi

GLOSSARY OF TERMS AHIMA. American Health Information Management Association AHRQ. Agency for Healthcare Research and Quality ANSI. American National Standards Institute ANSI-ASC. American National Standards Institute, Accredited Standards Committee ARRA. American Recovery and Reinvestment Act of 2009 AS. Administration Simplification Act ASC. Accredited Standards Committee Business Associate. A person or organization that performs a function or activity on behalf of a covered entity but is not part of the covered entitys workforce CCHIT. Certification Commission for Healthcare Information Technology CDC. Centers for Disease Control and Prevention CDS. Clinical Decision Support CEO. Chief Executive Officer Certificate of Need. Laws which control building of new healthcare facilities and services. CFR. Combined Federal Register CHARITY CARE. Healthcare provided for free or at a reduced cost to low income patients. CHHS. California Health and Human Services Agency CIM. Clinical Information Management CIO. Chief Information Officer CIS. Clinical Information System Clearinghouse. Electronic entity that translates nonstandard formatted data into standard data elements or into a standard transaction format. CMS. Centers for Medicare & Medicaid Services Covered Entity. A health plan, clearinghouse, or a health care provider that transmits health information in an electronic form. CPOE. Computerized Physician Order Entry DISA. Data Interchange Standards Association Disclosure. Release of information by an entity to persons or organizations outside of that entity. EDI. Electronic Data Interchange

THE 2009 Health Information Technology Act E H R. Electronic Health Record- health related information for an individual that can be accessed by more than one health care organization. EHNAC. Electronic Healthcare Network Accreditation Commission EMC. Electronic Medical Claim EMR. Electronic Medical Record synonymous with Electronic Patient Record (EPR), and Computerized Patient Record (CPR). Patient health record of services within one health care organization EMTALA. Emergency Medical Treatment and Labor Act. This act requires hospitals to provide emergency treatment to individuals, regardless of insurance status or their ability to pay. FACA. Federal Advisory Committee Act FALSE CLAIMS ACT. Act which allows individuals to file a complaint against an entity that files false claims for medical care to the Government. FAST. Federal Adoption of Standards for Health IT. FDA. Food and Drug Administration FEA. Federal Enterprise Architecture FFP. Federal Financial Participation FHA. Federal Health Architecture FHIPR. Federal Health Information Planning and Reporting FHISE. Federal Health Information Sharing Environment FHITSOP. Federal Health IT Standards Organization Participation FSS. Federal Security Strategy FSWG. Federal Security Work Group FTF. Federal Transition Framework Functionality. Systems that can support the activities and perform the functions for which they were intended. GAO. Government Accounting Office HCFA. Health Care Finance Agency, responsible for oversight of the U.S. Medicare Program HI. Health Information HIE. Health Information Exchange HEDIS. Health Plan Employer Data and Information Set (Measures managed care program performance indicators) HIMSS. Health Information Management Systems Society HIO. Health Information Organization HIPAA. Healthcare Insurance Portability and Accountability Act of 1996 (Public Law 104-191)

The 2009 Health Information Technology Act HISB. Health Informatics Standards Board HISE. Health Information Sharing Environment HISPC. Health Information Security and Privacy HIT. Health Information Technology HITECH Act. Health Information Technology for Economic and Clinical Health Act HITPC. Health Information Technology Policy Council. HITSP. Health Information Technology Standards Panel

viii

HL7. Health Level Seven - Founded in 1987, HL7 is a not-for-profit Standards Developing Organization (SDO) that specializes in developing standards for the exchange of clinical data among disparate health care computer applications the American National Standards Institute accredits HL7. HOSPITAL CONVERSION REGULATIONS. Laws regulating the conversion of for profit hospitals to non profit status. ICD- International Classification of Diseases Interoperability. Ensuring that systems implement the recognized standards and can exchange information and work with other systems., IRB. Institutional Review Board IT. Information Technology ITA. Information Technology Architecture ISO. International Organization for Standardization ISO/TC215. International Organization for Standards, Technical Committee 215 - Health Informatics JCAHO. Joint Commission for the Accreditation of Health Care Organizations Limited English Proficiency. Laws which require hospitals to provide interpreter services to patients that do not speak English. Meaningful Use. Meaningful users of an electronic health record to be defined by the Federal Government as a requirement for receiving stimulus dollars. MUMPS. Massachusetts General Hospital Utility Multi-Programming System. A healthcare programming language created in the late 60s. NAHDO. National Association of Health Data Organizations NCQA. National Committee for Quality Assurance NCVHS. National Committee on Vital and Health Statistics NHIE. Nationwide Health Information Exchange NHIN. Nationwide Health Information Network NIH. National Institutes of Health

THE 2009 Health Information Technology Act NLM. National Library of Medicine OCR. Office of Civil Rights OIG. Office of Inspector General. OIS. Office of Interoperability and Standards OMB. Office of Management and Budget ONC. Office of the National Coordinator (preferred abbreviation for ONCHIT). ONCHIT. Office of the National Coordinator for Health Information Technology PHC. Personalized Health Care PHI. Personal Health Information PHR. Personal Health Record PHSA. Public Health Services Act PITAC. Presidents Information Technology Advisory Committee RHIO. Regional Health Information Organization. SAMSA. Substance Abuse and Mental Health Services Administration SDO. Standards Development Organization Security. System protection of personal health information SLHIE. State Level Health Information Exchange Consensus Project SMHP State Medicaid HIT Plan SNOMED. Systemized Nomenclature of Medicine VHA. Veterans Health Administration


x

The 2009 Health Information Technology ActTABLE OF CONTENTS

1

Page

DEED OF DECLARATION APPROVAL SHEET ACKNOWLEDGMENT . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . ABSTRACT. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . LIST OF TABLES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . .

ii iii iv v vi viii 4 4 7 8 10 10 12 14 15 20 26 27 28

GLOSSARY OF TERMS.. Chapter 1: INTRODUCTION. . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . Background of the Study .......................... .

History of Electronic Health Record Statement of the Problem. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Chapter 2: LITERATURE REVIEW. Current State American Recovery and Reinvestment Act Purpose of Recovery Act HIT Incentives Federal Regulatory Issues and Requirements Health Information Privacy Civil Rights.. Food and Drugs Fraud & Prevention Detection.

The 2009 Health Information Technology Act Information Management. Medical and Healthcare Other Federal Laws.. Regulatory Agencies and Responsibilities California Legislation and Action Plans. Medicare Centers for Medicare and Medicaid Services (CMS) State Medicaid.. Costs. Savings.. Benefits. Barriers.. Privacy Concerns.. Chapter 3: RESEARCH METHODOLOGY 29 31 32 36 47 56 60 64 65 66 69 72 74 74 76 76 78 79 80 82 82 83

2

Grounded Theory Model Data Sources.. Study population for survey Literature Review... Data Collection. Data Analysis.... Chapter 4: ANALYSIS..

Literature Coding Results. Survey Results .


3

Chapter 5

CONCLUSION

98 103

References.. Appendix Appendix A Appendix B Appendix C Privacy Sections in Order of Appearance in ARRA.. Literature Review: Open Coding Model. Title 42 Federal Public Health Regulations

123 124 127 130 132 133 135 138

Appendix D Public Health Services Act.. Appendix D Meaningful Use Documents. Appendix E Appendix F Certified Inpatient E H R Products.. Hospital CEO Survey...

Appendix G MSMC IRB Exemption Letter.

The 2009 Health Information Technology Act Chapter 1

4

INTRODUCTION

Background to the Study Health Information Technology-Electronic Health Records (HIT-EHR) is a broad term that refers to the generation, storage, and transmission of electronic health information. Information management is central to the healthcare system, and HIT-EHR is widely viewed as the necessary step to bring healthcare into the 21st century. It is argued that HIT-EHR will reduce overall healthcare costs, improve quality, and increase efficiency throughout the healthcare system. However many are still skeptical as to its real impact given the substantial investment required to implement it. To put this in context, U.S. healthcare spending was $2.1 trillion in 2006, and at least $250 billion in California. U.S. spending is projected to grow to $4 trillion by 2015, with direct administrative costs accounting for more than 7 percent of the total U.S. health spending. However, when the administrative costs of hospitals and doctors are added to those of insurers and Government, the administrative costs are estimated to be 31 percent of total health care spending. These administrative costs are estimated to be 30 to 70 percent higher than in other countries that also have mixed public-private systems (Department of Health, 2009). The leading nations in adopting HIT-EHR, such as Britain and New Zealand, have achieved 98 percent participation by primary care physicians. In the United States about 28 percent of primary care physicians use HIT-EHRs and less than 20% of hospitals (The

The 2009 Health Information Technology Act Commonwealth Fund, 2009). Other sectors of the U.S. economy (for example, banking) have successfully digitalized their operations, but healthcare has been slow to make the transition. While the development and wide-scale use of HIT-EHR has experienced obstacles, it is gaining ground in both the public and private sectors (Girosi, 2004). For decades, hospitals and other medical service providers have been enticed by the prospect of establishing electronic health record systems to improve the efficiency of their

5

medical care and reduce medical errors. Automating the health record process has the potential to provide a host of benefits, most notably by reducing medical errors. For example, as many as 98,000 Americans die each year as a result of preventable medical records (Taylor, 2005). Electronic medical record systems could significantly reduce this number. A much cited 2005 Rand Corp (Rand 2005) study of the use of medical record automation found that a savings of $77 billion annually could be realized. However, it is widely believed that the cost of implementing electronic health records systems is responsible for low adoption rates (Rand, 2005). The United States health care system is at risk due to increasing demand, spiraling costs, inconsistent and poor quality of care, and inefficient, poorly coordinated care systems. Some evidence suggests that health information technology can improve the efficiency, cost effectiveness, quality, and safety of medical care delivery by making best practice guidelines and evidence based databases immediately available to clinicians, and by making computerized patient records available throughout a health care network (The Markle Foundation, 2009). However, much of the evidence is based on a small number of systems developed at academic medical centers, or studies using mixed models to project organizational changes, costs, and the

The 2009 Health Information Technology Act time required for implementation (Hillestad, 2005).. Definitive information regarding the true value of systems is not widely identified within the literature. (Price Waterhouse, 2009). Most medical records are still stored on paper which means that they cannot be used to

6

coordinate care, routinely measure quality or reduce medical errors. It is important to understand the barriers to implementation of these technologies. Most often, capital cost is cited as an impediment to adoption of medical information technology; however, the story grows more complicated in the framework of the complex American health care system where government sources pay for the majority of health care services (Acker, 2004). One Commentator has noted: most HIT-enabled savings go to insurers and patients, while most adoption and care improvement costs are borne by providers (Ferman, 2006). Thus, it would seem that the incentives to adopt health information technology are misaligned. Successful implementation of an electronic medical record requires overcoming more than the financial burden. Additional barries include a lack of standards, ill defined certification requirements, privacy concerns, and lack of clarity regarding the anticipated government regulations (Garrido, 2004). To address the financial burden, the federal government has recently offered a solution in the form of public funding, grants and payment incentives. The law creates two key concepts to determine whether providers qualify for the HIT incentives: they must demonstrate meaningful use of HIT and use a qualified or certified E H R (AHHR, 2009). The formal definition of meaningful use has yet to be defined. The overarching Nationwide goals of HIT investments are to improve healthcare quality, reduce growth in costs, stimulate innovation, and protect privacy (Health Information, 2009). However, there remains concern regarding the lack of standards, incomplete defining of meaningful use and the qualifications of


7

certified records. This ambiguity puts resources at risk and has the potential to leave healthcare organizations in a vulnerable position as they attempt to navigate through the regulatory minefield. Regulations impose a considerable burden on the U.S. healthcare system. Some of these include EMTALA (Emergency Medical Treatment and Labor Act), HIPAA (Health Insurance Portability and Accountability Act), Charity Care, hospital conversion regulations, limited English proficiency requirements, fraud and abuse reporting requirements, False Claims Act, Medicare and Medicaid antifraud statutes, Stark I and II laws, medical record regulations, Certificate of Need regulations, Medicare Conditions of Participation, pharmaceutical price regulations and quality related regulations to name a few. Hospitals bear considerable expense to insure compliance with these types of regulations, which adds a significant financial burden to an already ailing system (Conover, 2004). History of Electronic Health Records (EHRs) The first known medical record was developed by Hippocrates, in the fifth century B.C. He prescribed two goals: A medical record should accurately reflect the course of disease. A medical record should indicate the probable cause of disease (NIH, 2005).

These goals are still appropriate. Electronic health record systems can also provide additional functionality, such as interactive alerts to clinicians, interactive flow sheets, and tailored order sets, all of which cannot be done with paper-based systems (Amatayakul, 2005). The first EHRs began to appear in the 1960s. By 1965, Summerfield and Empey reported that at least 73 hospitals and clinical information projects and 28 projects for storage and retrieval of

The 2009 Health Information Technology Act medical documents and other clinically-relevant information were underway(Asp, 2003). Many of todays EHRs are based on the pioneering work done in academic medical centers and for major government clinical care organizations. These early projects had significant technical and programmatic issues, including non-standard vocabularies and systeminterfaces, which remain implementation challenges today. But they led the way, and many of the

8

ideas they pioneered (and some of the technology, such as the MUMPS language) are still used today (NIH, 2005).

Problem Statement This study will strive to answer the following questions: 1. Will the advantage of accessing the stimulus money be perceived as a true benefit, or will the increased regulations for health care providers be another

barrier that prevents adoption? 2. Is the goal of the stimulus plan intended to simply motivate health care organizations and providers to transition to an electronic record or is it the beginning of government run healthcare services?

To further develop the understanding of the question, the American Recovery and Reconciliation Act of 2009, introduces much needed financial incentives for implementing an electronic medical record, but it also adds significant regulatory requirements, as well as extends the oversight of the government into new areas of the healthcare delivery system. Over the past decade, HIT has been a voluntary initiative for healthcare providers. The ARRA is a federal law that identifies increased funding and regulations with stricter privacy laws and more onerous fines. The Office of the National Coordinator (ONC) is granted broad new powers and an

The 2009 Health Information Technology Act additional $2 billion in funding (American Medical Association, 2009). Electronic medical records are intended to allow healthcare providers to improve the quality of care, decrease costs and improve patient safety within a framework that allows all providers to jointly share and manage the health care information of its citizens (Brailer, 2009).

9

The very low levels of adoption of electronic health records in U.S. hospitals suggest that policymakers face substantial obstacles to the achievement of healthcare performance goals that depend on health information technology. The federal stimulus bill promises billions of dollars in incentive payments to doctors and hospitals that buy and use the systems, with penalties starting in 2015 for those who don't make the switch (Beatty, 2009). In the hospital setting, the Chief Executive Officer is traditionally the decision maker. What impact has the ARRA had on their decision to implement (or not) an electronic medical record system? Is the role of the government within the healthcare setting appropriate? What is the perception of these executives regarding the impact of the financial stimulus for adoption and use of Health Information Technology by the federal government? These are the questions this study will review and answer.

The 2009 Health Information Technology Act CHAPTER 2

10

REVIEW OF RELATED LITERATURE

Current State U.S. health care providers make minimal use of HIT compared to other health systems in the industrialized world. Per a white paper published by The Commonwealth Fund in 2009: 17% of U.S. Physicians and 8-10% of U.S. Hospitals have at least a basic electronic health record. In most European countries, as well as New Zealand and Australia 80-100% of primary care physicians have electronic healthcare records (EHRs) (The Commonwealth Fund, 2009). Healthcare is among the least automated industries in the nation. Studies have estimated that the healthcare industry as a whole is almost 20 years behind the rest of the nations industries with respect to digitalization. Limitations in software, hardware and networking technologies has made electronic healthcare records difficult to affordably implement (Blumethal, 2009). According to the Centers for Disease Control (CDC, 2007 ), 29.2% of physicians said they use full or partial clinical EHRs, however only 4% said they used a fully functional record system ( Hing, 2007). The majority of the research indicates that very few hospitals have a comprehensive electronic system for recording clinical information and only a small minority have even a basic system. However, many institutions have parts of an electronic-records system in place, suggesting that policy interventions could increase the prevalence of electronic health records in U.S. hospitals faster than our low adoption levels might suggest (HIMSS, 2009).

The 2009 Health Information Technology Act From a national interoperability perspective, much of the infrastructure is not in place. Key components have not yet been defined. This includes: The rules that specify how to send information back and forth,

11

Legal business rules in place to guide organizations in order for them to exchange data,

Identified standards for health care organizations to use as a model for implementing an electronic medical record system,

Clinical standards for electronic systems, The ability to allow patient medical records to be shared or moved about in the system.

Software flexibility and customization capabilities due to out-dated programming technology(American Hospital Association, 2007).

Table 1 The State of Health Information Technology in California

Fully Implemented Partially Implemented Not Implemented

13% 42% 45%

Source: California HealthCare Foundation. January 2007

Health IT is moving from a voluntary initiative over the past decade to a highly regulated


12

one with new rule-making government committees, stricter privacy laws and more onerous fines. With billions in new funding and government regulations, the health IT market should quickly expand far beyond the provider segment, providing new opportunities for health plans, pharmaceutical companies and other vendors (Argawal, 2002). Less than 2% of acute care hospitals have a comprehensive electronic-records system, and, (depending on the definition used), between 8 and 12% of hospitals have a basic electronicrecords system. The official definition requires the system to include the presence of functionalities for physicians' notes and nursing assessments. Information systems in more than 90% of U.S. hospitals do not even meet the requirement for this type of basic electronic-records system (HIMSS, 2007). The majority of U.S. hospitals are in the early stages of EMR transformation (AHA, 2007). Although levels of adoption of electronic health records are low, various components that underlie electronic record systems have been widely implemented. A sizable proportion of hospitals reported that laboratory and transcribed reports, radiological images (PACS), medication lists, and some decision-support functions are available in electronic format (American Hospital, 2007). Others reported that they plan to upgrade their information systems to an electronic-records system by adding functionalities, such as computerized provider-order entry (CPOE), physicians notes and nursing assessments (Jha, 2009). The American Recovery and Reinvestment Act of 2009 On February 17, 2009, President Barack Obama signed into law the American Recovery and Reinvestment Act of 2009, H.R. 1 (ARRA, 2009). More commonly referred to as ARRA or the Recovery Act, this provides substantial financial incentives to assist providers with the

The 2009 Health Information Technology Act purchase and implementation of HIT systems. In addition to assisting with financing, a key element to the widespread adoption and use of HIT is the development of uniform electronic standards that allow various systems to communicate with each other (American Medical Association, 2009). ARRA requires the Department of Health and Human Services (HHS) to develop standards by December 31, 2009 (AHRQ ,2009) . The Recovery Act includes financial incentives and penalties to be paid through the Medicare program with very specific time frames for implementation. In addition, ARRA, includes over $20 billion to aid in the development of a robust IT infrastructure for healthcare

13

and to assist providers and other entities in adopting and using health IT. Total funding for health IT is as follows: $2 billion for the Office of the National Coordinator , $20.819 billion in incentives through the Medicare and Medicaid reimbursement systems to assist providers to adopting EHRs, $4.7 billion for the National Telecommunications and Information Administrations Broadband Technology Opportunities Program, $2.5 billion for the U.S. Department of Agricultures Distance Learning, Telemedicine, and Broadband Program, $1.5 billion for construction, renovation, and equipment for health centers through the Health Resources and Services Administration, $1.1 billion for comparative effectiveness research within the Agency for Healthcare Research and Quality (AHRQ), National Institutes of Health (NIH), and the Department of Health and Human Services (HHS),


14

$85 million for health IT, including tele-health services, within the Indian Health Service,

$500 million for the Social Security Administration, $50 million for information technology within the Veterans Benefits Administration ,

In addition, it establishes HIT Policy and Standards Committees that are comprised of public and private stakeholders to provide recommendations on the HIT policy framework, standards, implementation specifications, and certification criteria for electronic exchange and use of health information (Department of Health, 2009).

Purpose of Recovery Act HIT Incentives The primary purpose of this Act is to stimulate the economy through investments in infrastructure, unemployment benefits, transportation, education, and healthcare (ARRA, 2009). With respect to healthcare, one of the goals is to reduce long-term costs by modernizing healthcare through the use of information technology. The majority of the funds are incentive payments that will go to Medicaid and Medicare providers that are able to demonstrate "meaningful use" of health information technology. The requirements that define meaningful use have not yet been published. Providers that serve patients from both programs will be required to choose one source of reimbursement only (AHRQ, 2009). Medicare: Eligible hospitals will receive a base funding of $2M with additional funds provided according to a statutorily prescribed formula related to discharge data. The program

The 2009 Health Information Technology Act also creates a penalty system which begins in 2015 (CMS, 2009). Medicaid: The purpose of the 100 percent provider incentive payments to certain eligible Medicaid providers is to encourage the adoption and meaningful use of certified EHR technology (CMS, 2009).

15

While the incentive payments are expected to be used for certified EHR technology and support services, including maintenance and training necessary for the adoption and operation of such technology, the incentive payments are not direct reimbursement for such activities. They are intended to serve as an incentive for eligible providers to adopt the use of certified EHR technology (Binder, 2009).T ab le 2 S u m m a ry of F ed era l G overn m en t H ea lth IT S tra teg ic G oa ls a n d O b jectives: 2 0 0 8 -2 0 1 2Goal 1. Patient-focused Health Care Objective 1.1: Objective 1.2: Objective 1.3: Objective 1.4:

F a c ilita te e le c tr o n ic e x c h a n g e , E n a b le th e m o v e m e n t o f e le c tr o P ico m o te n a tio n w id e d e p lo y m e n t b lish m e c h a n ism s fo r m u ltinr E sta a c c e ss, a n d u se o f e le c tr o n ic h e a lth lth in fo r m a tio n to su p p o r t o f e le c tr o n ic h e a lth r e c o r d s sta k e h o ld e r p r io r ity - se ttin g a n d he a in fo r m a tio n , w h ile p r o te c tin g th ep a tie n ts h e a lth a n d c a r e n e e d s.( E H R s) a n d p e r so n a l h e a lth d e c isio n - m a k in g . p r iv a c y a n d se c u r ity o f p a tie n ts r e c o r d s ( P H R s) a n d o th e r h e a lth in fo r m a tio n . c o n su m e r h e a lth I T to o ls. Goal 2. Population Health Objective 2.1: Objective 2.2: Objective 2.3: Objective 2.4:

A d v a n c e p r iv a c y a n d se c u r ity E n a b le e x c h a n g e o f h e a lth P r o m o te n a tio n w id e a d o p tio n E sta b lish c o o r d in a te d o r g a n iza tio n a l of p o lic ie s, p r in c ip le s, p r o c e d u r e s, in n dr m a tio n to su p p o r t p o p u la tio n - c h n o lo g ie s to im p r o v e a fo te p r o c e sse s su p p o r tin g in fo r m a tio n u se p r o te c tio n s fo r in fo r m a tio n a c c e ssr ie n te d u se s. o in p o p u la tio n a n d in d iv id u a l h e a lthr. p o p u la tio n h e a lth . fo p o p u la tio n h e a lth .

Source: Federal Health IT Strategic Plan 2008-2012

Federal Regulatory Issues and Requirements There is much debate as to the role that the federal government should play in the promotion of HIT-EHR. Some argue that HIT-EHR development should be left completely to the private sector. Middleton believes that the market has failed given the current state of HIT-EHR adoption, and that government guidance and standardization is necessary to jumpstart

The 2009 Health Information Technology Act widespread implementation ( Walker et al., 2005). Both Bower and Taylor, et al., suggest that major government intervention is the only hope of success, in the form of subsidies, mandates, and substantial policy directives. (Taylor, 2005) According to a study by the Cato Institute (Conover, 2004), the burden of regulation in the health care industry is staggering. The study provides a detailed analysis of the cost of regulation in the health care sector, prior to the current slew of new agencies and regulations

16

recommended for implementation of the electronic medical record. This study (Conover, 2004) identifies the cost of regulation of health facilities, health professionals, health insurance, drugs and medical devices, and the medical tort system, including the costs of defensive medicine. The calculations include a deduction of identifiable tangible benefits of regulation. With that said, the estimate is considerable, amounting to $169.1 billion annually. The study suggests that the cost of health service regulation outweighs benefits by a two to one cost. (Conover, 2004). Table 3 Cost of Health Facilities Regulation (millions of 2002 dollars)Type of Regulation Access EMTALA Hospital uncopensated care pools Hospital community serv requirements ice Limited English proficiency requirements Costs Health care fraud and abuse Facility medical records (incl priv acy) Organ transplant regulation Certificate of need Hospital rate setting Pharmaceutical price regulation Other cost-related facilities regulations Quality Hospital accreditation/ licensure Nursing home accreditation/licensure Other facilities accreditation/licensure Peer Rev iew Clinical Laboratory Improv ement Act (CLIA) Other quality-related facilities regulations GRAND TOTAL Source: Cato Institute (Conover, 2004) Expected $11,755 $4,436 $6,678 $317 $324 $14,130 $3,209 $1,068 $1,815 $110 $69 $7,626 $233 $21,798 $8,640 $3,581 $2,078 $2,063 $3,236 $2,200 $47,683 Costs Minimum $2,184 $1,261 $698 $123 $102 $11,948 $2,224 $696 $1,653 $26 $57 $7,163 $129 $9,595 $833 $1,963 $465 $1,314 $3,065 $1,955 $23,727 Maximum $29,544 $10,965 $16,591 $961 $1,027 $273,339 $9,945 $92,178 $1,785 $157,859 $3,023 $8,149 $400 $57,592 $31,885 $6,821 $7,447 $5,481 $3,466 $2,492 $360,475 Expected $3,805 $2,146 $1,524 $135 $0 $14,837 $2,154 $1,222 $1,804 $0 $51 $9,606 $0 $3,973 $0 $3,973 $0 $0 $0 $0 $22,615 Benefits Minimum $700 $421 $233 $46 $0 $20,748 $1,808 $996 $280 $5,067 $4,421 $8,176 $0 $3,973 $0 $3,973 $0 $0 $0 $0 $25,421 Maximum $8,928 $4,930 $3,601 $397 $0 $27,094 $2,912 $1,450 $4,644 $0 $0 $18,088 $0 $3,973 $0 $3,973 $0 $0 $0 $0 $39,995 Net Cost $7,950 $2,290 $5,154 $182 $324 -$707 $1,055 -$154 $11 $110 $18 -$1,980 $233 $17,825 $8,640 -$392 $2,078 $2,063 $3,236 $2,200 $25,068 Percent 31.7% 9.1% 20.6% 70.0% 0.0% 1.3% -2.8% 4.2% -0.6% 0.0% 4.0% 0.4% 0.1% -7.9% 0.9% 71.1% 34.5% -1.6% 8.3% 8.2% 12.9% 8.8% 100%


17

Subsequently, the ARRA has been signed. The Recovery Act includes significant funding for the implementation and management of the incentive program as well as the ongoing support for providers meeting the qualifications of a certified electronic medical record system, and additional funding for the required regulatory reporting agencies. The new law requires the Department of Health and Human Services, and the Office of the National Coordinator for Health Information Technology (ONC), to adopt a rule-making process of initial standards, implementation specifications and certification criteria by December 31, 2009 (AMA, 2009). The new regulatory requirements are a complex array of additional governmental layers. When reading the following, consider the depth and comprehension level required to administer a successful electronic system while complying with the regulations that are integrated into the newly defined HITECH landscape. A clear understanding of all applicable laws and regulations is a basic requirement for holding a position of leadership in a Hospital, particularly at the Chief Executive Officer level. Health Information Technology for Economic and Clinical Health Act (HITECH) On February 17, 2009 the American Recovery and Reinvestment Act of 2009 commonly referred to as the Stimulus Bill, was signed into law by the federal government. Included in this law is $19.2 Billion which is intended to be used to increase the use of Electronic Health Records (EHR) by physicians and hospitals; this portion of the bill is called, the Health Information Technology for Economic and Clinical Health Act, or HITECH Act. The government firmly believes in the benefits of using electronic health records and is ready to invest federal resources to proliferate its use. (Ways and Means, 2009).

The 2009 Health Information Technology Act Meaningful Use Two important elements have yet to be defined. This includes the official definition of meaningful use, and the specifications required for becoming a certified electronic health record (Health IT, 2009). The meaningful use workgroup of the HIT Policy Committee has released its initial recommendations for a definition of "meaningful use" of electronic health records. The definition is important because under the economic stimulus law, providers must

18

"meaningfully use" EHRs to receive financial incentives from Medicare and Medicaid (Health IT Committee, 2009). These initial recommendations do not include a formal definition of meaningful use. They include the initial recommendation of the functionalities that will be required by 2011 when incentive payments begin. "This is the beginning of a conversation that will continue for some time," said David Blumenthal, M.D., the National Coordinator for Health Information Technology, during a meeting of the HIT Policy Committee, a public-private advisory group. Blumenthal added that "there is a long way to go" before a final definition of meaningful use is achieved (Goedert,2009). The workgroup's initial recommendations include 22 objectives--most covering inpatient and outpatient care for EHRs in 2011. These include, among others: Use CPOE for all order types including medications, Implement drug-drug, drug-allergy and drug-formulary checks, Maintain an up-to-date problem list, Generate and transit permissible prescriptions electronically, Maintain an active medication allergy list,


19

Send reminders to patients per their preference for preventive and follow-up-care, Document a progress note for each encounter, Provide patients with an electronic copy or electronic access to clinical information such as lab results, problem list, medication lists and allergies,

Provide clinical summaries for patients for each encounter, Exchange key clinical information among providers of care, Perform medication reconciliation at relevant encounters, Submit electronic data to immunization registries where required and accepted, Provide electronic submissions of reportable lab results to public health agencies, Provide electronic surveillance data to public health agencies according to applicable law and practice, and,

Comply with federal and state privacy/security laws and the fair data sharing practices in HHS Nationwide Privacy and Security Framework, released in December 2008 (Health Information Technology, 2009). Certified Electronic Health Record

The rules and regulations for meeting the requirements of a certified electronic health record are still under discussion, with preliminary models identified for 2011 (Health IT, 2009). The Certification Commission launched its updated and new 2011 Certification Programs on October 7, 2009. In addition to its established, CCHIT Certified Comprehensive Certification Programs, the Commission also launched a more limited ARRA certification program(health Information, 2009). The CCHIT Certified 2011 program inspects products against comprehensive

The 2009 Health Information Technology Act functionality, interoperability, and privacy and security criteria using the Commissions published methods. Products must be fully compliant. They must also meet or exceed applicable proposed Federal standards for certified EHR technology to support the 2011-2012 incentives under the American Recovery and Reinvestment Act of 2009 (Health IT, 2009)

20

The ARRA certification component of both programs is considered preliminary because the definitions of meaningful use, criteria, and standards have been proposed but not yet finalized by the US Department of Health and Human services(Certification Commission, 2009). Health Information Privacy ARRA layers on new privacy protections and prosecution powers to discourage unauthorized access to patient information. Under ARRA, even a brief unauthorized look at a medical record can result in large monetary fines for individuals and facilities. Through a wide range of provisions, Congress used ARRA as an attempt to increase patient trust that the healthcare industry will protect their personal information (Healy, 2009). Health Insurance Portability and Accountability Act of 1996 (HIPAA) The Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes. The Act is defined as follows: The Standards for Privacy of Individually Identifiable Health Information (Privacy Rule) establishes, for the first time, a set of national standards for the protection of certain health information. The U.S. Department of Health and Human

The 2009 Health Information Technology Act Services (HHS) issued the Privacy Rule to implement the requirement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).1 The Privacy Rule standards address the use and disclosure of individuals health informationcalled protected health information by organizations subject to the Privacy Rule called

21

covered entities, as well as standards for individuals' privacy rights to understand and control how their health information is used. Within HHS, the Office for Civil Rights (OCR) has responsibility for implementing and enforcing the Privacy Rule with respect to voluntary compliance activities and civil money penalties (Department of Health and Human Services, 2009). The ARRA has tightened existing Privacy Rules to meet the demands of the electronic Medical Record. The privacy and security of electronic health information must be ensured as this information is maintained and transmitted electronically. (OCR, 2009). The Uniform Healthcare Information Act The National Conference of Commissioners on Uniform State Laws has promulgated a standard state privacy statute known as the Uniform Healthcare Information Act. The Act is supported by the American Medical Association. The main thrust of the Uniform Act is: Medical records may be released only with the patients consent, A subpoena may be required to release medical information in a legal context, Patients have access to their own records. The Act sets forth stern penalties for noncompliance. Of great interest to third party payers is the provision of many of the state statutes which deals with fraud and health care

The 2009 Health Information Technology Act records. The statutes of some states prevent a provider from testifying for or against a patient without the patients consent. These are called privileged communication statutes (National Conference, 1985). Data Breach The data breach notification regulations are the first of the ARRA privacy provisions to take effect. The Department of Health and Human Services(HHS), will oversee organizations that qualify as covered entities and business associates under HIPAA. The Federal Trade

22

Commission (FTC) will oversee everyone else, including vendors of personal health records. The law requires both HHS and the FTC to create and publish final interim regulations by August 16, 2009. The provisions become effective 30 days after publication (ARRA, 2009). Administrative Simplification: Title II, Subtitle F. (HIPAA) This section grants authority to mandate the use of standards for the electronic exchange of healthcare data, to specify what medical and administrative code sets should be used within the standards (Health Insurance, 1996). Accounting for Disclosures ARRA requires healthcare facilities using EHR systems to provide patients with a fuller accounting of disclosures, including disclosures for treatment purposes and other routine healthcare operations. This is a significant change from the current HIPAA laws, which exempt treatment, payment and business operations disclosure (Appendix A). Restrictions of Certain Disclosures ARRA gives patients the right to prevent the disclosure of health data to their health insurance plans if they paid for treatments out of their own pockets. EHR systems will have to

The 2009 Health Information Technology Act adapt to accommodate such requests (Appendix A). Electronic Copies ARRA requires any provider using an EHR system to produce an electronic copy of a patients health record upon request. Under HIPAA, providers are required to give a copy of a patients record in the format requested, but only if documents are readily producible in that format. Many EHR systems in use are not up to that challenge (Appendix A). Liability for Business Associates ARRA has several provisions that extend HIPAA privacy, security, and administrative

23

requirements to business associates. Business Associates (BA) are individuals or an organization that performs a function or activity on behalf of a covered entity, but is not a part of the covered entitys workforce. Covered entities must update their business associate agreements to incorporate these new provisions. Among the changes, ARRA requires business associates to respond to any privacy noncompliance on the part of the covered entities. Security breach, restrictions and disclosures, sales of health information, consumer access, business associate obligations and agreements (OCR, 2009). Improved Enforcement The Recovery Act carries a number of items Congress lumped together as improved enforcement. Many of these also relate to Section 1177(a) of the Social Security Act (42 U.S.C. 1320) which established the penalties as we currently know them (ARRA, 2009). Noncompliance Due to Willful Neglect Increased penalties due to willful neglect is a violation for which the Secretary is required to impose a penalty. For the penalty to be levied, the Secretary must formally investigate any

The 2009 Health Information Technology Act complaint of a violation of a provision of HIPAA privacy. When the investigation indicates a violation due to willful neglect a penalty will be imposed. This change will apply to penalties that occur more than 2 years after the enactment date. The Secretary is to publish final regulations related to this requirement not later than 18 months after the ARRA enactment (ARRA, 2009). Distribution of Certain Civil Monetary Penalties Collected

24

This provision calls for any civil monetary penalty (or monetary settlement collected with respect to an offense punishable under ARRA privacy provisions or the Social Security Act (HIPAA) to be transferred to the HHS Office of Civil Rights for the purpose of enforcing the provisions of these ARRA provisions. The Government Accounting Office (GAO) is to submit a report to the Secretary within 18 months of enactment, with recommendations for a methodology under which an individual who is harmed by an act that constitutes an offense to the ARRA provisions or HIPAA may receive a percentage of any civil monetary penalties or monetary settlement collected. Then, within three years of enactment, the Secretary shall establish regulations based on the GAO recommendations. The methodology will apply with respect to civil monetary penalties or monetary settlements imposed on or after the effective date of the regulation (ARRA, 2009). Tiered Increase in Amount of Civil Monetary Penalties The ARRA modifies the Social Security Act Penalties. In this case a tiered set of penalties is established as follows: Where there is a violation that it is established when the person did not know (and by exercising reasonable diligence would not have known) that such


25

person violated a provision, a penalty for each violation will be at least $100 for each violation, not to exceed $25,000 (ARRA, 2009, p.158). Where there is a violation and the violation was due to reasonable cause and not to willful neglect, a penalty for each such violation will be at least $1,000 for each violation, not to exceed $100,000 for each violation (ARRA, 2009). Where there is a violation and violation was due to willful neglect: If the violation is corrected, a penalty of $10,000 will be required for each violation, not to exceed $250,000. If the violation is not corrected as described, a penalty in the amount of $50,000 will be required not to exceed $1,500.000 (ARRA, 2009). The Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information: The principles of the Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information establishes a single, consistent approach to address the privacy and security challenges related to electronic health information exchange through a network for all persons, regardless of the legal framework that may apply to a particular organization (ONC, 2009). CMS Security Standards: The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA, Title II) required the Department of Health and Human Services to establish National Standards for the security of electronic health care information. The final rule adopting HIPAA standards for security was published in the Federal Register on February 20, 2003. This final rule specifies a series of administrative, technical, and physical


26

security procedures for covered entities to use to assure the confidentiality of electronic protected health information. (CMS, 2009). Civil Rights Title VI of the Civil Rights Act of 1964 While ARRA has not modified awardees civil rights obligations, which are referenced in the HHS Grants Policy Statement, these obligations remain a requirement of Federal law. Recipients and sub-recipients of ARRA funds or other federal financial assistance must comply with Title VI of the Civil Rights Act of 1964 (prohibiting race, color, and national origin discrimination) (Title VI, 1964). Section 504 of the Rehabilitation Act of 1973 Requires hospitals to validate that they protect patients from disability discrimination (Rehabilitation, 1973). Title IX of the Education Amendments of 1972 Requires hospitals to insure that they prohibit sex discrimination in education and training programs, discrimination on the basis of sex in Federally supported education programs is also prohibited (Title IX, 1972). The Age Discrimination Act of 1975 Prohibits hospitals from age discrimination in the provision of services (Age, 1975). Public Health Service Act Titles VI and XVI of the Public Health Service Act require health facilities that received certain Federal funds (Hill-Burton funds) to provide certain services to members of its designated community (Appendix D)

The 2009 Health Information Technology Act Section 542 of the Public Health Service Act, as amended, bars discrimination in admission or treatment against substance abusers suffering from medical conditions by Federally-assisted hospitals and outpatient facilities (Appendix D). Food and Drugs The Food and Drugs Act of 1906 The first of more than 200 laws that constitute one of the world's most comprehensive and effective networks of public health and consumer protections (Pure, 1906). The Federal Food, Drug, and Cosmetic Act of 1938 Among other provisions, the law authorized the FDA to demand evidence of safety for new drugs, issue standards for food, and conduct factory inspections (FDA, 2009). The Kefauver-Harris Amendments of 1962 Inspired by the Thalidomide tragedy in Europe, this amendment strengthened the rules for drug safety and required manufacturers to prove their drugs' effectiveness (FDA, 2009). The Medical Device Amendments of 1976 The law applied safety and effectiveness safeguards to new devices (FDA, 2009). Food and Drug Administration Amendments Act of 2007. This law represents a very significant addition to FDA authority. Among the many components of the law, the Prescription Drug User Fee Act (PDUFA) and the Medical Device User Fee and Modernization Act (MDUFMA) have been reauthorized and expanded. These

27

programs will ensure that FDA staff has the additional resources needed to conduct the complex and comprehensive reviews necessary to approve new drugs and devices (FDA, 2007). Electronic Records: Electronic Signatures

The 2009 Health Information Technology Act The regulations in this part set forth the criteria under which the agency considers electronic records, electronic signatures, and handwritten signatures executed in electronic records to be trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper (Electronic, 2003). Fraud Prevention & Detection Safe Harbor Regulation

28

The Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (MMA), identifies the final rules for Safe Harbor under the anti-kick back statute to protect certain arrangements involving goods, items, services, donations, and loans provided by individuals and entities to certain health centers that are funded under section 330 of the Public Health Service Act. The goods, items, services, donations, or loans must contribute to the health centers ability to maintain or increase the availability, or enhance the quality, of services available to a medically underserved population (OIG, 2006) Provider Self-Disclosure Protocol The Self-Disclosure Protocol is intended to be a vehicle under which the provider community can voluntarily disclose self-discovered evidence of potential fraud in an attempt to avoid the costs and disruptions that may be associated with a Government-directed investigation and with civil or administrative litigation. The Office of the Inspector General (OIG) verifies the information contained in the provider's submission and evaluates the matter for potential fraud issues.. While the OIG does not speak for the Department of Justice or other agencies, they are consulted, as appropriate, regarding the resolution of Self-Disclosure Protocol matters (Levinson, 2009).

The 2009 Health Information Technology Act HHS Recovery Act Oversight The American Recovery and Reinvestment Act of 2009 (Recovery Act) provides the Office of Inspector General (OIG), with $17 million in funding for oversight and review. The Recovery Act provided an additional $31,250,000 to the OIG for the purpose of ensuring the proper expenditure of funds under Medicaid. OIG will assess whether HHS is using the $165.4

29

billion in Recovery Act funds in accordance with legal and administrative requirements and that they are meeting the accountability objectives defined by the Office of Management and Budget (OIG, 2009). Whistleblower Protections under the Recovery Act The ARRA , provides protections for certain individuals who make specified disclosures relating to Recovery Act funds. Any non-federal employer receiving recovery funds is required to post a notice of the rights and remedies provided under this section of the Act (OIG, 2009). Information Management HHS Recovery Act The purpose is to increase access to health care, protect those in greatest need, create jobs, expand educational opportunities, lay the groundwork for successful health reform, and provide immediate relief to states and local communities. HHS has been entrusted with carefully investing $167 billion of taxpayers funds for these purposes, and is committed to making every dollar count (Federal Health, 2009). The HHS Recovery Act lays a solid foundation for health reform, and makes a down payment on the Presidents Zero to Five plan of early care and education of children by promoting access to health insurance and increasing the number of health care professionals

The 2009 Health Information Technology Act through Additional grants to healthcare workforce training institutions, Computerizing Americans health records, which will improve the quality of healthcare, reduce medical errors, and prevent unnecessary health care spending,

30

Advancing scientific and biomedical research and development related to health and human services,

Promoting economic and social well-being of individuals, families, and communities,

Strengthening necessary healthcare services for medically underserved individuals ,

Providing healthcare services to American Indians and Alaska Natives (Department of Health, 2009).

Freedom of Information Act (FOIA) This is a federal statue that allows individuals to request access to Federal agency records, except to the extent records are protected from disclosure by the Freedom of Information Act (Justice Department,2009). 482.24 Condition of Participation: Medical record services. Every hospital that accepts payment for Medicare and Medicaid patients must comply with the Center for Medicare and Medicaid Conditions of Participation. This regulation includes specific instructions for hospitals as well as defining criteria and standards for medical records. This includes the organization and staffing requirements for the medical records department, the


31

standardized format and the retention requirements for the records. It also identifies each of the specific types of documents that must be present, as well as the required content and documentation standards (CMS, 2009). Substance Abuse Rules Federal laws relating to substance abuse records came into being due to the sensitivity of such information. These special rules apply where the facility has any special substance abuse care unit. General medical care is not affected. There are stern monetary penalties for noncompliance (SAMSA, 2004). Joint Commission on Accreditation of Healthcare Organization Standards Specifically defines required standards for hospitals and healthcare organizations with respect to the content of the medical record, including IM.2.20 data integrity, IM.2.30 addresses continuity and disaster recovery for both hard copy and electronic records, and a myriad of other very specific requirements for organizations seeking accreditation. This accreditation process is required for all Medicare providers (The Joint Commission, 2009). Medical and Healthcare Title 42: Public Health Specific portion of the United States Code that identifies requirements for public health, social welfare, and civil rights. Specific requirements for hospitals and record keeping regulations are outlined (See Appendix C). Section 3012 of the Public Health Service Act The Health Information Technology Extension Program (Extension Program), authorized by Section 3012 of the Public Health Service Act as amended by ARRA - will establish a

The 2009 Health Information Technology Act collaborative consortium of Health Information Technology Regional Extension Centers facilitated by the national Health Information Technology Research Center. The Extension

32

Program will offer providers across the nation, technical assistance in the selection, acquisition, implementation, and meaningful an EHR to improve health care quality and outcomes (Public Health, 2009). Federal Medical Care Recovery Act (FMCRA) The Medical Care Recovery Act provides that, when the government treats or pays for the care of a military member, retiree, or dependent, it may recover its expenses from any third party legally liable for the injury or disease. The key to understanding the complexities of the FMCRA is to realize that the Federal Government operates one of the largest health care systems in the world (MCRA, 2007). Other Federal Laws In addition to being subject to HIPAA and Substance Abuse Confidentiality Requirements, healthcare organizations may be subject to several federal laws that touch in some way on privacy of health information. The Preamble to the Privacy Rule lists the following applicable laws: Privacy Act of 1974, Family Educational Rights and Privacy Act, Freedom of Information Act, Employee Retirement Income Security Act of 1974 (ERISA), Gramm-LeachBliley Act, federally funded health programs regulations, Food, Drug and Cosmetic Act, Clinical Laboratory Improvement Amendment, federal disability and non-discrimination laws, and U.S. Safe Harbor Privacy Principles. In addition, many federal regulations require disclosure of specific PHI for specific purposes in specific circumstances (Miller, 2007).

The 2009 Health Information Technology Act Federal Rule of Evidence, Article VIII Defines the requirements that a record must have to meet the federal and state rules of evidence to stand as a legal business record (Federal Rule, 1997). ONCs Federal HIT-EHR Strategic Plan: 2008-2012:

33

This plan brings together all HIT-EHR Federal efforts in a coordinated fashion, setting a number of goals, objectives, and strategies. The goals include privacy and security, interoperability, widespread adoption, and collaborative governance. The plan catalogs activities from many Federal agencies that focus on HIT (Federal Health,2008). The Patient Safety and Quality Improvement Act of 2005 (PSQIA) Establishes a voluntary reporting system to enhance the data available to assess and resolve patient safety and health care quality issues. To encourage the reporting and analysis of medical errors, PSQIA provides Federal privilege and confidentiality protections for patient safety information called patient safety work product. Patient safety work product includes information collected and created during the reporting and analysis of patient safety events (Department of Health, 2005). Stark Laws Congress included a provision in the Omnibus Budget Reconciliation Act of 1989 (OBRA 1989) which barred self-referrals for clinical laboratory services under the Medicare program, effective January 1, 1992. This provision is known as "Stark I". The law included a series of exceptions to the ban in order to accommodate legitimate business arrangements. A number of observers recommended extending the ban to other services and programs. The Omnibus Budget Reconciliation Act of 1993 (OBRA 1993) expanded the restriction to a range of


34

additional health services and applied it to both Medicare and Medicaid; this legislation, known as "Stark II," also contained clarifications and modifications to the exceptions in the original law. Minor technical corrections to these provisions were included in the Social Security Amendments of 1994 (Centers for Medicare, 2009). On August 1,2006 Health and Human Services (HHS) Secretary Mike Leavitt announced the issuance of final regulations(published in the Federal Register on August 8, 2006) creating new information technology exceptions under the Federal Stark law and safe harbors under the Federal Anti-Kickback statute. The issuance of these regulations substantially increases the ability of hospitals and other providers of Medicare and Medicaid services to donate information technology to physicians without violating the Stark law or Anti-Kickback statute. The changes include: Provision of Information Technology Items or Services to Physicians at Fair Market Value, Pre-Existing Exception for Community-Wide Health Information Systems, Electronic Prescribing Items and Services, Electronic Health Records Items and Services, Interoperability Requirement, Receipt of Items or Services Not Condition for Doing Business with Donor, Prohibition Against Eligibility for Items or Services Based on Volume or Value of Referrals (OBrien, 2006). Physician Payment of 15% of Donors Cost under EHR Exception Under the EHR exception, perhaps the most significant change from the proposed

The 2009 Health Information Technology Act regulations is a requirement that the physician pay 15% of the donors cost for the EHR items and services, before receipt of the items and services (CMS, 2009). Donated Technology Not Equivalent to Technology Physician Already Possesses

35

The donated technology must not be technically or functionally equivalent to technology that the physician already possesses. Parallel Safe Harbors Under Federal Anti-Kickback Statute The final information technology safe harbors under the Federal Anti-Kickback statute are essentially identical to the information technology exceptions under the Federal Stark law. If the Federal Stark law applies (because there is a financial relationship between a physician and a provider of designated health services), any referral of a Medicare or Medicaid patients for designated health services is prohibited, unless the referral falls within one of the Stark exceptions. Only such referrals as qualify under one of the exceptions is permitted(CMS, 2009). The Federal Anti-Kickback statute prohibits the offer, payment or receipt of any financial inducement in exchange for the referral of Medicare or Medicaid patients. The safe harbors provide immunity for arrangements that satisfy their requirements. The failure to qualify for a safe harbor, however, does not mean that an arrangement is unlawful. Risk to Tax-Exempt Status: Prohibitions Against Private Benefit and Inurement In order to prevent or minimize the risk to a hospitals tax-exempt status, the hospital should be able to document and demonstrate the benefit which it or the community derives from the donation arrangement. For example, it can be argued that providing information technology items or services to physicians on its medical staff furthers the provision of safer and more effective patient care and advances the overall health of the community served by the hospital.


36

The issuance of the subject final regulations substantially increases the ability of hospitals and other providers of Medicare or Medicaid services to donate information technology to physicians without violating the Federal Stark law and the Federal Anti-Kickback statute. Such arrangements will need to be carefully structured with appropriate agreements compliant with the subject exceptions and safe harbors (OBrien, 2006). The Federal Advisory Committee Act (FACA) This federal law governs the behavior of federal advisory committees. Specifically, the Act restricts the formation of committees to those that are deemed essential, limits their powers to provision of advice to officers and agencies in the executive branch of the Federal Government and also limits the length of their term (Federal Advisory Committee, 1994). Regulatory Agencies and Their Responsibilities Multiple federal and state regulatory agencies play key roles in the implementation, strategy and management of this program. The individual agencies and their role are outlined as follows: Agency for Healthcare Research and Quality (AHRQ) AHRQ is a significant funding source for research and development across the HIT-EHR spectrum, with $166 million in grants and contracts specific to this effort. Funding is awarded to collect HIT-EHR data and to stimulate investment in HIT-EHR products. The Agency for Healthcare Research and Quality's mission is to improve the quality, safety, efficiency, and effectiveness of healthcare for all Americans. Information from AHRQ's research helps people make more informed decisions and improve the quality of healthcare services. AHRQ was formerly known as the Agency for Health Care Policy and Research (AHRQ, 2009).

The 2009 Health Information Technology Act The American Health Information Community The American Health Information Community (AHIC) is a federal advisory body,

37

chartered in 2005, to make recommendations to the Secretary of the U.S. Department of Health and Human Services on how to accelerate the development and adoption of health information technology (American Health, 2005). American National Standards Institute (ANSI) This organization accredits various standards-setting committees, and monitors their compliance with the open rule-making process they are required to follow to obtain ANSI accreditation. HIPAA prescribes that the standards mandated under it be developed by ANSIaccredited bodies (American National, 2009). The Centers for Disease Control and Prevention (CDC) To improve and support state health departments capacity for rapid scale of healthcare associated infections (HAI) prevention, dissemination of HHS evidence-based practices within hospitals, targeted monitoring and investigation of the changing epidemiology. Also require access to healthcare data and voluntary reports of hospital-related infections to the Centers for Disease Control and Prevention (CDC, 2007). Certification Commission for Healthcare Information Technology (CCHIT) CCHIT is a collaboration among three industry associations that are developing federal certification criteria and an inspection process for HIT-EHR under a three-year contract awarded in 2005 from HHS. Interoperability and security standards are central to certification. The Commission to date has certified over 100 ambulatory and inpatient systems as meeting federal guidelines (Certification, 2011).

The 2009 Health Information Technology Act The eHealth Initiative, A nonprofit organization that is dedicated to the promotion of HIT-EHR development. This organization is the best-known funding source for regional HIT efforts (eHealth, 2009). Electronic Healthcare Network Accreditation Commission (EHNAC) This organization tests transactions for consistency with the HIPAA requirements and subsequently accredits healthcare clearinghouses (State Alliance, 2009). Federal Communications Commission (FCC) As directed in the American Recovery and Reinvestment Act of 2009, the Federal Communications Commission will develop a national broadband plan and consult with the

38

National Telecommunications and Information Administration of the Department of Commerce in their implementation of the Broadband Technology Opportunities Program. The Secretary of Commerce, in consultation with the FCC and following Congressional notification, may transfer funds to the FCC for carrying out these responsibilities. Federal HealthCare Architecture (FHA) The Federal Healthcare Architecture is responsible for ensuring that federal agencies can seamlessly exchange health data between and among themselves, with state, tribal and local governments; and with private sector healthcare organizations. In addition, they leverage federal expertise in creating a cross-agency health information interoperability architecture framework that provides a common vocabulary, simple tools and lifecycle processes (Federal Healthcare, 2009). Food and Drug Administration (FDA) The FDA will receive data from existing reporting systems regarding adverse events, as


39

well as provide support and regulatory guidance for pharmaceuticals and medical devices. They are responsible for regulations related to electronic signatures used in electronic medical records (Food and Drug, 2009). Health Informatics Standards Board (HISB) An ANSI-accredited standards group has developed an inventory of candidate standards for consideration as possible HIPAA standards (Health Informatics, 2009). The Health Information Security and Privacy Collaboration (HISPC) Established in June 2006 by RTI International through a contract with the U.S. Department of Health and Human Services, HISPC originally comprised 34 states and territories. HISPC phase 3 began in April 2008, and now comprises 42 states and territories. This organizations goal is to address the privacy and security challenges presented by electronic health information exchange through multi-state collaboration. Each HISPC participant continues to have the support of its state or territorial governor and maintains a steering committee and contact with a range of local stakeholders to ensure that developed solutions accurately reflect local preferences (Health Information, 2009). Health Information Technology Regional Centers A Federal Register Notice and Request for Comments has been published announcing the draft description of the program for establishing regional extension centers to assist providers seeking to adopt and become meaningful users of health information technology, as authorized by the American Recovery and Reinvestment Act of 2009 (Health Information, 2009). Health IT Policy Committee The ARRA provides that the HIT Policy Committee be created under the Federal


40

Advisory Committee Act (FACA) and charged this committee with making recommendations to the National Coordinator for Health Information Technology. They are responsible for the development of a policy framework for the implementation and adoption of a nationwide health information infrastructure, including standards for the exchange of patient medical information. Among the areas for infrastructure standards, the Policy Committee is to consider: Implementation specifications shall include named standards, architectures, and software schemes for the authentication and security of individually identifiable health information and other information as needed to ensure the reproducible development of common solutions across disparate entities, Technologies that protect the privacy of health information and promote security in a qualified electronic health record including the segmentation and protection from disclosure of specific and sensitive individually identifiable health information, To minimize the reluctance of patients to seek care (or disclose information about a condition) because of privacy concerns, To develop technologies that allow individually identifiable health information to be rendered unusable, unreadable, or indecipherable to unauthorized individuals when such information is transmitted in the nationwide health information network or physically transported outside of the secured, physical perimeter of a health care provider, health plan, or healthcare clearing house (HIT Policy, 2009). Health IT Standards Committee The ARRA requires the HIT Standards Committee be created under FACA and charged

The 2009 Health Information Technology Act with making recommendations to the National Coordinator for Health Information Technology

41

on standards, implementation specifications, and certification criteria for the electronic exchange and use of health information. Initially, the HIT Standards Committee will focus on the policies developed by the Health IT Policy Committee (HIT Standards, 2009). Health Resources and Services Administration (HRSA) This agency of the U.S. Department of Health and Human Services, is the principal Federal Agency charged with increasing access to health care for those who are medically underserved (Health Resources, 2009). The Healthcare Information Technology Standards Panel (HITSP) This is a cooperative partnership between the public and private sectors. The Panel was formed for the purpose of harmonizing and integrating standards that will meet clinical and business needs (Healthcare Panel, 2009). HHS Patient Safety Task Force Federal and state agencies, accrediting bodies and other organizations collect data that can provide insights into the causes of medical errors and strategies to increase patient safety, but these separate sources of information are difficult to compare and analyze. In April 2001, Secretary Thompson created the HHS Patient Safety Task Force to coordinate the efforts of these various data-collection sources to promote more consistent, effective use of the information (Department of Health, 1999). Inspector General (IG) Each federal agency has an Inspector General (IG) responsible for overseeing how federal funds are spent and for working with the agency to minimize fraud, waste, and abuse. IGs

The 2009 Health Information Technology Act for agencies who received Recovery Act funds are reviewing their stimulus spending to ensure Recovery-related projects meet legal and administrative requirements. The IGs are also

42

reviewing their agencies administrative practices to ensure that effective controls are in place for managing Recovery funds (Inspector General, 2009). National Center for Health Statistics (NCHS) A federal organization within the CDC that collects, analyzes and distributes health care statistics. The NCHS maintains the ICD-9 CM codes (National Center, 2009). National Association of Health Data Organizations (NAHDO) The National Association of Health Data Organizations (NAHDO) is a national, not-for-profit membership organization dedicated to improving health care through the collection, analysis, dissemination, public availability, and use of health data. NAHDO provides leadership in health care information management and analysis, promotes the availability of and access to health data, and encourages the use of data to make informed decisions and guide the development of health policy. NAHDO provides information on current issues and strategies to develop a nationwide, comprehensive, integrated health information system, sponsors educational programs, provides assistance, and serves as a forum to foster collaboration and the exchange of ideas and experiences among collectors and users of health data (National Association, 2009). National Committee on Vital and Health Statistics (NCVHS) The National Committee on Vital and Health Statistics was established by Congress to serve as an advisory body to the Department of Health and Human Services on health data, statistics and national health information policy. It fulfills important review and advisory

The 2009 Health Information Technology Act functions relative to health data and statistical problems of national and international interest, stimulates or conducts studies of such problems and makes proposals for improvement of the Nations health statistics and information systems. In 1996, the Committee was restructured to

43

meet expanded responsibilities under the Health Insurance Portability and Accountability Act of 1996 (National Committee, 2009). The National Health Information Network (NHIN): To provide a secure, nationwide, interoperable health information infrastructure that will connect providers, consumers, and others involved in supporting health and healthcare (National Health Information, 2009). National Committee for Quality Assurance (NCQA) This organization accredits managed care plans or HMOs. Their role will expand to include certification of those organizations to insure they are compliant with HIPAA requirements. This organization maintains the (HEDIS) Health Employer Data and Information Sets (National Committee, 2009). National Uniform Billing Committee (NUBC) This organization is chaired and hosted by the American Hospital Association. They maintain the UB04 institutional billing form and the data element specifications for both the hardcopy form and the electronic format. The NUBC has a formal consultative role under HIPAA for all transactions affecting institutional healthcare services (National Uniform, 2009). Office for Civil Rights (OCR) Responsible for the enforcement of Health Insurance Portability and Accountability Act (Office of Civil Rights, 2009).

The 2009 Health Information Technology Act Office of the Inspector General (OIG): The mission of the Office of Inspector General (OIG), as mandated by Public Law 95452 (as amended), is to protect the integrity of Department of Health and Human Services programs, as well as the health and welfare of the beneficiaries of those programs. Within this

44

capacity they maintain legal access to all health records throughout the United States (Office of the Inspector, 2009). The Office of the National Coordinator for Health Information Technology (ONC) The ONC serves as the resource for the entire health system to support the adoption of health information technology for the promotion of nationwide health information exchange to improve healthcare. ONC is organizationally located within the Office of the Secretary for the U.S. Department of Health and Human Services. (Office of the Inspector, 2009). ONC is the principal Federal entity charged with coordination of nationwide efforts to implement and use the most advanced health information technology and the electronic exchange of health information. The position of National Coordinator was created in 2004, through an Executive Order, and legislatively mandated in the Health Information Technology for Economic and Clinical Health Act [HITECH Act] of 2009. The Coordinators responsibilities include: drafting HIT-EHR policy, establishing strategic action plans, and acting as a guiding force in nationwide electronic healthcare record development (Office of the Inspector, 2009). Office of Recovery Act Coordination This Office will ensure that HHS fully implements the Acts requirements. This includes ensuring that programs are designed to meet the Recovery Acts objectives, that reporting due dates are met, performance outcomes are established and tracked, risks of fraud and abuse are

The 2009 Health Information Technology Act mitigated, and that the public is kept informed through the Web and other means of communication. Once programs are in place, this office will be responsible for reporting, auditing, and investigating for fraud and abuse; and protecting the confidentiality and integrity of HHS data systems (Monegain, 2009). Recovery Accountability and Transparency Board The Recovery Board oversees Recovery Act spending and prevents and detects fraud, waste and mismanagement of the recovery fund expenditures (Recovery Board, 2009). Regional Health Information Organizations (RHIOs) These are entities in which local healthcare providers and plans agree to communicate

45

health information over a standardized electronic network. It is estimated that there are between 100 and 200 RHIOs nationwide. They range in size from statewide structures to local city efforts and are mainly funded by federal funds, regional providers, and philanthropic grants (Regional Health, 2009). State Alliance for eHealth: The State Alliance was created through an HHS contract with the National Governors Association (NGA) in 2006. The State Alliance for e-Health is a consensus-based, executivelevel body of state elected and appointed officials, formed to address the unique role state governments can play in facilitating adoption of interoperable electronic HIE. It is also intended to be a forum through which stakeholders can work together to identify new inter- and intrastatebased policies and best practices and explore solutions to programmatic and legal issues related to the exchange of health information (State eHealth, 2009).

The 2009 Health Information Technology Act State Level Health Information Exchange Consensus Project The State-level Health Information Exchange Consensus Project is managed through a

46

contract with American Health Information Management Associations Foundation of Research and Education. The projects main objective is to provide a forum for ONC to work with states to ensure all health information exchange activities throughout the Unites States align. This is a forum that enables ONC to disseminate information about the national agenda and for the states based efforts to inform the federal government thereby enabling a nationwide alignment of all health information exchange activities (State Level, 2009). United States Department of Health and Human Services (HHS) To coordinate and manage the complexity of HHS role in the Recovery Act, HHS established an Office of Recovery Act Coordination (United States Department of Health, 2009). United States Department of Agriculture (USDA) The Rural Development Broadband Program supports the expansion of broadband service in rural areas through financing and grants to projects that provide access to high speed service to facilitate economic development in locations without sufficient access to such service (USDA, 2009) Veterans Administration To provide software development, staff, and associated supplies and equipment to support implementation of the Post-9/11 GI Bill and to support upgrades to other VHA systems. The VHA Office of Information also provides use of an electronic medical record through their demo system that is down loadable on their website (VA, 2009).

The 2009 Health Information Technology Act California Legislation and Action Plans

47

Achieving electronic health information exchange (HIE) through the application of health information technology (HIT) is one of the cornerstones of the overall healthcare reform strategy in California. This includes implementation of interoperable HIE, key strategies to achieve the goals of better health care outcomes, efficiencies in the delivery of healthcare, and strengthening emergency and disaster response preparedness. The California Health and Human Services Agency (CHHS) serves as the lead, coordinating all HIE and HIT issues for the State. CHHS works with the State Chief Information Officer (OCIO), the Department of Managed Care and the Transportation and Housing Agency to oversee the States HIE and HIT related efforts (Wulsin, 2008). The structure for achieving these goals is as follows: Governance Establish a governance structure that achieves broad-based stakeholder collaboration with transparency, buy-in and trust. Set goals, objectives and performance measures for the exchange of health information that reflect consensus among the health care stakeholder groups, and finalize requirements related to meaningful use crit